Legal Document

Privacy Policy

Effective Date: 25 March 2026
Last Updated: 25 March 2026
Version 1.0
GDPR · CCPA · KVKK Compliant

Plain-language summary: CLAWOLF collects only the data necessary to deliver our Autonomous MDR and Agentic SOAR services. We do not sell your personal data. We do not share it with advertisers. You retain full rights over your data at all times. For the full legal detail, read on.

01

Who We Are

CLAWOLF Cyber Intelligence Ltd. ("CLAWOLF", "we", "us", or "our") is the data controller responsible for your personal data. We operate the CLAWOLF Agentic Guard platform — an autonomous Managed Detection and Response (MDR) and Security Orchestration, Automation and Response (SOAR) service.

Our registered office and principal place of business is the address provided under Section 14 (Contact & DPO) of this policy. References to the "Platform" include our web application, APIs, integrations, and all associated services.

Enterprise customers (B2B): If you access CLAWOLF through your employer or a corporate account, your organisation is a separate data controller for the security telemetry it sends us. This policy covers CLAWOLF's own processing of personal data. Your organisation's own privacy policy applies to its use of the Platform.

02

Data We Collect

We collect personal data in three ways: data you provide directly, data generated automatically when you use the Platform, and data received from your integrated security tools.

Category | Examples | Source
Account Data | Name, work email address, job title, company name, password (hashed) | Provided by you on registration
Contact Data | Email address submitted via demo request forms or contact forms | Provided by you
Billing Data | Company name, billing address, VAT number. Card details are processed directly by our payment processor and never stored by CLAWOLF. | Provided by you at checkout
Usage & Telemetry | Pages visited, features used, clicks, session duration, browser type, OS, IP address | Automatically collected
Security Event Data | Alerts, IOCs, log data, device hostnames, IP addresses — from your connected security tools (EDR, SIEM, etc.) | Your integrated tools via API
Communications | Content of support requests, emails, or chat messages you send us | Provided by you
SSO / Identity | Email, name, and identity token provided by your SSO provider (Okta, Azure AD, Google) if you use SSO login | Your identity provider

We do not collect special category data (health data, biometric data, racial or ethnic origin) and do not seek to do so. If any security event data transmitted to us incidentally contains such information, it is processed only as part of the threat detection pipeline and is not used for any other purpose.

03

How We Use Your Data

We use personal data for the following purposes:

  • Service Delivery — to provision accounts, authenticate users, process alerts, run autonomous agents, and display results within the Platform.
  • HITL Approval Workflows — to identify the right human analyst or administrator to receive approval requests for high-risk automated actions.
  • Billing & Payments — to manage subscriptions, issue invoices, and process payments via our payment processor.
  • Customer Support — to respond to help requests, diagnose issues, and improve product reliability.
  • Security & Fraud Prevention — to detect, prevent, and investigate suspicious login activity, data breaches, or abuse of the Platform.
  • Product Improvement — aggregated, anonymised usage analytics to understand how features are used and prioritise development.
  • Marketing & Communication — to send you product updates, security advisories, and (with your consent) promotional content. You may unsubscribe at any time.
  • Legal Compliance — to comply with applicable laws, court orders, and regulatory requirements including financial sector regulations applicable to our customers.
  • Audit Trails — to maintain immutable logs of user actions and system events required by SOC 2, ISO 27001, and customer compliance mandates.

We do not use your data to train third-party AI models or sell it to data brokers or advertisers.

04

Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6:

Processing Activity | Legal Basis
Account creation and service delivery | Performance of a contract (Art. 6(1)(b))
Billing and payment processing | Performance of a contract (Art. 6(1)(b))
Security event processing (customer telemetry) | Performance of a contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))
Audit trails and compliance logging | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f))
Product analytics (anonymised) | Legitimate interests (Art. 6(1)(f))
Security and fraud detection | Legitimate interests (Art. 6(1)(f))
Marketing emails to existing customers | Legitimate interests (Art. 6(1)(f)) — with opt-out
Marketing emails to new leads | Consent (Art. 6(1)(a))
Legal and regulatory compliance | Legal obligation (Art. 6(1)(c))

Legitimate interests: Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 8).

05

Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • Sub-processors & Service Providers — vendors who process data on our behalf under binding Data Processing Agreements (DPAs), including: cloud infrastructure providers, email delivery services, payment processors, and customer support tools. A full sub-processor list is available on request at privacy@clawolf.io.
  • Integrated Vendor Platforms — when you connect your EDR, SIEM, or cloud tools, the Vendor Query Agent queries those platforms on your behalf using credentials you provide. We do not retain vendor credentials beyond the active session unless you explicitly configure persistent integration tokens.
  • Threat Intelligence Providers — IOCs (IP addresses, hashes, domains) extracted from your alerts may be submitted to threat intelligence APIs (e.g., VirusTotal) for reputation lookup. These are technical indicators only and are not linked to personal data.
  • Legal Authorities — where required by law, court order, or regulatory authority. We will notify you of any such disclosure to the extent permitted by law.
  • Business Transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity under the same privacy protections.
  • With Your Consent — for any other purpose not listed above, only with your explicit prior consent.

