Threatcl Cloud ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how your personal information is collected, used, and disclosed by Threatcl Cloud.
This Privacy Policy applies to our website and its associated subdomains (collectively, our "Service") alongside our application, Threatcl Cloud. By accessing or using our Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your personal information as described in this Privacy Policy and our Terms of Service.
Threatcl Cloud is an Australian company and we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process the personal data of individuals located in the European Economic Area, the United Kingdom, or California, additional rights may apply as set out below.
Customer Data
The Threatcl Cloud Service is a collaborative threat modelling platform. In the course of using it, you and your team will upload, create, and store threat models, HCL files, architecture diagrams, configurations, comments, and related security information ("Customer Data"). Customer Data is treated separately from the personal information we collect about you as a user of the Service.
Ownership. As between you and Threatcl Cloud, you retain all right, title, and interest in your Customer Data. We claim no ownership over it.
How we use it. We access and process Customer Data only as needed to:
- provide, maintain, and secure the Service for you;
- respond to a support request you initiate;
- investigate or address a security incident, abuse, or suspected violation of our Terms;
- comply with a legal obligation or valid legal process.
What we will not do. We will not sell your Customer Data. We will not use Customer Data to train machine learning or artificial intelligence models. We will not share Customer Data with advertisers or marketing partners. We will not access Customer Data for any purpose other than those listed above.
How we protect it. Customer Data is encrypted in transit using TLS and encrypted at rest within our hosting provider's infrastructure. Access to production systems is restricted to authorised personnel and is logged and monitored. For more information about our security practices, see our Security page.
Definitions and Key Terms
- Cookie: a small amount of data generated by a website and saved by your web browser. It is used to identify your browser, provide analytics, and remember information about you such as your language preference or login information.
- Company: when this policy mentions "Company," "we," "us," or "our," it refers to Threatcl Cloud Pty Ltd, responsible for your information under this Privacy Policy.
- Country: where Threatcl Cloud or the owners/founders of Threatcl Cloud are based — in this case, Australia.
- Customer: a company, organization, or person that signs up to use the Threatcl Cloud Service.
- Device: any internet-connected device such as a phone, tablet, or computer that can be used to visit Threatcl Cloud and use the services.
- IP address: a number assigned to every device connected to the Internet, often used to identify the location from which a device is connecting.
- Personnel: individuals who are employed by Threatcl Cloud or are under contract to perform a service on behalf of one of the parties.
- Personal Data: any information that directly, indirectly, or in connection with other information allows for the identification of a natural person.
- Service: the service provided by Threatcl Cloud as described on this platform.
- Third-party service: advertisers, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you.
- Website: Threatcl Cloud's site, accessible at https://threatcl.com.
- You: a person or entity registered with Threatcl Cloud to use the Services.
What Information Do We Collect?
We collect information in the following categories:
Account information you provide. When you register or use the Service, we collect your name, username, email address, organisation name, and any profile details you choose to add.
Billing information. If you subscribe to a paid plan, our payment processor (Stripe) collects your payment card details, billing address, and tax information. Threatcl Cloud does not store any payment information.
Usage and log data. When you use the Service we automatically collect technical information including your IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, features used, API calls made, timestamps, and error logs. This information is used to operate, secure, debug, and improve the Service.
Cookies and similar technologies. We and our service providers set cookies and similar identifiers in your browser. See the "Cookies" section below for detail.
Support communications. If you contact us for support — by email, web form, or chat — we retain a record of that communication, including any information you choose to share with us.
Customer Data. Threat models, HCL, diagrams, comments, and other content you upload to the Service. This is governed by the "Customer Data" section above.
We collect this information when you register, place an order, subscribe to a mailing list, respond to a survey, fill out a form, contact support, or otherwise interact with the Service.
How Do We Use The Information We Collect?
Any of the information we collect from you may be used in one of the following ways:
- To personalize your experience and better respond to your individual needs
- To improve our website based on the information and feedback we receive from you
- To improve customer service and more effectively respond to support requests
- To process transactions
- To administer a contest, promotion, survey, or other site feature
- To send periodic emails
When Do We Use Third-Party Information?
Threatcl Cloud will collect End User Data necessary to provide the Threatcl Cloud services to our customers.
We receive some information from third parties when you contact us. For example, when you submit your email address to show interest in becoming a Threatcl Cloud customer, we may receive information from a third party that provides automated fraud detection services.
Do We Share Information With Third Parties?
We may share information with our current and future affiliated companies and business partners. If we are involved in a merger, asset sale, or other business reorganization, we may also share or transfer your personal and non-personal information to our successors-in-interest.
We may engage trusted third-party service providers to perform functions such as hosting and maintaining our servers, database storage and management, e-mail management, marketing, and payment processing. We will likely share your personal information with these third parties to enable them to perform these services for us and for you.
