Privacy Policy
Last updated: 28 June 2026
This policy explains how the vCISO Threat Intel platform (the website at vciso.au and the iOS and Android apps, together the “Service”) handles information. The Service aggregates already-published cyber threat intelligence and lets members share intel with each other. We are privacy-first by design: we collect the minimum needed to run the Service and we never sell your data.
Information we collect
- Account details. When you sign in we use single sign-on (Google or LinkedIn). We receive your name, email address and avatar from that provider. We never see or store your password.
- Content you create. Intel posts, comments, ratings, saved indicators (IOCs), connections, direct messages, your technology watchlist and company domain. This is what you choose to add.
- Operational data. Basic technical data needed to serve requests (e.g. authentication tokens and timestamps). We do not use third-party advertising or analytics trackers.
We do not collect your contacts, photos, precise location, or device identifiers for advertising.
How we use information
- To authenticate you and keep your account secure.
- To show your feed, posts, messages, and exposure/CVE alerts.
- To match your own company domain and declared technologies against already-published breach and exploitation data, so we can alert you when you appear in it. We never scan, probe, or enumerate any domain.
- To operate, maintain, and improve the Service.
How sharing works
Intel you post is visible only to other authenticated members according to the audience you choose (everyone on the platform, a specific group, your connections, or named recipients). Member intel is never exposed to the anonymous public internet. Public threat data shown in the Service (news, advisories, CVEs, ransomware leak-site disclosures) is aggregated from already-published sources.
Service providers
We share data only with processors that help us run the Service:
- Supabase – authentication and database hosting.
- Google and LinkedIn – single sign-on identity providers (only when you choose to sign in with them).
These providers process data on our behalf under their own terms. We do not sell personal data and we do not share it for advertising.
Data retention
We keep your account and content while your account is active. Stored IOCs are pruned to the retention window you choose (30, 60, or 90 days). You can ask us to delete your account and associated content at any time (see Contact).
Your choices
- Access, correct, or delete your account data by contacting us.
- Choose the audience for everything you post.
- Stop using SSO by signing out; revoke access from your Google or LinkedIn account settings.
Children
The Service is intended for security professionals and is not directed to children under 16.
Changes
We may update this policy; we will revise the “Last updated” date above and, for material changes, notify members in-app.
Contact
Questions or data requests: [email protected].