06

International Data Transfers

CLAWOLF operates infrastructure in multiple regions. If you are located in the EEA, UK, or Switzerland, your data may be transferred to and processed in countries outside of these regions, including the United States.

When we transfer personal data internationally, we rely on one or more of the following safeguards:

  • European Commission Standard Contractual Clauses (SCCs) — incorporated into our Data Processing Agreements with sub-processors and customers.
  • UK International Data Transfer Agreements (IDTAs) — for transfers from the United Kingdom.
  • Adequacy decisions issued by the European Commission or UK Secretary of State.

You may request a copy of the relevant transfer mechanisms by contacting privacy@clawolf.io.

Financial sector customers: If your data residency requirements mandate processing within a specific jurisdiction (e.g., EU-only), please contact our sales team. We offer dedicated regional deployment options on Corporation/MSSP plans.

07

Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, or as required by law. Our standard retention periods are:

Data Type | Retention Period | Reason
Account data (active) | For the lifetime of the account | Service delivery
Account data (after deletion) | 30 days (then anonymised) | Account recovery window
Security event data (hot tier) | Plan-dependent: 7 – Unlimited days | Threat investigation and audit
Security event data (cold archive) | Up to 7 years on Enterprise+ | Regulatory compliance (financial sector)
Audit trail logs | 7 years minimum | Legal and compliance requirements
Billing records | 7 years | Tax and financial regulations
Support communications | 3 years after ticket close | Quality and dispute resolution
Marketing / lead data | 2 years from last interaction | Legitimate interests / consent basis
Usage analytics (anonymised) | Indefinitely | Product improvement (no personal data)

When retention periods expire, data is securely deleted or irreversibly anonymised.

08

Your Rights

Depending on your location, you have the following rights over your personal data. You may exercise any of these rights by contacting us at privacy@clawolf.io. We will respond within 30 days (GDPR) or 45 days (CCPA).

Right of Access

Request a copy of all personal data we hold about you and information about how it is processed.

Right to Rectification

Request correction of inaccurate or incomplete personal data. You can update most account data directly in your profile settings.

Right to Erasure

Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.

Right to Restrict Processing

Request that we limit how we process your data in certain circumstances (e.g., while a dispute is resolved).

Right to Data Portability

Receive your data in a structured, machine-readable format (JSON/CSV) and transfer it to another controller.

Right to Object

Object to processing based on legitimate interests or for direct marketing at any time. We will stop unless we have compelling overriding grounds.

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

File a complaint with your local supervisory authority (e.g., ICO in the UK, or the relevant EU DPA in your country).

Identity verification: To protect your data, we will verify your identity before processing any rights request. We may ask for confirmation of your account email address or other information to confirm your identity.

09

Cookies & Tracking Technologies

CLAWOLF uses cookies and similar technologies to operate and improve the Platform. We categorise cookies as follows:

Category | Purpose | Consent Required
Strictly Necessary | Session management, authentication tokens, CSRF protection. Required for the Platform to function. | No — essential to service
Functional | User preferences (theme, language, dashboard layout), remembered login state. | No — legitimate interests
Analytics | Aggregated usage statistics to improve the Platform. We use privacy-friendly analytics that do not fingerprint individual users. | Yes — consent banner
Marketing | Currently not used. If introduced, will require explicit consent. | Yes — if/when introduced

You can manage cookie preferences through your browser settings or our cookie preference centre (accessible via the banner on your first visit). Disabling strictly necessary cookies will prevent the Platform from functioning correctly.

The CLAWOLF public landing page loads Google Fonts, which may result in your IP address being transmitted to Google's servers. See Google's Privacy Policy for details.

10

Security Measures

As a cybersecurity company, we apply rigorous controls to protect your data. Our security measures include:

  • Encryption in transit: All data transmitted between your browser/client and our servers uses TLS 1.2 or higher.
  • Encryption at rest: Databases and file storage are encrypted using AES-256.
  • Access controls: Role-based access control (RBAC) ensures employees access only the data necessary for their role. Access to production systems is restricted and audited.
  • Authentication: Multi-factor authentication (MFA) is enforced for all CLAWOLF staff with access to production systems.
  • Penetration testing: Regular third-party penetration tests and vulnerability assessments.
  • Incident response: We maintain an incident response plan. In the event of a personal data breach, we will notify affected individuals and relevant supervisory authorities within 72 hours where required under GDPR.
  • Audit trails: All access to personal data is logged in an immutable audit trail.

Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it to security@clawolf.io.

11

Children's Privacy

The CLAWOLF Platform is a business-to-business (B2B) service intended solely for use by professionals aged 18 or older. We do not knowingly collect or process personal data from individuals under the age of 18.

If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@clawolf.io and we will delete it promptly.

12

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: Request deletion of personal information we collected from you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: CLAWOLF does not sell or share personal information with third parties for cross-context behavioural advertising. No opt-out action is required.
  • Right to Limit Use of Sensitive Personal Information: CLAWOLF does not use sensitive personal information for purposes other than those permitted under CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise your California rights, contact us at privacy@clawolf.io with the subject line "California Privacy Request". We will verify your identity and respond within 45 days.

