Privacy Policy Version 3.0

Version 3.0 — Updated April 4, 2019

Recorded Future, Inc. is a threat intelligence company, which analyzes threat data to provide better, faster security.

I. What We May Collect About You

When you visit the Recorded Future website, or use our services, we may collect the following types of information:

Information About People or Entities Online

The purpose of Recorded Future’s services is to amass data from thousands of selected sources at high pace and extract information from that data. Thus, from publicly available data, including commercially available data, we correlate different data sources to extract meaningful information from the raw data. This includes information about individual companies, people, organizations, places, etc. — as well as events in which they are involved. By analyzing dates referenced in that public information, we can also add temporal information about subjects and events – not only what events are happening, but when they are happening and who are the participants. We honor robots.txt and behave as a responsible crawler. The raw and analyzed data is stored in a centrally located and secured location. We harvest publicly accessible data to build an awesome user experience and an API that our users can benefit from in doing all kinds of information, analysis, and search tasks. We currently offer multiple kinds of capabilities — and expect to build many other types of services in the future.

While the underlying documents that we process during harvesting are not stored beyond a brief caching period, the indexes and other data that we generate in our harvesting process will be stored for a long time in order to enhance the quality of the services offered. The information collected is limited only by the nature of the information publicly posted online or commercially available, in government filings (e.g., SEC filings) or in publicly accessible locations. This means that much of the information will relate to high profile people, companies or events (e.g., the President of the United States, CEO of General Electric, etc.), but it can include information about just about anyone – if that information is in a public source. If you want to know what information the Recorded Future index contains about you from public sources, simply query the user interface, but remember that not every potential source on the internet is indexed (actually, far from it). If you find an error, or want us to add a new source, enter a note of correction in our user interface and we will respond to your request as appropriate.

To create these indices, Recorded Future processes the information referenced above for certain legitimate business purposes, which may include (but is not limited to) the following:

  • Empowering organizations to remediate compromised credentials;
  • Locating data that may have been breached or leaked online;
  • Tracking vulnerabilities and exploits targeting our customers;
  • Providing enrichment for data logs and security infrastructure; and
  • Enabling organizations to better research threats.

We analyze threat intelligence to better protect the organizations that use our service, and we believe this makes technology more secure.

When we process personal information for our legitimate interests, we make sure to consider and balance any potential impact on potential data subjects and their rights under data protection laws.

Information You Provide to Us

When you sign up as a customer, vendor, or partner, you will be asked to provide certain information about yourself, including personally identifiable information, (name, address, email address) billing and other related information. Additionally, some customers may use our "Analyst Notes" feature to add custom annotations to Intelligence Cards™ that are visible to others in your organization. We will also use the information you provide to us to enable you to enter into contests, and where we have your consent, to send you marketing materials about the contests and our other services including follow-up demos, as well as future competitions and events. We will use this information strictly to provide services to you, and will not share this information with third parties without your consent, except to the extent necessary to process your requests (for example, processing a credit card for payment).

Information About How You Use Our Services

When you interact with Recorded Future, by using our services, posting queries, performing analysis, or annotating results, a record of these activities will be collected automatically as a result of your use of the website. When you create this information by engaging in actions such as (but not limited to) posing queries, doing analysis, annotating results, etc. the information will be collected, stored or archived by Recorded Future. Information about your interaction with Recorded Future (queries, visualizations, analysis, etc.) is saved for 14 days on our servers unless you delete that information or delete your account. While our servers automatically collect information as a consequence of your using the service, we do not examine or inspect individual search queries, and we encrypt the logs related to your searches or inquiries. If you have chosen to share results of queries, analysis or similar searches with others, copies of that information will remain viewable by those with whom you have shared the query or similar even after you remove information from your profile or delete your account. We log queries you make when you use our system, and we anonymize them; but we do not manually inspect them. We will not share your queries with anyone, unless you ask us to do so through the user interface, although you are free to share queries information yourself.

Recorded Future is not a data broker. Recorded Future does not maintain files on individuals’ purchases, nor sell lists of consumers. Recorded Future does not collect consumer information for targeting of ads. Recorded Future does not provide consumer scoring. In addition, Recorded Future:

  • Does not maintain transaction-specific data about consumer purchases.
  • Does not obtain payment data from retailers and/or catalog companies.
  • Does not track consumer product purchases, the dollar amount of the purchase, the date of the purchase, or payment types.
  • Does not obtain information from magazine publishers about the types of subscriptions sold.

