[ /legal/privacy // v2.4 ]

Privacy Policy.

What we collect, why we collect it, and how to get it deleted. No dark patterns. No data broker pipelines.

LAST_REVISED: 2026-04-01
DOC_ID: IH-LEGAL-PRV-002 VERSION: 2.4 EFFECTIVE: 2026-04-01 JURISDICTION: EU / GDPR

// 01Overview

IntelHarvest ("we", "us") provides a threat-intelligence automation platform for CTI analysts. This policy explains what personal data we process when you use our website, create an account, or integrate with our API.

We do not sell personal data. We do not enrich third-party profiles with yours. Threat intelligence output derived from your submissions is yours; we only expose it publicly when you explicitly set a report to public.

// TL;DR: email, hashed password, submitted PDFs, and generated reports. That's it. You control privacy per-report.

// 02Data we collect

Account data

  • Email address, username, full name (optional), company (optional)
  • Hashed password — we never see plaintext
  • Role preference (SOC / CTI / C-level) for tailored output
  • Plan, credits remaining, subscription timestamps

Usage data

  • PDF uploads and extracted text — only for the duration of analysis
  • Generated reports (TTPs, IOCs, threat actors, executive summaries)
  • API request logs — IP, timestamp, endpoint, status code
  • Feed subscriptions and crawl history

Technical data

  • Server logs (IP, user-agent, referrer, request path) retained 30 days
  • Session cookies for authentication

// 03How we use it

  • Authenticate you and enforce plan limits
  • Run ATT&CK mapping, IOC extraction, and actor clustering on your submissions
  • Generate reports and make them available via dashboard / API
  • Detect abuse, enforce rate limits, and investigate security incidents
  • Send transactional email (password reset, billing, security alerts) — no marketing without opt-in

// 04Sharing & subprocessors

We share the minimum necessary data with the following categories of processors:

cloud_hosting   —   EU-region provider (compute, storage)
email_transactional   —   SMTP provider for password resets / receipts
error_monitoring   —   Self-hosted Sentry instance (no personal data in stack traces)
payment_processing   —   PCI-compliant gateway (we never store card numbers)

A current, exhaustive subprocessor list is available on request to privacy@intelharvest.com.

// 05Retention

  • Uploaded PDFs: deleted within 60 seconds of analysis completion
  • Generated reports: retained while your account is active; deleted 30 days after account closure
  • Server logs: 30 days rolling
  • Billing records: 7 years (legal obligation)

// 06Your rights

Under GDPR and equivalent regimes you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your account and all associated reports
  • Export your data as JSON via the /api/v1/intel/reports endpoint
  • Object to processing and lodge a complaint with your supervisory authority

Exercising any of these rights is free and takes effect within 30 days. Mail privacy@intelharvest.com.

// 07Security

  • TLS 1.3 in transit; AES-256 at rest
  • Passwords hashed with Werkzeug PBKDF2-SHA256
  • Principle-of-least-privilege IAM on all infrastructure
  • Third-party penetration tests annually
  • Responsible disclosure: security@intelharvest.com

// 08Cookies

We use a single first-party session cookie for authentication. We do not use tracking, advertising, or analytics cookies. If that changes we will update this policy and show a consent banner before setting any optional cookie.

// 09International transfers

Primary infrastructure is hosted in the European Union. Where a subprocessor operates outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) and equivalent safeguards.

// 10Contact

data_controller   —   IntelHarvest B.V.
dpo_email   —   privacy@intelharvest.com
postal   —   Istanbul, TR (full address on request)
response_sla   —   30 days

// end_of_document   // hash: sha256:a3f1…92d4   // supersedes v2.3