Authorised agents: You may designate an authorised agent to submit requests on your behalf. The agent must provide written authorisation signed by you, and we may verify your identity directly.

13

Turkey — KVKK Rights & Obligations

This section applies to data subjects residing in the Republic of Turkey whose personal data is processed by CLAWOLF in accordance with Law No. 6698 on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu — KVKK) and the secondary legislation published by the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK Authority / KVKK Kurulu).

VERBİS Registration: As a data controller processing personal data of Turkish residents, CLAWOLF maintains its registration in the Data Controllers' Registry Information System (VERBİS) as required under KVKK Article 16. Our VERBİS registration number will be published here upon completion of registration.

Data Controller Identity (Veri Sorumlusu)

For the purposes of KVKK, the data controller is CLAWOLF Cyber Intelligence Ltd., reachable at kvkk@clawolf.io. All KVKK-related requests and objections must be submitted to this address with the subject line "KVKK Başvurusu".

Legal Basis for Processing Under KVKK

CLAWOLF processes personal data of Turkish residents based on the following legal grounds set out in KVKK Articles 5 and 6:

  • Explicit consent (Açık Rıza — Art. 5/1): For marketing communications and any processing not covered by a statutory ground below.
  • Establishment or performance of a contract (Art. 5/2-c): Processing necessary to create your account, deliver the Platform, and manage billing.
  • Legitimate interest of the data controller (Art. 5/2-f): Security monitoring, fraud prevention, and aggregated product analytics — where such interests do not override your fundamental rights.
  • Legal obligation (Art. 5/2-ç): Compliance with applicable Turkish law, court orders, and regulatory requirements.

Your Rights Under KVKK Article 11

As a Turkish data subject, you have the following rights, which you may exercise by applying directly to CLAWOLF as the data controller:

Right | Description
Learning (Öğrenme) | Learn whether your personal data is being processed.
Access (Bilgi Talep) | Request information about the purpose of processing and whether data is used in accordance with its purpose.
Domestic/International Recipients | Know the domestic or foreign third parties to whom personal data has been transferred.
Rectification (Düzeltme) | Request correction of incomplete or inaccurate personal data.
Erasure or Destruction (Silme/İmha) | Request deletion or destruction of personal data where the conditions for processing no longer exist.
Notification to Third Parties | Request notification to third parties to whom data was transferred of any correction, deletion, or destruction carried out.
Object to Automated Decisions (İtiraz) | Object to decisions taken solely through automated processing that are to your detriment.
Compensation (Tazminat) | Claim compensation for damages arising from unlawful processing of personal data.

How to Submit a KVKK Request

You may exercise your rights under KVKK Article 11 by submitting a written application to CLAWOLF using one of the following methods:

  • Email: kvkk@clawolf.io — with subject line "KVKK Başvurusu" and a copy of a valid identity document.
  • Secure electronic signature or KEP: If available, applications may be submitted via registered electronic mail (KEP) to our notified KEP address.

We will respond to your KVKK requests within 30 days from the date of receipt at no charge. Where the request involves a cost to CLAWOLF, we may charge a fee in accordance with the tariff published by the KVKK Authority.

Cross-Border Data Transfers Under KVKK

Pursuant to KVKK Article 9, personal data of Turkish residents is transferred abroad only where:

  • The destination country has been declared adequate by the KVKK Authority; or
  • A written undertaking has been obtained from the relevant foreign data controller and the transfer has been approved by the KVKK Authority; or
  • Explicit consent has been obtained from the data subject for the specific transfer.

Where we rely on standard undertakings or authority approvals, copies of the relevant documents are available on request at kvkk@clawolf.io.

Right to Complain to the KVKK Authority

If you believe your rights under KVKK have been violated and your application to CLAWOLF has not been resolved within 30 days (or has been rejected), you have the right to file a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu):

KVKK Authority
Nasuh Akar Mahallesi, Ziyabey Caddesi No:1407, 06520 Balgat / Ankara, Turkey
Web: www.kvkk.gov.tr  ·  Phone: +90 312 216 50 50

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an email notification to all registered account holders at least 14 days before the changes take effect.
  • Display a prominent notice within the Platform for 30 days following any material update.

Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised policy. If you do not agree to the changes, you may close your account before the effective date.

Previous versions of this policy are available on request by emailing privacy@clawolf.io.

15

Contact & Data Protection Officer

For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us using the details below. We aim to respond to all enquiries within 5 business days.

CLAWOLF Privacy & Data Protection

Controller: CLAWOLF Cyber Intelligence Ltd.
Privacy Email: privacy@clawolf.io
DPO Email: dpo@clawolf.io
KVKK (TR): kvkk@clawolf.io — subject: "KVKK Başvurusu"
Subject Line: Include "Privacy Request" or "Data Rights Request"
Response Time: Within 5 business days (rights requests: 30 days under GDPR)

If you are located in the European Union and believe your rights under GDPR have been violated, you have the right to lodge a complaint with your national data protection supervisory authority. A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).