Put simply, Recorded Future does not provide consumer marketing databases, or even the means to produce consumer marketing databases, in any shape or form.

Cookies

When you visit the Recorded Future website, we may send one or more cookies – a small file containing a string of characters – to your computer, mobile phone, or other device that uniquely identifies your browser. When you return to our site, we may detect the presence of that cookie, and the information contained in it. We will not share this cookie information with anyone, and will use it solely to provide services to you.

Cookies allow Recorded Future to provide customers, and visitors to our site, a better, more secure experience. While the exact names and parameters of cookies used by Recorded Future will periodically change, they are generally used for authentication, security, performance, or analytics. These cookies can be deleted at any time. To learn more about how Recorded Future uses Cookies, please click here.

Internet Log Information

When you access any Recorded Future website, network, server, or other electronic asset, our servers automatically record information that your browser sends whenever you visit any website. These logs may include information such as the nature and content of your web request, your Internet Protocol address (and approximate geographic location), browser type and version, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser. In the event of an actual or attempted unauthorized or malicious access to our website or servers, we may use this information to conduct investigations and to protect the integrity of your information. We may preserve your information if we believe it is reasonably necessary to protect our systems, enforce our Terms of Service, or address any security or technical issues.

Your Communications With Us

When you send or receive email or other communications with us, we may retain those communications in order to process your inquiries, respond to your requests and improve our services, to inform you about changes in our policies or pricing or service offerings or to fulfill or respond to requests you may initiate. Additionally, we use a service that lets us know when you have received or opened email we have sent to you. We use this information solely for the purposes of tracking whether or not you have received an email from us for quality control and response purposes. We also offer an email alerting capability called “Alerts” which automatically sends information you have requested to an email account you have registered with us. You have ultimate control over the information sent to you through this service, including the nature and scope of the information, and the frequency of such alerts. To access this service and put in your personal controls, visit the Alerts management page and update your settings.

Links In and Out

Recorded Future may collect information about sites that have linked to our sites, or sites that we link to. Therefore, Recorded Future may collect information about the website you came from when you were directed to us, or the website you visit as a result of a link on our site.

Children

We do not knowingly collect or maintain personally identifiable information from persons under 13 years of age, and no part of Recorded Future’s sites are directed at persons under the age of 13. If you are under 13 years of age, then please do not use the Website. If we learn that personally identifiable information of persons under 13 years of age has been collected without verifiable parental consent, then we will take the appropriate steps to delete this information. To request the deletion of any such information, please contact us at privacy [at] recordedfuture [dot] com.

II. How We Use the Information

When We Share

Recorded Future does not share your personal information with any other companies or individuals except for the following:

Consent. We will not share your nonpublic information except to deliver services to you unless you affirmatively opt-in to such sharing. If you share this data with third parties, this is, of course consent to such sharing.

While non-anonymized data is never shared, metadata and anonymized information may be transmitted to our data provider partners when their databases are queried. This allows us to provide you with enriched context about that data from a wider variety of sources.

Legal Requirements. We may share, or log your information without your consent if we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or valid governmental request, (b) enforce applicable Terms of Service, Terms of Use or contractual obligations including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property, safety or security of Recorded Future, its users or the public as required or permitted by law.

Sharing in the Event of a Merger or Acquisition

If Recorded Future becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, the assets of Recorded Future may include “information assets” including the information we have collected about you. In that event, we will continue ensure the confidentiality of any personal information involved in such transactions and provide you with notice before any of your personal information is transferred and may become subject to a different privacy policy.

Using Aggregated Information to Improve Our Service

We may use information about how you have used our service in order to improve our service offering to you or to others. By knowing, for example what kinds of information you are seeking on our site, and the results delivered to you, we may be able to analyze this information to deliver more targeted results, and a better user experience. While we will not share the individual search results or what we call “identified” information about your searches or results, we may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or the nature of the results returned to aggregated users. Such information does not identify you or your searches or results individually.

How We Protect Your Information

While no measures can ever guarantee absolute security, Recorded Future takes commercially reasonable and appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data, including data that relates to your personally identifiable information, which we update to stay consistent with industry standards. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. Additionally, all log data is automatically deleted after 14 days. We restrict access to personal information to Recorded Future employees, contractors and agents (including third party hosting platforms) who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

Data Integrity and Quality

Recorded Future processes personal information only for the purposes for which it was collected and in accordance with this Privacy Policy. We review our data collection, storage and processing practices to ensure that we only collect, store and process the personal information needed to provide or improve our services or as otherwise permitted under this Policy. We take reasonable steps to ensure that the personal information we process is accurate, complete, and current, but we depend on our users to update or correct their personal information whenever necessary.

