Privacy Policy

Last updated: February 2026

Overview

ThreatKrew (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights.

Information We Collect

Account Information

  • Email address (required for signup)
  • Name (optional)
  • Company name (optional)

Assessment Data

  • Architecture documents you upload
  • Threat models we generate
  • Clarification responses you provide
  • Chat conversations about your assessments

Usage Data

  • Feature usage patterns
  • Error logs (anonymized)
  • Performance metrics

Payment Data

  • Billing is processed by Stripe. We do not store credit card numbers. Stripe receives your name, email, and payment details. See Stripe’s privacy policy.

What We Don’t Collect

  • We don’t use tracking cookies beyond essential session management
  • We don’t sell your data to third parties
  • We don’t share your data for marketing purposes
  • We don’t train AI models on your specific documents

How We Use Your Information

  • To provide and improve our services
  • To communicate about your account
  • To send product updates (with your consent)
  • To respond to support requests

Data Retention

  • Assessment data: Retained until you delete it
  • Account data: Retained 30 days after account deletion
  • Logs: 30-90 days depending on type

Your Rights (GDPR)

You have the right to:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Delete your account and data
  • Portability: Export your data
  • Objection: Opt out of marketing communications

To exercise these rights, contact privacy@threatkrew.io.

Data Residency

Your data is stored in AWS Sydney (ap-southeast-2), Australia. Some global services (CloudFront CDN, WAF) operate from edge locations worldwide, but your assessment data and account information remain in the Sydney region.

Sub-processors

We use the following third-party services to deliver ThreatKrew:

| Service | Purpose | Data Shared |
|---|---|---|
| AWS (Sydney) | Infrastructure, compute, storage | All service data |
| Amazon Bedrock | AI threat analysis | Architecture documents (not stored by Bedrock) |
| Stripe | Payment processing | Name, email, payment details |
| GitHub | Source code hosting, CI/CD | None of your data |

Security

See our Security page for details on how we protect your data.

Changes

We’ll notify you of material changes via email. Continued use after changes constitutes acceptance.

Contact

Email: privacy@threatkrew.io

Data Controller: ThreatKrew