Privacy Policy 

Date: 1 March 2024 

Version number: 1.2

Our Data Privacy Promise

  1. Private: We will never sell personally identifiable data.

  2. Secure: We will keep your data encrypted and safe.

  3. Consensual: We will only use your data in ways that you have consented to.

  4. No spam: You control what you receive from us.

  5. No floating data: if we aren’t using it, we’ll delete it.

  6. We Care: as a compliance technology company, this is part of our culture.

This Privacy Policy (“Policy”) applies to personal data processed by Castellum.AI in our business, including on our websites and other online or offline offerings (a “Service” or collectively, the “Services”). 

  1. This Policy describes how Castellum.AI and its related companies (“Company,” “we,” “our,” “us”) collect, use and share information in connection with your use of our websites, services and applications, collectively, the “Services.” This Policy also applies to any of our other websites that post this Policy. This Policy does not apply to websites that post different statements.

  2. We may collect and receive information about users of our Services ("users," "you," or "your") from various sources, including: (i) information you provide through your user account on the Services (your "Account") if you register for the Services; (ii) your use of the Services; and (iii) from third-party websites, services, and partners. See the table below for more information.

  3. Legal Basis for Processing Personal Information: Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. We normally collect personal information from you in the following cases:

    • Where we have your consent to do so.

    • Where we need the personal information to perform a contract with you.

    • Where we have a legitimate interest in operating our Services and communicating with you as necessary to provide these Services, for example when responding to your queries, improving our platform and services, researching and developing new products, undertaking marketing, or for the purposes of detecting or preventing illegal activities.

    • Where we have a legal obligation to collect personal information from you and need the personal information to protect your vital interests or those of another person.

    • If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

  4. Cookies: We use, and allow certain third parties to use cookies, web beacons and other similar technologies to enhance our Services and to help collect data. We, or third parties, may use session cookies or persistent cookies. Session cookies only last for the specific duration of your visit and are deleted when you close your browser. Persistent cookies remain on your device’s hard drive until you delete them or they expire. Different cookies are used to perform different functions, which we explain below:

    • Essential functions: Some cookies are necessary in order to enable you to move around our websites and use their features, such as accessing secure areas of the website. Without these cookies, we cannot enable appropriate content based on the type of device you are using. These cookies allow us to remember choices you make on our websites, such as your preferred language and the country from which you are visiting, and provide our services.

    • Analytics and Performance Measurement: We use third-party services to see how you use our websites and services in order to enhance their performance and develop them according to your preferences. We use Google Analytics to see where our Website users come from, what languages they prefer to see content in, and how long they spend on our site. Google provides a complete privacy policy, instructions on controlling your data at this link, and describes how it uses information from Google Analytics at this link. We also use Hotjar. Hotjar is a technology service that helps us better understand our users’ experience (e.g. allowing users to submit feedback through a widget, how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.). Hotjar uses cookies and other technologies to collect data on our users’ actions on our website and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, read more at this link. We use Clearbit to collect IP information regarding which enterprises are visiting our website. For this, Clearbit uses pixel tags to collect IP addresses, which can then be used to analyze web traffic and derive insights. You can learn more about Clearbit’s service at this link.

  5. Cookie Management: You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. The Help feature on most browsers provides information on how to accept cookies, disable cookies or to notify you when receiving a new cookie. Many of the cookies we use are “necessary” cookies. By blocking or deleting them, you will not be able to access certain features of our Services. For more information about cookies and how to block them, please visit allaboutcookies.org.

  6. Opportunity to Opt-Out: You can use some of the features of the Services without registering, thereby limiting the type of information that we collect. You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, simply follow the instructions found at the end of emails you receive from us. Even if you unsubscribe, we may still contact you for informational, transactional, account-related, or similar purposes. Many browsers have an option for disabling cookies, which may prevent your browser from accepting new cookies or enable selective use of cookies. Please note that, if you choose not to accept cookies, some features and the personalization of our Services may no longer work for you. You will continue to receive advertising material but it will not be tailored to your interests.

  7. California Consumer Privacy Act Rights: California law permits residents of California to opt out of the disclosure of their personal information to third parties for direct marketing purposes. We do not provide personal information to third parties. California law also permits residents of California to request and obtain from us once per year, free of charge, a list of the third parties (if any) to whom we have disclosed personal information for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. As we do not share information with third parties for marketing purposes, we do not have any information to provide. If we ever change this policy, which we do not plan to, we will update this Privacy Policy appropriately.

  8. Data Breach: If we learn of a data breach, we will notify you through the email you have provided to us. We may also post a notice on the Services if a security breach occurs. Depending on where you live, you may have a legal right to receive written notice of a data privacy or security breach.

  9. Security: Security is a top consideration in everything we do and Castellum.AI is committed to protecting your information. To do so, we employ a variety of security technologies and measures designed to protect information from unauthorized access, use, or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing personal information. 

    • HTTPS for secure connections. Castellum.AI forces HTTPS for all services using TLS (SSL), including our public website.

    • We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. 

    • You agree, and understand, that despite all the measures we take, the Internet cannot be guaranteed to be 100% secure.

  10. Data Encryption: Castellum.AI protects user data with encryption in transit and at rest. Measures are in place at every layer of the platform to protect confidentiality and ensure reliable delivery of cloud services. 