We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate in order to respond to claims, legal process (including subpoenas), to protect our rights and interests, or to comply with applicable laws, rules, and regulations.
How Do We Use Your Email Address?
By submitting your email address on this website, you agree to receive emails from us. You can cancel your participation in any of these email lists at any time by clicking on the opt-out link included in each email. We only send emails to people who have authorized us to contact them. We do not send unsolicited commercial emails.
Note: If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email.
How Long Do We Keep Your Information?
We retain personal information only for as long as we need it to provide the Service to you and to fulfil the purposes described in this policy. Different categories of information are retained for different periods:
- Account information: retained for the lifetime of your account, then deleted within 30 days of account closure (subject to backups, see below).
- Customer Data: retained while your account is active. On termination or expiry, retained for a 30-day grace period to allow export, then deleted.
- Billing and tax records: retained for seven (7) years to comply with Australian tax and financial record-keeping laws.
- Usage and log data: retained for up to 90 days, then deleted or aggregated into non-identifying form.
- Support communications: retained for up to two (2) years after the matter is resolved.
- Backups: data may persist in encrypted backups for up to 35 days after deletion from production systems, after which it is overwritten.
- Marketing contact lists: retained until you unsubscribe or opt out.
Where we are required to retain information for longer to comply with a legal, regulatory, tax, accounting, or reporting obligation, or to establish, exercise, or defend legal claims, we will do so. When we no longer need to use information and have no obligation to retain it, we will delete it or irreversibly anonymise it.
How Do We Protect Your Information?
We implement a variety of administrative, technical, and physical security measures to maintain the safety of your personal information and Customer Data. These include encryption in transit (TLS), encryption at rest, role-based access controls, audit logging, regular security reviews, and least-privilege access for our personnel. Payment card details are handled directly by our PCI DSS-compliant payment processor and never stored on our systems.
We cannot, however, ensure or warrant the absolute security of any information you transmit to Threatcl Cloud or guarantee that your information may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards.
Data Breach Notification
Threatcl Cloud complies with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of an eligible data breach that is likely to result in serious harm to any individual whose personal information is involved, we will:
- notify the affected individuals as soon as practicable;
- notify the Office of the Australian Information Commissioner (OAIC); and
- where the GDPR applies, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
Our notice will describe the nature of the breach, the kinds of information involved, the steps we are taking in response, and recommendations for steps you can take to protect yourself.
Could My Information Be Transferred to Other Countries?
Threatcl Cloud is incorporated in Australia, but the Threatcl Cloud Service is hosted on Google Cloud Platform (operated by Google LLC) in data centres located in the United States. As a result, your personal information and any Customer Data you upload to the Service are stored, processed, and backed up in the United States, and may be accessed by our personnel or sub-processors located in other countries where they perform support, security, or administrative functions on our behalf.
This means your information may be subject to the laws of the United States and other jurisdictions, including lawful access requests from foreign government and law enforcement authorities. We take reasonable steps to ensure that overseas recipients of personal information handle it in a way consistent with the Australian Privacy Principles, including through contractual commitments with our sub-processors (such as Google Cloud's Data Processing Addendum and Standard Contractual Clauses where applicable).
Our key sub-processors include:
- Google LLC (Google Cloud Platform) — application, database, and object storage hosting, United States.
- Google LLC (Firebase Authentication) — user authentication and credential storage, United States.
- Stripe, Inc. — payment processing, United States.
By using our Service, you acknowledge and consent to this trans-border transfer, storage, and processing of your information. If you do not consent, please do not use the Service.
Can I Update or Correct My Information?
You have the right to request updates or corrections to the information Threatcl Cloud collects. You can contact us to:
- Update or correct your personally identifiable information
- Change your preferences with respect to communications and other information you receive from us
- Delete the personally identifiable information maintained about you on our systems by cancelling your account
To protect your privacy and security, we may take reasonable steps to verify your identity before granting you profile access or making corrections. You are responsible for maintaining the secrecy of your unique password and account information at all times.
Sale of Business
We reserve the right to transfer information to a third party in the event of a sale, merger, or other transfer of all or substantially all of the assets of Threatcl Cloud, or in the event that we discontinue our business or file a petition in bankruptcy, reorganization, or similar proceeding, provided that the third party agrees to adhere to the terms of this Privacy Policy.
Cookies
Threatcl Cloud uses "Cookies" to identify the areas of our website that you have visited. A Cookie is a small piece of data stored on your computer or mobile device by your web browser. We use Cookies to enhance the performance and functionality of our website. Most web browsers can be set to disable the use of Cookies. However, if you disable Cookies, you may not be able to access functionality on our website correctly or at all. We never place Personally Identifiable Information in Cookies.