Quality of Internet Information

The information we deliver to our clients and customers (that is the aggregated, analyzed and indexed information from public sources), is only as accurate as the original source material itself. Thus, we cannot remove information from a public website, blog, posting, filing or other source, and if the underlying information is erroneous, our index of that information will merely reflect what was posted. Therefore, before you act on any information we may provide to you from public sources, you should undertake reasonable steps to validate the accuracy of the information, not merely its existence. We accept no responsibility to validate the accuracy of information posted by others online, nor does Recorded Future have any ability to do so.

Accessing and Updating Personal Information

When you use Recorded Future services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request if it is not otherwise required to be retained by law or for legitimate business purposes. We ask individual users to identify themselves and the information requested to be accessed, corrected or removed before processing such requests, and we may decline to process requests that are unreasonably repetitive or systematic, jeopardize the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup tapes), or for which access is not otherwise required. In any case where we provide information access and correction, we perform this service free of charge, except if doing so would require a disproportionate effort. All requests, accompanied by proof of identification, should be sent to privacy [at] recordedfuture [dot] com

Enforcement

Recorded Future regularly reviews its compliance with this Privacy Policy. Please feel free to direct any questions or concerns regarding this Privacy Policy or Recorded Future’s treatment of personal information by contacting us by email to privacy [at] recordedfuture [dot] com, or by writing to us at Recorded Future/Privacy Policy, 363 Highland Avenue, Suite 2, Somerville, MA, 02144, USA. When we receive formal written complaints at this address, it is Recorded Future’s policy to contact the complaining user regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that cannot be resolved between Recorded Future and an individual.

EU-U.S. Privacy Shield Framework

Recorded Future and its subsidiaries comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, and the United Kingdom, to the United States.

Recorded Future has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Recorded Future commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Recorded Future’s Data Protection Officer at privacy [at] recordedfuture [dot] com.

Recorded Future has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit JAMS for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Furthermore, individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, please refer to Annex I of the Privacy Shield Framework.

In the context of an onward transfer, Recorded Future has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Depending on the circumstances, Recorded Future may remain liable under the Privacy Shield if its agent processes such personal information in a manner inconsistent with the Principles.

Depending on where you reside (for example, the European Union), you may have several rights regarding Personal Information:

  • You have the right to request an accounting of all personal information that we possess that pertains to you in an electronically portable format (e.g., electronic copies of information attached to an email).
  • You have the right to request that we change any personal information that pertains to you.
  • You have the right to request that we delete any personal information that pertains to you.

To request an accounting of your personal information, a change to your personal information, or deletion of your personal information, contact privacy [at] recordedfuture [dot] com.

Under the EU-U.S. Privacy Shield Framework, the Federal Trade Commission has jurisdiction over Recorded Future’s compliance with the Framework.

III. Mobile App Users

All information obtained through Recorded Future’s mobile application is treated consistently with this privacy policy. Just as with users of Recorded Future’s website, users of Recorded Future’s mobile application also have the following information collected through the application:

  • _System logging_. As with the website, you might be asked to provide information about yourself. We use this information strictly to provide services to you, and will not share information to third parties without your consent, except as necessary to process your requests.
  • _Usage tracking_. Like with the website, when you interact with the mobile app, we collected information about your use of the app. As with the website, we do not examine or inspect individual search queries without your consent, and we encrypt the logs related to your searches or inquiries.

In addition, Recorded Future also collects crash data. If your app suffers a crash, it will send telemetry data back to Recorded Future through Sentry.io and through the app store you used when you downloaded the app. This telemetry information contains data about what caused the crash, provides identifying information about you, the user (such as your IP address and, in some cases, your email address), and what you were doing at the time of the crash. Your identifying information relating to a crash event is stored for 90 days.

If you have any questions regarding the information collected through the mobile app, please contact privacy [at] recordedfuture [dot] com.

IV. Changes to this Privacy Policy

Please note that this Privacy Policy may change from time to time. We will post any Privacy Policy changes on this page and, if we believe the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). By using, or continuing to use, this service after being provided notice of the change is policy, you will be deemed to have consented to the change. Each version of this Privacy Policy will be identified at the top of the page by its effective date, and we will also keep prior version of this Privacy Policy in an archive for your review. If you have any additional questions or concerns about this Privacy Policy, please feel free to contact us any time by email to privacy [at] recordedfuture [dot] com.