Privacy policy

This Privacy Policy (the “Privacy Policy”) explains what type of personal data our company, Prelude Research, Inc. (the “Company” or “us”), collects and processes and the measures we apply to protect such personal data with respect to which we act as a “data controller” under the General Data Protection Regulation (the “GDPR”), as a “business” under the California Consumer Privacy Act (the “CCPA”) or equivalent denominations under relevant U.S. state privacy laws such as, without limitation, Colorado Privacy Act, Connecticut Personal Data Privacy and Online Monitoring Act, Utah Consumer Privacy Act or Virginia Consumer Data Protection Act (the CCPA and other relevant U.S. state privacy laws hereinafter also “U.S. State Privacy Laws”).

In this Privacy Policy, the “Company” or “us” means both the data controller under the GDPR and the business under the CCPA and the term “personal data” includes both personal data under the GDPR and personal information under the CCPA.

  1. What personal data we collect

Below you may find the types of personal data that we may collect and process. To fulfil the requirements of CCPA, please note that the below list includes also a list of personal data that we may have collected about you in the preceding 12 months and the reference to corresponding categories of personal data as defined under CCPA that most closely describe the personal data collected:

  1. Data that you provide to us:
    • We may collect your email address, first name and last name, your company name and job title, and your address, state, province, ZIP/Postal code, city. 
    • We may collect your personal data when you communicate with us through email, chat, our social media and other forms of communication. 
    • You can also log in to our services using a Single-Sign-On (“SSO”) mechanism. When you use SSO to access our services, other than your email address and the configuration information required to connect to your SSO provider, Prelude does not receive or store any personal data used for user authentication – those remain fully with your SSO provider. 
    • You may connect our services to third-party applications or platforms (CrowdStrike, Sentinel One, Splunk, Microsoft Defender, etc.). If you choose to connect to such third-party platforms, you will provide us with an API key which will be stored and encrypted in our database. 

Corresponding categories under CCPA:

  • Category A: Identifiers;
  • Category B: Personal information described in subdivision (e) of Section 1798.80 of the California Civil Code;
  • Category D: Commercial information;
  • Category I: Professional or employment-related information.

  1. Data we collect:
    • We may access and collect personal data when you download and run any free demo version of our services (the “Demo Versions”). The personal data we collect in this instance typically include data contained in your endpoints accessed within the Demo Versions.

The exact scope of personal data collected will depend on the specific features then available and used by you and the functionality of the Demo Versions that you decide to implement and deploy.

Corresponding categories under CCPA:

  • Category A: Identifiers;
  • Category B: Personal information described in subdivision (e) of Section 1798.80 of the California Civil Code;
  • Category D: Commercial information;
  • Category F: Internet or other electronic network activity information.

Information about the personal data we collect within Cookies and from Job Candidates is described separately in clauses 3 and 4 of this Privacy Policy. 

  1. How we use your personal data

We may use your personal data that we collect for the following purposes (or business purposes and commercial purposes as defined under CCPA) and on the legal bases listed below: 

  1. Processing necessary for the performance of a contract to which the data subject is party:
    • To provide our services, including the Demo Versions;
    • To communicate with you if you are or act for a legal entity that is our customer, former or potential customer, supplier or business partner or if you otherwise entered into a business relationship or communication with us;
  2. Processing necessary for compliance with a legal obligation:

On this legal basis, we use the information about you to comply with legal requirements.

  1. Processing necessary for the purposes of our legitimate interests:

On this legal basis, we use the information about you to detect, prevent and address fraud and other illegal activity. We may also use the personal data about you to enhance, optimize, secure, update, market, and analyse our services or develop new services. Lastly, we may also contact you about our products and services where permissible under applicable law without your express consent. 

  1. Processing to which you have given us your consent:

On this legal basis, we may use the information about you for the purposes to which you have granted your consent or share your personal data with our business partners, provided you have given us your consent for such data sharing. 

