Herd Security Privacy Policy

Effective Date: 09/23/23
Last Updated: 07/01/25

Herd Security, Inc. (“Herd Security,” “we,” “us,” or “our”) provides AI-driven security training and social engineering threat detection for subscribing organizations (“Customers”) and their users. This Privacy Policy explains how we collect, use, share, and protect personal data processed through our Services, including our subscription platform, free tools, and websites.

1. Scope of This Policy

This policy applies to personal data processed in the following contexts:

  • Visitors to Herd Security websites and public-facing content

  • End Users (employees or users under Customer accounts using our Services)

  • Customer Admins (those managing enterprise accounts and integrations)

If you are a Customer and have executed a Data Processing Agreement (DPA) with us, that DPA governs in case of conflict.

2. What Is Personal Data?

“Personal Data” refers to any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and behavioral metadata.

3. Roles and Responsibilities

  • Herd Security is a Processor of End User data processed via our Services.

  • Customers are Controllers of the data submitted or uploaded to the platform.

  • For Visitors, Herd Security acts as a Controller.

4. What Data We Collect

We collect Personal Data in three main categories:

A. Visitor Data (website, forms)
  • Name, email, phone number, organization

  • IP address, browser/device info, referral URL

  • Cookie and usage data

B. Customer Admin Data
  • Name, email, role/title, department

  • Authentication credentials and audit logs

  • Admin interactions and access control data

C. End User Data
  • Name, email, organization ID

  • Behavioral metadata (clicks, message metadata, training responses)

  • Risk scores, phishing simulation results, and platform usage data

    Note: We do not process message content or store full messages from Slack, Microsoft Teams, or Discord.

5. How We Collect Data

  • From Customers or their Admins during setup and account configuration

  • Through browser interactions (cookies, logs, beacons)

  • Via integrations with communication platforms

  • Through forms and email correspondence

6. Purpose and Legal Basis of Processing

We process Personal Data for the following purposes:

Purpose                                 Legal Basis
Delivering Services                     Performance of contract
Platform security and fraud prevention  Legitimate interests
Customer support                        Performance of contract
Training personalization                Legitimate interests
Regulatory compliance                   Legal obligation
Marketing (only for Visitors)           Consent (where required)

7. Use of Artificial Intelligence

  • AI is used only for inference, not training.

  • We do not use any Customer data to train large language models, including models by subprocessors such as OpenAI.

  • AI analyzes metadata to identify phishing or behavioral patterns and personalize training content.

  • No automated decision-making with legal or significant impact occurs.


8. Cookies and Tracking Technologies

We use cookies and web beacons for analytics, onboarding support, and platform improvements. Types include:

  • Session cookies (expire after session ends)

  • Support cookies (used to optimize onboarding/training experience)

    We do not use cookies for behavioral advertising. You may disable cookies via your browser.


9. International Data Transfers

Currently, we do not host any data internationally or support entities operating outside of the United States of America.

10. Subprocessors and Sharing of Data

We use third-party providers ("Subprocessors") under strict contractual obligations. Key Subprocessors include:

  • Amazon Web Services (AWS) – cloud hosting

  • OpenAI – inference-based language models

  • Slack, Microsoft Teams, Discord – integrations

We also disclose Personal Data:

  • For legal compliance or law enforcement requests

  • In connection with a business transfer (e.g., acquisition, merger)

  • With your consent or instruction

We do not sell Personal Data to third-party sources or vendors.


11. Data Retention

We retain Personal Data for as long as necessary to:

  • Provide services to the Customer

  • Fulfill legal and contractual obligations

  • Maintain security, audit, and logging records (standard: 12–24 months)

Upon Customer request or termination, data will be deleted within 30 days unless retention is legally required.


12. Security Measures

Herd Security employs industry-standard measures:

  • Encryption at rest and in transit

  • Access controls and role-based permissions

  • Audit logging and monitoring


13. Data Subject Rights

Depending on your location, you may have rights to:

Right                  Description
Access                 Request a copy of your Personal Data
Correction             Correct inaccurate or incomplete data
Deletion               Request deletion of your data
Objection              Object to processing based on legitimate interests
Restriction            Ask us to stop processing in certain circumstances
Portability            Receive data in a portable format
Automated decisions    Request human review of automated processing
Withdraw consent       Where processing is based on consent
Lodge complaints       With a supervisory authority in your jurisdiction


How to Exercise Your Rights:

  • Contact us at: info@herdsecurity.io

  • If you’re an End User, we may forward your request to your organization’s Account Admin.


14. Children's Data

Herd Security’s Services are not intended for children under 13 unless used under an education contract.

  • FERPA: We act as a “School Official” under applicable regulations.

  • COPPA: Parental or institutional consent is required if users are under 13.

15. Sensitive Data Disclaimer

We do not request or process:

  • Protected Health Information (PHI) under HIPAA

  • Financial data covered by GLBA or PCI DSS

  • Government-issued ID or Social Security Numbers

    Do not upload such information. We are not certified to handle it, and its presence may violate our Terms of Service.


16. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Request access or deletion of your Personal Data

  • Know the categories of data collected and shared

  • Opt out of data sales (we do not sell data)

  • Not be discriminated against for exercising your rights

Submit requests to: info@herdsecurity.io
We may verify identity before responding.


17. Complaints and Dispute Resolution

If you believe we have not resolved your concern:

  • You may file a complaint with your Data Protection Authority (EEA/UK/Switzerland)

  • If subject to the Data Privacy Framework, you may:

    • Contact our U.S.-based dispute resolution provider (free of charge)

    • Invoke binding arbitration as a last resort


18. Contact Us

If you have questions, complaints, or wish to exercise rights:

Email: info@herdsecurity.io