Privacy Policy

Last updated: 23 February 2026

1. Who We Are

ThreatMonitor ("we", "us", "our") operates the threatmonitor.io website and provides CVE vulnerability intelligence services. This policy explains how we collect, use, and protect your personal data when you use our services.

2. Data We Collect

We collect the following information:

  • Account Information: Name, email address, and encrypted password when you register
  • Payment Information: Processed securely by Stripe. We do not store your card details
  • Usage Data: Pages visited, features used, and CVEs viewed to improve our service
  • Analytics Data: Anonymised browsing data via Google Analytics (see Cookies section)

3. How We Use Your Data

We use your data to:

  • Provide and maintain your ThreatMonitor account
  • Process subscription payments via Stripe
  • Send vulnerability alerts you've opted into (critical CVEs, vendor alerts, etc.)
  • Respond to support requests
  • Improve our platform based on usage patterns

We do not sell your personal data to third parties.

4. Legal Basis (UK GDPR)

We process your data based on:

  • Contract: To provide the service you signed up for
  • Legitimate Interest: To improve our platform and prevent fraud
  • Consent: For marketing emails (which you can opt out of at any time)

5. Data Sharing

We share data only with:

  • Stripe: For payment processing
  • Google Analytics: For anonymised usage analytics
  • Abacus.AI: For AI-powered features and email notifications

All third parties are bound by data protection agreements.

6. Cookies

We use:

  • Essential Cookies: Required for login and site functionality
  • Analytics Cookies: Google Analytics to understand site usage

You can disable cookies in your browser settings, but this may affect site functionality.

7. Data Security

We protect your data using:

  • TLS 1.3 encryption for all data in transit
  • Encrypted database storage
  • Secure password hashing (bcrypt)
  • Regular security updates

8. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we're legally required to retain it (e.g., payment records for tax purposes).

9. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Object: Object to certain processing activities

To exercise these rights, email us at [email protected].

10. Changes to This Policy

We may update this policy from time to time. We'll notify you of significant changes via email or a notice on our website.

11. Contact Us

For privacy-related questions, contact us at:

Email: [email protected]