We do not knowingly collect or process any personal data that may be classified as special categories of personal data under the GDPR or sensitive personal information or data under U.S. State Privacy Laws or biometric data under the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier law (Texas Business and Commercial Code Chapter 503), and the Washington Biometrics Identifiers Statute (RCW 19.375).

  1. Cookies 

We may use cookies on our website to collect information about your browsing activities and preferences. Cookies are small text files that a website transfers to a visitor’s device for recordkeeping purposes. The information collected through these cookies may be combined with personal data or aggregated with other information. Cookies may vary depending on the browser you use. We use functional cookies that are strictly necessary for our website to function and cannot be turned off in our system or preference centre. In addition, we use analytics and marketing cookies to track the performance of certain aspects of our website and to identify potential customers. You can manage your cookie preferences through your browser settings or through the settings accessible by clicking on a button “Cookies” at the bottom of our website.

  1. Job Candidates 

If you apply for a job in our Company, we may collect your personal data contained in your CV or other data that you provide to us. 

We will use your personal data to communicate with you and to assess your job application. Where permitted, we may use your personal data also to contact you with job opportunities similar to the one to which you originally applied.

Your personal data will be stored in accordance with applicable laws and kept as long as needed to complete the recruitment process and for a reasonable period thereafter to allow us to record the reasons for our decision in relation to your application (including to exercise, establish, or defend any legal claims). Based on your consent we may process your data for a reasonable period to consider you for and inform you of other suitable job offers. If your job application is successful, your personal data will be kept as employee personal data.  

  1.  Data Disclosure

We may disclose personal data to third parties in the following circumstances:

  1. With service providers: 

We may disclose your personal data to our service providers who process your personal data on our behalf and pursuant to our instructions (e.g. for the purposes of IT support, hosting). A list of Prelude’s service providers can be found here

  1. For business transfers: 

We may disclose or transfer your personal data in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.

  1. With affiliates: 

We may disclose your personal data to our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates may include subsidiaries, joint venture partners or other companies that we control or that are under common control with us.

  1. With business partners: 

We may disclose your personal data to our business partners to offer you certain products, services or promotions.

  1. With professional advisors:

We may also share your information with our legal, financial, insurance and other advisors.

  1. For compliance with legal requirements:

We may disclose personal data to comply with applicable laws, regulations, legal processes, or governmental requests.

As required under CCPA, below you may find the reference to categories of personal data as defined under CCPA that most closely describe the personal data disclosed to the above-mentioned third parties:

  • Category A: Identifiers;
  • Category B: Personal information described in subdivision (e) of Section 1798.80 of the California Civil Code;
  • Category D: Commercial information;
  • Category F: Internet or other electronic network activity information.
  • Category I: Professional or employment-related information.

  1. Transfer of your personal data

Your personal data is processed at our operating offices and in any other places where the parties involved in the processing are located. It means that your personal data may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction.

We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place ensuring the security of your personal data. 

  1. Data Security

We implemented appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We use encryption, firewalls, access controls (multi-factor/two-factor authentication), and other industry-standard security measures to safeguard personal data. Database volumes are encrypted when stored at rest and in transit. 

We apply standard IAM (access controls) that enforces the Least Privilege Principle. Only employees who have a job function requiring access to a particular system are granted it, and only for the duration it is required.

More information is available here

  1. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Unless we have a direct services agreement with you that specifies otherwise, we will delete personal data when it is no longer needed or when you request your data to be deleted, subject to certain exceptions provided by the relevant data protection laws.

  1. Direct marketing

We may contact you about our products and services that may be of interest to you based on our previous business interactions. If you grant us your consent, you may also subscribe to such communication on our website or on other platforms and communication channels. 

You may unsubscribe from these communications at any time by following the unsubscribe link or instructions provided in any email we send to you or by contacting us using the contact information provided in this Privacy Policy.

According to GDPR, you also have a right to submit objections to direct marketing. If you no longer wish to receive marketing communication from us or you do not wish that your personal data is used for processing related to such marketing or promotional activities, you can request that we cease to use your personal data for these purposes. You can exercise this right by contacting us using the contact information provided in this Privacy Policy.