Wherever you're located you may also set your browser to block cookies and similar technologies, but this action may block essential cookies and prevent our website from functioning properly.
Do Not Track Signals
Some browsers offer a "Do Not Track" ("DNT") setting that sends a signal to websites you visit indicating that you do not wish to be tracked. Because there is no consistent industry standard for how to interpret DNT signals, Threatcl Cloud does not currently respond to DNT browser signals. We treat all visitors the same regardless of whether the DNT signal is set. You can still control tracking through the browser-level cookie controls described above.
Payment Details
We may provide paid products or services within Threatcl Cloud. In that case, we use third-party services (Stripe) for payment processing. We will not store or collect your payment card details. That information is provided directly to our third-party payment processor whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by the PCI Security Standards Council.
Kids' Privacy
We do not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information from our servers.
Your Rights Under Australian Privacy Law
Under the Australian Privacy Principles, you have the right to:
- request access to the personal information we hold about you;
- request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
- opt out of receiving direct marketing communications from us;
- make a complaint about how we have handled your personal information.
To exercise any of these rights, please contact us at support@threatcl.com. We will respond within a reasonable period (typically 30 days). If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
GDPR — General Data Protection Regulation
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (or its UK equivalent) applies to our processing of your personal data, and you have additional rights as set out in this section.
Data controller. Threatcl Cloud Pty Ltd is the data controller for personal information we collect about you as a user of the Service. For Customer Data you upload, you (or your organisation) are the data controller and Threatcl Cloud acts as a data processor on your behalf.
Legal bases for processing. We rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract — to provide the Service you have signed up for, manage your account, process payments, and provide support.
- Legitimate interests — to secure and improve the Service, prevent fraud and abuse, conduct analytics on aggregated usage data, and communicate with you about service-related matters. Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights.
- Consent — for optional marketing communications and non-essential cookies. You may withdraw your consent at any time.
- Legal obligation — to comply with tax, accounting, and other legal obligations applicable to us.
Your rights under the GDPR. You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your personal data in certain circumstances.
- Restriction — ask us to restrict processing of your personal data.
- Data portability — receive your personal data in a structured, commonly used, machine-readable format.
- Objection — object to processing carried out on the basis of legitimate interests, including profiling.
- Withdraw consent — withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint — complain to your local supervisory authority. A list of EU supervisory authorities is available on the European Data Protection Board website.
To exercise any of these rights, contact us at support@threatcl.com. We will respond within one (1) month of receiving a verifiable request, as required by Article 12 of the GDPR. We may need to verify your identity before acting on a request.
Automated decision-making. We do not use your personal data for any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR.
California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), provides you with specific rights regarding your personal information.
Categories of personal information we collect. In the past twelve (12) months, we have collected the following categories of personal information as defined by the CCPA/CPRA:
- Identifiers (e.g., name, email address, account username, IP address);
- Commercial information (e.g., subscription plan, billing records);
- Internet or other electronic network activity information (e.g., usage logs, browser type, pages visited, API calls);
- Geolocation data (approximate location derived from IP address);
- Professional or employment-related information (e.g., organisation name, job role, where you choose to provide it).
We do not collect categories of "sensitive personal information" as defined by the CPRA in the ordinary course of providing the Service.
Sources, purposes, and disclosures. We collect this information from you directly, from your use of the Service, and from third-party service providers (such as our payment processor and fraud detection providers). We use it for the purposes described in the "How Do We Use The Information We Collect?" section above. We disclose it only to the sub-processors listed in the "Could My Information Be Transferred to Other Countries?" section, and only for the purposes of providing the Service.
We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve (12) months. We do not knowingly sell or share the personal information of minors under sixteen (16).
Your rights. You have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Access a copy of the specific pieces of personal information we hold about you.
- Correct inaccurate personal information we hold about you.
- Delete personal information we have collected, subject to certain exceptions.
- Opt out of the sale or sharing of personal information (not applicable, as we do not engage in either).
- Limit the use and disclosure of sensitive personal information (not applicable, as we do not collect this category).
- Non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise any of these rights, please contact us at support@threatcl.com. We will respond to verifiable requests within forty-five (45) days, with a possible extension of an additional 45 days where reasonably necessary, as permitted by the CCPA/CPRA. We may need to verify your identity before acting on a request. You may also designate an authorised agent to make a request on your behalf.
Changes to This Privacy Policy
We may change our Service and policies, and we may need to make changes to this Privacy Policy so that it accurately reflects our Service and policies. Unless otherwise required by law, we will notify you before we make changes to this Privacy Policy and give you an opportunity to review them before they go into effect. If you continue to use the Service, you will be bound by the updated Privacy Policy.
Contact Us
Don't hesitate to contact us if you have any questions about this Privacy Policy.
- Via Email: support@threatcl.com
Last updated: 7 April 2026