Privacy Policy
Dated June 17, 2026
PRIVACY POLICY — TEAM CYMRU THREAT INTELLIGENCE
This policy explains what data the Team Cymru Threat Intelligence application ("the App") receives, how it is used, how long it is kept, how it is protected, and your rights over it. It is provided by Team Cymru ("we", "us") and supplements Team Cymru's general Privacy Policy at https://www.team-cymru.com/privacy. Some items below apply only where your platform supports them (such as file uploads or interactive sign-in); where a feature is unavailable, the related data is not collected.
1. DATA WE COLLECT
- Identifiers and routing data: a platform user ID, an organization/workspace/tenant ID, a pseudonymous (one-way SHA-256) tenant key, conversation/thread and activity identifiers, and your display name.
- Query content: the text of your queries and interactive submissions (such as feedback). Where file uploads are supported, file content is processed in memory to extract indicators (IP addresses, domains, hashes) and then discarded.
- Authentication data (where sign-in is required): profile claims (user ID, display name, organization ID, role) and short-lived sign-in/session material (authentication state, PKCE values, single-use authorization code, access and refresh tokens, token expiry, and a conversation reference).
- Operational records: usage and cost metrics, security watchlist matches, and request-context fields recorded in logs and traces.
2. HOW WE USE IT
We use this data to operate the App and return responses, route requests and keep each customer's data isolated, authenticate you, enforce usage limits, maintain logs and metrics for reliability and security, account for usage, and act on feedback you submit.
The App does not run its own language model. To answer a query, we transmit the query text and conversation context over an encrypted (HTTPS) connection to a third-party AI model provider that your organization selects and authorizes; that provider generates the response. Within our service your platform identity is replaced with a one-way pseudonymous key. The provider is not a Team Cymru subprocessor, and its handling of that data — including any retention or training on inputs — is governed by your organization's agreement with it. We do not use your query content to train Team Cymru's own AI/ML models except where your organization agrees in writing; we may use aggregated, anonymized, or de-identified usage data to operate and improve the service. AI responses may be inaccurate or incomplete — if any output seems inappropriate or harmful, report it to the contact in section 6 and we will act on it promptly.
Please do not paste passwords, credentials, API keys, or personal information into queries, as query text is sent to your AI provider and may be kept in our feedback records.
3. HOW LONG WE KEEP IT
Authentication and session data is short-lived: transient sign-in state expires automatically (on the order of minutes), session data is kept until you sign out or the session can no longer be refreshed, and any in-memory access-token caching lasts on the order of one minute. All other data the App stores — query text in feedback records, operational and audit logs and traces, usage and cost records, watchlist match records, and user and organization records — is retained for up to 60 days, after which it is deleted or anonymized. Data sent to your organization's AI provider is retained by that provider under its own terms.
4. HOW WE PROTECT IT
We apply the following controls to protect the data the App handles:
- Encryption in transit: traffic between the App, our service, your platform, and the AI provider is sent over HTTPS using TLS.
- Identity pseudonymization: your platform identity is replaced with a one-way (SHA-256) key before queries are sent to the AI provider, so your raw identity is not exposed in that process.
- Tenant isolation: each customer's data is segregated using a one-way tenant composite key across our data stores.
- Access controls and audit logging: access to stored data is restricted to authorized personnel and systems, and activity is recorded in audit logs.
- Credential handling: authentication tokens and secrets are held in a dedicated secrets store and a short-lived session store, with the limited lifetimes described in section 3, and are never exposed to end users.
These controls operate within Team Cymru's broader information-security program, described in our general Privacy Policy (see section 6).
5. DATA WE RECEIVE BUT DO NOT KEEP
We do not retain profile fields beyond your display name (real name, email, phone, job title), uploaded file contents, full message history, reactions, @mentions, channel or space names, presence/calendar/client metadata, or single-use dialog tokens. Ongoing conversation history is held server-side by our service, not stored within the platform integration.
6. YOUR RIGHTS AND HOW TO CONTACT US
You can access, correct, export, or delete the data the App holds about you. Contact us at support@cymru.com; we verify requests and respond within 45 days, and you may use an authorized agent or appeal a decision. Where we process this data on behalf of your organization, we may coordinate your request with them; data held by your AI provider must be addressed through that provider. Use the same address to report inappropriate or harmful output. For your full rights — including EU-U.S. Data Privacy Framework and UK Extension rights, U.S. state privacy rights, international transfers, children's privacy (the service is not intended for anyone under 16), and our broader security program — see Team Cymru's general Privacy Policy, which this policy supplements; for App-specific matters this policy controls, and the DPF Principles govern any conflict.