IMPORTANT: PLEASE READ THIS PRIVACY POLICY as it applies to any Personal Data you provide us or that we collect about you. This data is necessary to: (1) provide a functioning website, (2) respond to your inquiries about our products or services (‘Services’), (3) provide you with access to our Services, (4) deliver data Services to our clients, or (5) respond to your application for employment.

For example, this policy applies if you access the website at www.crowdthreat.com, or any other website owned, operated, or provided by Crowd Threat or its affiliated companies (‘Website’ and ‘Company’, ‘us’, ‘we’ respectively). For purposes of this policy, we may be the Controller or Processor as noted in the section titled “The Types of Personal Data We Collect.”

We do not market to or enter into contracts with children nor do we collect Personal Data from any person under 18 years of age. Please do not access or use the Website or Services if you are under 18 years of age.

What This Policy Covers

This Policy sets out what Personal Data we might collect, how we process and protect that data, the lawful grounds for that processing, and your related rights. We always seek to comply with the data protection laws applicable to our processing of personal data.

‘Personal Data’ covers legally defined terms like ‘personally identifiable information’ or ‘personal information’ in various jurisdictions, including the EU, UK, and the US. Essentially, Personal Data means any information relating to an identified or identifiable natural person. This Policy and our processes are based upon General Data Protection Regulation (‘GDPR’) principles, as it is a global standard for data protection.

• Note for Residents of the European Economic Area, Switzerland and the United Kingdom: The EU GDPR and UK GDPR may apply directly to our processing. Please see the section below titled ‘Your Rights Under GDPR’ for specific details on your rights.

We will update this policy from time to time by posting a new policy on the Website. It is your responsibility to check for changes.

Categories of Processing Activities

We have identified six general categories of processing activities for which we collect Personal Data as part of our operations: Threat & Alerting Data, Client Platform Data, Marketing Data, Website Improvement Data, Technology Collected Data, and Recruiting Data.

• Controller: We are the ‘controller’ for Marketing Data, Website Improvement Data, Technology Collected Data, and Recruiting Data as we determine the purposes and essential means of processing.

• Processor: We are the ‘processor’ of Threat & Alerting Data and Client Platform Data as the client remains the ‘controller’ of this data, and we only process it to fulfil our contract with them and on their instructions.

• Controller or Processor (Joint): For Due Diligence/Investigation Report Data, we may be either a joint ‘controller’ or ‘processor’.

How We Collect and Use Your Personal Data

We collect or are provided Personal Data in the normal course of business. While providing data is never a requirement, not providing the necessary data may prevent us from responding to your query or providing Services to you.

Purpose and Lawful Basis for Processing

We use Personal Data to provide, secure, manage, and improve our Services and to meet any binding contractual or legal obligations. The lawful grounds for processing are typically:

• Legitimate Interests: Necessary for our legitimate interests in carrying out our business (e.g., to maintain, improve and market our products and services).

• Contract: Necessary to perform a contract with you.

• Legal Obligation: Necessary to comply with our legal obligations.

• Consent: When processing is based on your consent, which you can withdraw.

Sharing Your Personal Data

We will not give, sell, or rent your Personal Data to third parties for their marketing purposes. We do not accept advertising from third parties on the Website.

However, we may share Personal Data in limited circumstances to comply with a law or legal request, or if we enter negotiations for the sale or purchase of all or part of our business. When sharing, we have written contracts in place to safeguard that data and comply with applicable laws.

The Types of Personal Data We Collect

Below is an aggregated overview of the information required by GDPR for the general types of processing activities.

Threat & Alerting Data

• Description of Personal Data Collected: Names of client employees/contractors, contact information, location data when near a threat, and platform access credentials.

• Business or Commercial Purpose: To provide threat data, tailored alerts, secure two-way communication, and emergency response services to meet clients' duty-of-care obligations.

• Lawful Basis: Legitimate Interests or Contract.

• If Shared, Category of Third-Party Recipients and Purpose: Affiliates, clients, contractors, and web hosting providers as part of Service delivery.

Client Platform Data

• Description of Personal Data Collected: Names of client employees or contractors, email address, username, and password, or data entered into the Services to access deliverables.

• Business or Commercial Purpose: To respond to enquiries about the Services, to provide Services, and to provide advice and support.