  1. Your rights under GDPR

If you are located in the European Union, you have the following rights in relation to your personal data:

  1. Right to Access: 

You have the right to obtain from us the confirmation as to whether personal data concerning you are being processed, and, where that is the case, access to the personal data and other information.

  1. Right to Rectification: 

You have the right to request the correction or update of inaccurate or incomplete personal data held by us.

  1. Right to Erasure (“right to be forgotten”): 

You have the right to request the deletion of your personal data, subject to certain exceptions under GDPR.

  1. Right to Restriction of Processing: 

You have the right to request the restriction of processing of your personal data in certain circumstances, such as when the accuracy of the data is contested, or the processing is unlawful.

  1. Right to Data Portability: 

You have the right to receive your personal data in a structured, commonly used and machine-readable format and request the transfer of such personal data to another controller.

  1. Right to Object: 

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

  1. Automated individual decision-making, including profiling:

Please note that we do not make any decisions based solely on automated processing, including profiling, which would produce legal effects concerning you or which would similarly significantly affect you. 

  1. Right to Withdraw Consent: 

You have the right to withdraw your consent for processing of personal data for which you gave us your consent.

You can exercise your rights by contacting us using the contact information provided in this Privacy Policy. Additionally, you have the right to lodge a complaint with the competent Data Protection Authority if you believe your rights regarding our use of your personal data have been violated.

  1. Your rights under CCPA and U.S. State Privacy Laws

If you are a resident of California or another U.S. state with relevant rights under the U.S. State Privacy Laws, you have the following rights in relation to your personal data:

  1. Right to access your personal data. 

You have the right to request that we send you the categories and the specific pieces of your personal data we have collected in the 12 months preceding your request.

  1. Right to delete personal data: 

You have the right to request that we delete any of your personal data collected from you, subject to certain exceptions set out in the U.S. State Privacy Laws. 

  1. Right to correct inaccurate personal data:

You have the right to correct the inaccurate personal data that we collect about you, considering the nature of the personal data and the purposes of the processing of the personal data.

  1. Right to know what personal data is being collected. Right to access:

You have the right to request that we disclose to you the specific information related to your personal data as defined under U.S. State Privacy Laws. 

  1. Right to know what personal data is sold or shared and to whom:

Please note that we do not “sell” or “share” any personal data within the meaning of CCPA (or equivalent under other relevant U.S. State Privacy Laws) to any third party. We do however disclose personal data to third parties as described in Clause 6 of this Privacy Policy. 

  1. Right of no retaliation following opt out or exercise of other rights. 

We will not discriminate against you in any way for exercising any of your rights related to the collection of your personal data. 

You can exercise your rights by contacting us using the contact information provided in this Privacy Policy.

  1. “Shine the Light” right. 

If you are a resident of California, under Section 1798.83 of California Civil Code (California “Shine the Light” law) you also have the right to ask us one time per year for information about our disclosure, if any, of personal data to third parties for their direct marketing purposes in the preceding calendar year.

You can exercise this right by contacting us using the contact information provided in this Privacy Policy.

  1. Privacy Rights for Minor Users

If you are under the age of 18 and a registered user of an online site, service or application, you have the right to request and obtain removal of content or information you have publicly posted.

To request removal of such data, you can contact us using the contact information provided below.

Be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

  1. Children's Privacy

We do not knowingly collect personal data from children under the age of 13 (or under the age of 16 in certain jurisdictions, such as EU member countries). If we become aware that personal data of a child under 13 (or under the age of 16 in certain jurisdictions, such as EU member countries) has been collected, we will take appropriate steps to delete such data.

  1. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. We will notify you of any material changes to this Privacy Policy on this website or by other means. You are encouraged to review this Privacy Policy for the latest information.

  1. Contact Information

If you have any questions about our Privacy Policy, you can contact us by email at support@preludesecurity.com.

Issued on May 2, 2024.