    • The product development team adheres to industry best practices, following a secure software development lifecycle process, where security is considered at every stage in the development. 

    • To reduce security risk, measures have been taken throughout the entire operating environment, including code scanning, vulnerability management, automation, monitoring, access controls, network protection, incident response, training, and the use of secure cloud service and hosting providers.

    • These measures are designed and intended to prevent corruption of data, block unknown or unauthorized access to Castellum.AI systems and information, as well as provide reasonable protection of private information.

  11. Data Retention: We retain personal information we collect from you where we have an ongoing legitimate business need to do so.

    • For example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements.

    • We retain information you upload where we have an ongoing business need to tune, enhance and improve our services. 

    • When we have no ongoing legitimate business need to retain your personal information or information you upload, we will either delete or anonymize it.

  12. Content and Links to Other Websites or Platforms: The Services contain links to other websites and sources of information. Castellum.AI is not responsible for the privacy practices of unaffiliated companies. Once you leave our Website, please read the Privacy Policy of the other Service, Website or Platform.

  13. Assignment: In the event that all or part of Castellum.AI is acquired by another individual or entity, or in the event of a merger, you grant us the right to assign all of the information we have collected from and regarding you.

  14. Our Legal and Security Requirements: We may also share anonymized or personally identifiable information with law enforcement or security investigators to (i) satisfy any applicable law, regulation, legal process, or governmental request; (ii) enforce this Privacy Policy and our BETA Participant Agreement, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) protect our property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.

  15. Updates to this Privacy Policy: We may update this Privacy Policy from time to time, so please review it frequently. Changes to this Privacy Policy will be posted on our websites. If we materially change the ways in which we use or share personal information previously collected from you through our Services, we will notify you through our Services, by email, or other communication.


  16. Contact Us: Your visit to the Services is subject to this Privacy Policy. If you have any questions, comments or concerns regarding this Privacy Policy, please contact us by email at privacy@castellum.ai or by postal mail at: Privacy, Castellum.AI, 99 Wall Street #1377, New York, NY 10005.

Categories of data 

Below is a table of the categories of data, as classified by the California Consumer Privacy Act (CCPA), which summarizes the types of information Castellum.AI does and does not collect as well as who we share it with.

| Category and sources of information | How we use it | Types of individuals affected | How we share it |
| --- | --- | --- | --- |
| Identifiers: We collect this information when people visit or log into our website. | To enable the use of Castellum.AI services on behalf of our customers and users, and gain an understanding of how visitors are using the website. | People who use or visit our website. | We share this data with our trusted service providers that we use to run our business. |
| Personal information under California Civil Code section 1798.80: We collect this information from our users and customers that visit and use our website. | To enable the use of our services on behalf of our customers and users, and gain an understanding of how visitors are using our website. | People who choose to share personal information through our features while visiting our website. | We share this data with our customers and users via their password-controlled accounts and our trusted service providers that we use to run our business. |
| Protected classifications (race, gender, etc.): We do not collect this information. | Not applicable. | Not applicable. | Not applicable. |
| Commercial information: We collect this information directly from our leads, customers, and users. It is generated internally during transactions with them. | To transact only with those that have requested us to do so. | Individuals or companies that have a request, such as a support ticket or a request for a price quote or product demo. | We share the data pertaining to these requests with those that initiated the original transactions as well as our trusted service providers that we use to run our business. |
| Information that you upload to our platform: This includes names, locations, IDs, dates of birth and places of birth, identification numbers and anything else that you upload to ensure that you can perform your compliance functions. | We screen this information against watchlists that you select to ensure you can comply with your legal needs. We may also use this information to tune, enhance and improve the Service and other products and services. | Those that upload information to our platform, and those whose information is lawfully, and with appropriate authorization, uploaded to our platform. | We do not and will never share any personally identifiable information. |
| Biometric information: We do not collect this information. | Not applicable. | Not applicable. | Not applicable. |
| Electronic network activity information: We collect this information from our users and customers that visit our website. | To enable the use of services on behalf of our customers and users, and gain an understanding of how visitors are using the website. | People who use or visit our website. | We share this data with our customers and users via their password-controlled accounts and our trusted service providers that we use to run our business. |
| Communications: If you contact us directly, we will receive the contents of your communication and associated information. | To respond to you, provide support and inform you of changes that affect your use of services. | People who use or visit our website and who send us messages. | We do not share this information, unless sharing it helps us provide you with services, improve features or provide support. |
| Geolocation data: We collect this information from our users and customers that visit our website. | To provide the country of the end user so we can better understand where the end user resides and ensure sanctions and export compliance. | People who use or visit our website. | We share this data with our service providers. |
| Audio or Video data: We do not collect this information. | Not applicable. | Not applicable. | Not applicable. |
| Professional or employment related information: We collect this information from our leads, customers, and users. | To better understand our user community in order to enhance our services. | Anyone who signs up for an account with us. | We only share this information with our trusted service providers that we use to run our business. |
| Education information: We do not collect this information. | Not applicable. | Not applicable. | Not applicable. |
| Inferences: We generate these internally based on specific visitor behaviors. | We classify specific user behaviors in order to aid in the analysis of how websites are being used. | Individuals that exhibit specific usage patterns on a website such as those that rapidly click their mouse or bounce back and forth between pages. | We share this data with our customers and users via their password-controlled accounts and our trusted service providers that we use to run our business. |