AIR

Privacy Policy

Last Updated: March 2025

Introduction

Neumann Labs, Inc. ("Neumann Labs," "we," "our," or "us") respects your privacy and is committed to protecting the personal information that you share with us. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Agentic Incident Responder (AIR) platform, related services, or visit our website ("Services").

We understand the sensitive nature of security data and are committed to maintaining the confidentiality, integrity, and security of information entrusted to us. This Privacy Policy applies to all users of our Services, including customers, website visitors, and those who interact with our communications.

Information We Collect

Personal Information

We may collect the following types of personal information:

  • Identity Data: Name, job title, company name, and similar identifiers.
  • Contact Data: Email address, telephone number, postal address, and other contact details.
  • Account Data: Username, password, and account preferences.
  • Transaction Data: Details about payments to and from you, and details of Services you have purchased from us.
  • Technical Data: Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology identifiers.
  • Usage Data: Information about how you use our website and Services.

Security Incident Data

When using our AIR platform, we may process security incident data provided by you, which may include:

  • Log files and security event data
  • Network traffic information
  • System configuration details
  • File hashes and metadata
  • Forensic artifacts
  • Incident-related communications

We understand the highly sensitive nature of this data and employ industry-leading security measures to protect it, as outlined in our "Data Security" section below.

How We Collect Information

We collect information in the following ways:

  • Direct Interactions: Information you provide when you create an account, purchase our Services, request support, or communicate with us.
  • Automated Technologies: As you interact with our website or Services, we may automatically collect Technical Data about your equipment, browsing actions, and patterns.
  • Platform Usage: When you use AIR, we collect information about how you interact with the platform and the data you input for analysis.
  • Third-Party Sources: We may receive information from third-party service providers, such as business partners, technical, payment, and delivery service providers, advertising networks, analytics providers, and search information providers.

How We Use Your Information

We use your information for the following purposes:

  • Providing, maintaining, and improving our Services
  • Processing and fulfilling your requests, transactions, and payments
  • Sending you service announcements, updates, security alerts, and support messages
  • Personalizing your experience with our Services
  • Analyzing usage patterns to improve our Services and develop new features
  • Detecting, investigating, and preventing fraudulent transactions and other illegal activities
  • Protecting our rights, property, or safety, and that of our users or others
  • Complying with legal obligations

Security Incident Data Processing

The AIR platform processes security incident data for the following specific purposes:

  • Automated security incident analysis and investigation
  • Threat detection and characterization
  • Providing actionable security recommendations
  • Creating incident reports and documentation
  • Supporting remediation and recovery efforts

Our processing is limited to these purposes, and we implement strict controls to ensure data is handled in accordance with your instructions and our contractual commitments.

Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third-party vendors who perform services on our behalf, such as cloud hosting, data analytics, payment processing, and customer service.
  • Business Partners: With your consent, we may share information with partners who offer complementary services.
  • Compliance and Legal Requirements: We may disclose information to comply with applicable laws, regulations, legal processes, or governmental requests.
  • Business Transfers: In connection with a corporate transaction such as a merger, acquisition, or sale of assets.
  • With Your Consent: We may share information for other purposes with your consent.

Security Incident Data Sharing

We take particular care with security incident data:

  • We never sell security incident data to third parties.
  • We only share this data with service providers who need access to provide the Services and who are bound by strict confidentiality requirements.
  • Unless explicitly authorized by you, we do not use customer security incident data to train our models or for any purpose other than providing the Services to you.

Data Security

The security of your information is our highest priority. We employ industry-standard technical, administrative, and physical safeguards designed to protect your information from unauthorized access, disclosure, use, and modification.

Our security measures include:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication for platform access
  • Role-based access controls and privileged access management
  • Regular security assessments and penetration testing
  • Continuous monitoring for suspicious activities
  • Employee security training and background checks
  • Physical security measures at our facilities
  • Incident response plan for data breaches

While we implement these safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information using commercially reasonable means.

Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include:

  • The duration of our ongoing relationship with you
  • Legal obligations to retain data for certain periods
  • Statute of limitations under applicable law
  • Our legitimate business interests

For security incident data, retention periods are specified in our service agreements. At the end of the applicable retention period, we securely delete or anonymize your information.

Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

  • Access: You may request access to your personal information.
  • Correction: You may request that we correct inaccurate or incomplete information.
  • Deletion: You may request the deletion of your personal information in certain circumstances.
  • Data Portability: You may request a copy of your personal information in a structured, machine-readable format.
  • Restriction: You may request that we restrict the processing of your information in certain circumstances.
  • Objection: You may object to our processing of your personal information.
  • Withdrawal of Consent: You may withdraw any consent you previously provided.

To exercise these rights, please contact us at privacy@neumann-labs.com. We will respond to your request in accordance with applicable law. Note that there may be circumstances where we cannot fulfill your request, such as when it would interfere with our regulatory obligations or affect legal matters, or when we cannot verify your identity.

International Data Transfers

We are based in the United States, and your information may be processed in countries where you are located or where we have facilities or service providers. These countries may have different data protection laws than your country of residence.

When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to the United States or other countries which the European Commission has not determined provide adequate protection, we use legal mechanisms designed to ensure your rights and protections travel with your data, such as Standard Contractual Clauses or binding corporate rules.

Compliance with Regulations

GDPR Compliance

For individuals in the European Economic Area, we process personal data in accordance with the General Data Protection Regulation (GDPR). We process personal data based on the following legal grounds:

  • To perform our contract with you
  • To comply with legal obligations
  • For our legitimate interests, such as improving our Services
  • With your consent, where applicable

CCPA/CPRA Compliance

For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). In addition to the rights described above, California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of your personal information, subject to certain exceptions
  • Opt out of the sale or sharing of your personal information
  • Not be discriminated against for exercising your privacy rights

We do not sell or share personal information as defined under the CCPA/CPRA.

Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us, and we will take steps to delete such information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by email or through a notice on our website prior to the changes becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Neumann Labs, Inc.

Attn: Privacy Officer

Email: privacy@neumann-labs.com