1 Who we are
ThreatReady is operated by Aerovant Technologies Private Limited, a company incorporated in India (the "Company," "we," "us"). For the purposes of this Privacy Policy, Aerovant Technologies is the data fiduciary under DPDPA 2023 and the data controller under GDPR for data collected directly from engineers (B2C) and website visitors.
When you use ThreatReady as a business customer and upload or assess your candidates' data, your organization is the data fiduciary/controller for that candidate data, and Aerovant Technologies acts as the data processor. The terms of that processing are set out separately in our Data Processing Agreement.
2 What data we collect
2.1 Account data
- Name, email address, password (hashed)
- Company name, job title, country (for B2B accounts)
- Billing information (processed by our payment provider — we do not store card details)
2.2 Assessment data
- Answers you submit to scenarios
- Scores, percentiles, and badge records
- Session metadata (scenario ID, start time, completion time, question sequence)
2.3 Usage data
- IP address, browser type, device type, referring URL
- Pages visited, actions taken, session duration
- Error logs and performance metrics
2.4 Communications
- Support tickets, emails you send us, feedback submissions
- Newsletter subscription status
3 Why we collect it (legal basis)
| Purpose | Legal basis (GDPR) | Lawful ground (DPDPA) |
|---|---|---|
| Provide the ThreatReady service | Contract (Art. 6(1)(b)) | Contractual necessity |
| Process payments and billing | Contract & legal obligation | Legal obligation |
| Evaluate your assessment answers via AI | Contract | Contractual necessity |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) | Legitimate use |
| Improve the platform and scoring accuracy | Legitimate interest | Legitimate use |
| Send marketing emails (Attack of the Week) | Consent (Art. 6(1)(a)) | Consent |
| Comply with legal requests | Legal obligation | Legal obligation |
4 Who we share it with
We share the minimum data necessary with the following categories of third parties:
4.1 Sub-processors
- Anthropic PBC (USA) — evaluates assessment answers using the Claude API against our scoring rubric. Assessment text and scoring rubric metadata are transmitted to the API. Anthropic does not train on inputs sent via the API.
- Amazon Web Services (India — Mumbai region, ap-south-1) — primary hosting, database, and object storage.
- Payment processor — card payments are processed by our payment partner. We receive payment confirmation but not card details.
- Email service provider — transactional emails (password reset, receipts) and opt-in newsletter.
- Analytics provider — privacy-respecting, cookieless usage analytics.
A current list of sub-processors is available in our DPA. We give business customers 30 days' notice before engaging any new sub-processor that handles their data.
4.2 When required by law
We may disclose data in response to a valid legal request (subpoena, court order, warrant) after reviewing the request and, where legally permitted, notifying the affected user.
4.3 Business transfers
If Aerovant Technologies is involved in a merger, acquisition, or sale of assets, your data may transfer to the acquirer. You will be notified and given the opportunity to delete your account before any transfer.
5 How long we keep it
- Account data: For as long as your account is active, plus 90 days after deletion to handle chargebacks and final billing.
- Assessment answers and scores: Retained for the life of the account. You can delete individual assessment records at any time from your dashboard.
- B2B candidate data: Retained per the business customer's instructions in their DPA, typically 12 months or until they request deletion.
- Billing records: 7 years, as required by Indian tax law.
- Logs and security records: 12 months, then anonymized.
6 Your rights
Under GDPR and DPDPA 2023, you have the following rights over your personal data:
- Right to access: Request a copy of all personal data we hold about you.
- Right to correction: Ask us to fix inaccurate or incomplete data.
- Right to deletion ("right to be forgotten"): Ask us to delete your account and associated data.
- Right to data portability: Receive your data in a machine-readable format (JSON export).
- Right to object: Object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent: Where processing relies on consent, you can withdraw it at any time without affecting past lawful processing.
- Right to grievance redressal (DPDPA): File a complaint with our Grievance Officer (see Section 11) and, if unresolved, escalate to the Data Protection Board of India.
To exercise any right, email [email protected]. We will respond within 30 days (or 7 days for DPDPA grievance redressal, escalating to 30 days for complex requests). There is no charge for reasonable requests.
7 Cookies
We use a minimal set of cookies:
- Essential cookies (always on) — session authentication, CSRF protection, cookie consent preference.
- Analytics cookies (optional) — aggregated usage data. You control these via the cookie banner.
We do not use third-party advertising cookies. We do not track you across other websites.
8 International transfers
Primary storage of your data is in India (AWS Mumbai, ap-south-1). When we transmit data to Anthropic for AI evaluation, that data is transferred to the United States.
For users in the European Economic Area and United Kingdom, these transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission. For users in India, we rely on the DPDPA framework for cross-border processing.
You can read more about how Anthropic handles API data in Anthropic's Privacy Policy.
9 Children's data
ThreatReady is a professional platform intended for users 18 years and older. We do not knowingly collect personal data from children under 18. Under DPDPA 2023, additional consent requirements apply to users under 18 in India; we require age verification at signup and do not accept accounts from minors. If you believe a minor has created an account, contact us and we will delete it.
10 Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to registered users at least 14 days before taking effect. The "Last updated" date at the top reflects the current version. Previous versions are available on request.
11 Contact & Grievance Officer
For privacy questions, data requests, or complaints:
Data Protection contact
Email: [email protected]
Postal: Aerovant Technologies Pvt. Ltd., [Registered Office Address], Chennai, Tamil Nadu, India
Grievance Officer (per DPDPA 2023 §32)
Name: [To be appointed]
Email: [email protected]
Response SLA: Initial response within 7 days. Resolution within 30 days.
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India for redressal under DPDPA 2023.