Privacy Policy

Last updated: March 26, 2026

1. Introduction

Kaspera LLC ("we," "us," or "Kaspera") operates Kaspera Shield, an AI-powered cybersecurity and compliance platform. We are committed to protecting the privacy of organizations and individuals who use our platform.

This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data. By using Kaspera Shield, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you register, we collect your organization name, administrator name, and email address. This information is required to create and manage your account.

Employee Data

Customer organizations may upload or import employee information including names, email addresses, departments, and job roles. We also store training completion records, phishing simulation results (including click tracking), quiz scores, policy acknowledgement status, and AI-generated risk scores for each employee.

Security Scan Data

When you use our vulnerability scanner, we collect domain names, IP addresses, and vulnerability findings for the domains and infrastructure you authorize us to scan. Scan results are stored and attributed to your organization.

Usage Data

We collect information about how you use the Service, including feature usage patterns, login events, session data, and dashboard interactions. This data helps us improve the platform and provide support.

Payment Data

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive payment credentials on our servers. We retain only the Stripe customer and subscription identifiers necessary to manage your billing.

3. How We Use Information

  • To provide, maintain, and improve the Kaspera Shield platform and its features
  • To generate AI-powered security insights, policies, risk profiles, and compliance recommendations
  • To send transactional emails including scan results, training reminders, breach alerts, and security notifications
  • To send phishing simulation emails to employee email addresses provided by the customer organization
  • To calculate security scores and employee risk profiles
  • To provide customer support and respond to inquiries

We do not use customer data to train AI models. AI-generated content is produced using third-party AI services with customer data included only in individual prompts — not used for model training or improvement.

We do not sell your data to third parties under any circumstances.

4. Data Processor vs. Controller

For employee data uploaded by customer organizations (names, email addresses, training records, phishing results), Kaspera LLC acts as a data processor. The customer organization is the data controller and is responsible for:

  • Having appropriate legal authorization to share employee data with us
  • Informing employees about how their data is used in connection with security training
  • Responding to employee data access or deletion requests (we will assist on request)

5. Phishing Simulation Data

Email addresses used in phishing simulation campaigns are provided by the customer organization. When a simulated phishing email is sent, we track whether the recipient opened the email and whether they clicked the simulated phishing link. This click-tracking data is stored and attributed to individual employees to support security awareness reporting.

Customer organizations are responsible for ensuring that their employees have been informed, as part of their employment terms, that security testing — including simulated phishing — may be conducted.

6. Data Sharing

We share data only with the following third-party service providers, each of which is necessary to operate the platform:

  • Supabase — database hosting and authentication
  • Vercel — application hosting and deployment
  • Anthropic — AI content generation (prompts may include domain names, policy context, and organizational metadata but not personal employee data)
  • Resend — transactional and phishing simulation email delivery
  • Stripe — payment processing
  • HaveIBeenPwned API — breach checking using customer-provided email domains only

We do not share data with advertising networks, data brokers, or any other third parties not listed above.

7. Data Retention

Active customer data is retained for the duration of the subscription. Upon subscription cancellation or account termination, data is retained for an additional 30 days to allow for export. After this period, data is permanently deleted.

Customers may request immediate deletion of their data at any time by contacting us at legal@kasperashield.com.

8. Security

We take the security of your data seriously and implement commercially reasonable technical and organizational measures, including:

  • Encryption in transit (TLS/HTTPS) for all data transmitted to and from the platform
  • Encryption at rest for stored data via our database provider
  • Row-level security policies enforcing organizational data isolation
  • Role-based access controls within customer organizations
  • Regular vulnerability scanning and security monitoring of our own infrastructure

9. Your Rights

Customers may request access to, correction of, or deletion of their organization's data by emailing legal@kasperashield.com. We will respond to all requests within 30 days.

If you are an employee of a Kaspera Shield customer and wish to exercise data rights, please contact your employer (the data controller) directly.

10. Children's Privacy

Kaspera Shield is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from an individual under 18, we will take steps to delete it promptly.

11. International Users

Kaspera Shield is hosted in the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your data to the United States for processing and storage. We will handle your data in accordance with this Privacy Policy regardless of where it is processed.

12. Cookies and Tracking

We use essential session cookies for authentication and maintaining your login state. These cookies are necessary for the Service to function and cannot be disabled.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral advertising technology. We do not participate in ad networks or share browsing data with advertisers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes via email to the account administrator or via an in-app notification banner at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at legal@kasperashield.com.

© 2026 Kaspera Shield. A product of Kaspera.