• Lawful Basis: Legitimate Interests or Contract.

• If Shared, Category of Third-Party Recipients and Purpose: Affiliates, clients, contractors, and web hosting providers as part of Service delivery.

Marketing Data

• Description of Personal Data Collected: Name, email address, telephone number, business title, professional information, and interests/preferences.

• Business or Commercial Purpose: To market our Services to you by email or through social media and networking sites. We provide an easy and free way to opt-out.

• Lawful Basis: Legitimate Interests or Consent.

• If Shared, Category of Third-Party Recipients and Purpose: Affiliates, social media companies, and consultants to market our services to you.

Website Improvement Data

• Description of Personal Data Collected: IP address, pages visited, and Service usage information.

• Business or Commercial Purpose: To analyse and improve the Website or the Services, for example for technical or security purposes and to improve the customer experience.

• Lawful Basis: Legitimate Interests, Contract or Consent.

• If Shared, Category of Third-Party Recipients and Purpose: Analytics providers, website designers, and consultants for operational requirements, security, and business continuity.

Technology Collected Data

• Description of Personal Data Collected: Online identifiers (IP address, email address), browsing history, and geolocation data collected by cookies (see Cookie Declaration).

• Business or Commercial Purpose: To personalize content, provide social media features, and analyze our Website traffic as further described in our Cookie Declaration Policy.

• Lawful Basis: Legitimate Interests or Consent (where required).

• If Shared, Category of Third-Party Recipients and Purpose: Analytics providers, website designers, and consultants as described in our Cookie Declaration Policy.

Recruiting Data

• Description of Personal Data Collected: CV, education records, professional or other employment history data, criminal history, and financial data.

• Business or Commercial Purpose: To manage our recruitment activities.

• Lawful Basis: Legitimate Interests.

• If Shared, Category of Third-Party Recipients and Purpose: Our affiliates, cloud storage providers, and consultants to advisors to assist our recruiting activities.

Special Categories and Protected Classifications of Personal Data

We generally do not collect ‘special categories of personal data’ (GDPR), except when provided by you as part of Recruiting Data, or as described below for Threat & Alerting Data or Due Diligence/Investigation Report Data.

• Threat & Alerting Data: We collect sensitive data, such as Geolocation, to meet our contractual obligations to clients who have legal or other obligations to provide appropriate communication and security to their personnel.

Financial Data

We do not collect or process any bank, debit, or credit card data through our websites or Services.

International Transfers and Location

Our Website servers and data processing facilities may be located in other countries. The servers that host our client platform are located in Ireland and the United Kingdom, and may be accessed from other countries.

By using any portion of the Website or Services, you are consenting to the transfer of your Personal Data to these facilities and those third parties with whom we share it as described in this Privacy Policy. To govern transfers of Personal Information from the EU/EEA to recipients outside the EU/EEA, we have entered into Standard Contractual Clauses adopted by the European Commission (“Data Transfer Agreement”).

Retention and Security

• Retention: We will only retain Personal Data for any statutory retention period, then a reasonable period necessary for the above purposes. Our clients determine the retention period for the Client Platform data.

• Security: We take appropriate technical and organisational measures to protect your Personal Data.

We may create anonymised data from Personal Data, which is no longer subject to this Privacy Policy.

Your Rights Under GDPR

Under the UK and EU GDPRs, you have the right to:

• Access: Know if we process your data and, if so, receive a copy of that data.

• Rectification: Ask us to remove or correct inaccurate data.

• Object: Object to certain processing, including for direct marketing.

• Withdraw Consent: Withdraw any consent you may have given us.

• Restriction: Ask us to restrict processing certain data.

• Erasure: Ask us to erase your personal data.

• Portability: Ask us to ‘port’ certain of your personal data to you or another provider.

Contact Us

If you have any questions or wish to exercise any of your rights, you can contact us:

• Email: contact@crowdthreat.com

• Mail: Privacy Policy Administrator, Crowd Threat, 15A Cobalt Business Park, Quick Silver Way, Newcastle Upon Tyne, NE27 0QQ

We will send an initial acknowledgement within ten (10) business days and will typically complete your request within forty-five (45) days of receipt.

Personal Data Category Definitions

The following section defines the categories of personal data collected and specifies their classification under GDPR, particularly noting if they constitute Special Category (Sensitive) or Identifying data.

Account Access

• Definition: Account log-in, credentials allowing access to an account.

• GDPR Special / Sensitive Classification: Identifiers; Sensitive

Advertisements

• Definition: Ad interaction data, impressions, ad clicks, etc.

• GDPR Special / Sensitive Classification: (None provided)

Audio Visual

• Definition: Audio, electronic, visual, thermal, olfactory, or similar information like call recordings, CCTV.

• GDPR Special / Sensitive Classification: (None provided)

Biometric

• Definition: Genetic, physiological, biological, or behavioral characteristics that can be used to establish identity (e.g., fingerprints, face scans, voice recordings).

• GDPR Special / Sensitive Classification: Sensitive

Criminal History

• Definition: Non-publicly available information related to a data subjects criminal arrests or convictions.

• GDPR Special / Sensitive Classification: Sensitive

Commercial

• Definition: Transaction records, contractual details, products/services provided, billing information.

• GDPR Special / Sensitive Classification: (None provided)

Compliance

• Definition: Status on sanctions lists, politically exposed person designation, information about ownership of companies.

• GDPR Special / Sensitive Classification: Identifiers

Demographic

• Definition: Race, color, ancestry, national origin, citizenship, religion, sex (including gender, sexual orientation), veteran status.

• GDPR Special / Sensitive Classification: Sensitive

Device Identifiers

• Definition: Internet Protocol address; cookies and tracking identifiers; device information, browser type.

• GDPR Special / Sensitive Classification: Identifiers

Employment Performance

• Definition: Employee performance plans, reviews, utilization rates.

• GDPR Special / Sensitive Classification: Identifiers; Professional Information

Education

• Definition: Education information that is not publicly available (e.g., test scores, transcripts, disciplinary records).

• GDPR Special / Sensitive Classification: (None provided)

Family

• Definition: Names and contact information for family members.

• GDPR Special / Sensitive Classification: Identifiers

Financial

• Definition: Bank account details, income, or any other financial information.

• GDPR Special / Sensitive Classification: Customer Records

Geolocation

• Definition: GPS data, precise location, non-precise location or movements.

• GDPR Special / Sensitive Classification: Geolocation Data; Sensitive

Government ID

• Definition: Social security number, driver’s license number, passport number, national or state identification card number.

• GDPR Special / Sensitive Classification: Identifiers; Sensitive

Health

• Definition: Medical, genetic, and health information, medical condition, physical or mental disability.

• GDPR Special / Sensitive Classification: Sensitive

Interests/Preferences

• Definition: Personal interests expressed on a CV, hobbies, work habits, website user’s preferences.

• GDPR Special / Sensitive Classification: Inferences

Mail, email, text message content (directed to business)

• Definition: Communication content directed to the business.

• GDPR Special / Sensitive Classification: Identifiers; Customer Records

Online User Activity

• Definition: Internet / site usage, analytics, metrics, search, browsing, and other activity or history information.

• GDPR Special / Sensitive Classification: (None provided)

Opinions / Commentary / Market Reputation

• Definition: Information regarding a data subject’s reputation from public and private sources.

• GDPR Special / Sensitive Classification: Inferences

Personal Details

• Definition: Name, alias, email or mailing address, telephone number, physical characteristics, date of birth, age, images/photos.

• GDPR Special / Sensitive Classification: Identifiers; Consumer Records

Political Opinions

• Definition: Information on an individual’s membership in a political party, participation in a demonstration, or support of a political idea.

• GDPR Special / Sensitive Classification: Sensitive

Professional Information

• Definition: Business title, position, email or mailing address, employer name, current or past employment history.

• GDPR Special / Sensitive Classification: Professional Information

Profiling / Inferences

• Definition: Inferences drawn from other personal information to create a profile reflecting a person’s preferences, characteristics, behavior, etc.

• GDPR Special / Sensitive Classification: Inferences

Public Posts / Comments / User-generated content

• Definition: Content of communications and other user generated content through interactive site/application features.

• GDPR Special / Sensitive Classification: (None provided)

Research, survey, interests, and feedback data

• Definition: Responses to surveys and questionnaires and feedback.

• GDPR Special / Sensitive Classification: (None provided)