Privacy Policy
Overview
This Privacy Policy explains how Patchly AI Corp ("Patchly," "we," "us," or "our"), a Delaware corporation, collects, uses, shares, and protects information when you use our websites, platform, software, and services (the "Services"). It also describes your choices regarding your information.
We believe in being straightforward about data. As a cybersecurity company, we understand the sensitivity of the information you entrust to us — and we treat it accordingly.
The short version: your data is yours. We collect what we need to run the Services, we protect it with the same rigor we bring to our security products, and we don't sell it. Ever.
This Privacy Policy should be read together with our Terms of Service. If you have entered into a separate Data Processing Addendum (DPA) or Enterprise Agreement with Patchly, those agreements govern to the extent they conflict with this policy.
Information We Collect
Information You Provide to Us
| Category | Examples |
|---|---|
| Account Information | Name, email address, company name, job title, phone number, billing address, and payment information when you create an account or subscribe to a Paid Plan. |
| System & Security Data | Vulnerability scan results, patch deployment records, system configurations, endpoint metadata, software inventories, and other technical data you submit to or generate through the Services ("Your Data" as defined in our Terms of Service). |
| Communications | Information you provide when you contact our support team, respond to surveys, participate in webinars, or communicate with us through any channel. |
| Integration Credentials | API keys, OAuth tokens, and connection details you provide to integrate the Services with your existing tools. These are stored encrypted and used solely to maintain your integrations. |
Information We Collect Automatically
| Category | Examples |
|---|---|
| Usage Data | Features accessed, actions taken within the platform, dashboard views, report generation, search queries, and interaction patterns with the Services. |
| Device & Connection Data | IP address, browser type and version, operating system, device identifiers, referring URLs, and general geographic location (city/country level derived from IP). |
| Log Data | Server logs, error reports, access timestamps, API call records, and performance metrics. |
| Cookie & Tracking Data | Information collected through cookies, pixels, and similar technologies as described in the Cookies & Tracking section below. |
Information from Third Parties
We may receive information about you from third parties in limited circumstances, for example: identity verification services to prevent fraud, business contact databases for sales and marketing purposes, and publicly available vulnerability databases and threat intelligence feeds that inform our Patch Veracity engine (these do not contain your personal information).
How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Services. Processing vulnerability data, generating Patch Veracity scores, producing risk assessments, displaying dashboards, and delivering the features you use.
- Account Management. Creating and managing your account, processing payments, sending billing notifications, and managing subscriptions.
- Improving the Services. Understanding how the Services are used, identifying bugs and performance issues, developing new features, and improving the user experience.
- Security & Fraud Prevention. Protecting the Services and our users from security threats, detecting unauthorized access, and preventing fraudulent activity.
- Communications. Sending transactional emails (account confirmations, security alerts, service updates) and, where permitted, marketing communications about Patchly products and events.
- Legal Compliance. Meeting our legal obligations, responding to lawful requests from public authorities, enforcing our Terms of Service, and protecting our rights.
- Aggregated Insights. Creating aggregated and de-identified benchmarks, trend analyses, and threat intelligence that help improve security outcomes across our customer base.
Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are: performance of our contract with you (providing the Services), your consent (where you have opted in to marketing communications or optional data programs), our legitimate interests (improving the Services, security, fraud prevention), and compliance with legal obligations.
AI & Machine Learning
We believe AI should make security teams more effective, not more exposed. That's why we're transparent about how our models work and give you control over your data's role in improving them.
Our Services use artificial intelligence and machine learning to power features like Patch Veracity scoring, risk-based prioritization, and remediation recommendations. Here's how your data interacts with our AI systems:
- Processing Your Data. We use AI models to analyze Your Data and generate outputs specific to your environment (risk scores, patch confidence levels, remediation guidance). This processing is performed solely to deliver the Services to you.
- No Cross-Customer Training. We do not use Your Data to train AI models that benefit other customers, unless you have explicitly opted in to a data-sharing program.
- Aggregated & De-Identified Data. We may use aggregated and de-identified data — which cannot reasonably identify you or your organization — to improve our AI models, generate industry benchmarks, and enhance threat intelligence.
- Opt-Out. You may opt out of aggregated data contributions at any time through your account settings or by contacting privacy@patchly.ai.
- Human Review. AI-generated outputs are informational and designed to assist — not replace — qualified security professionals. We recommend human review of all AI-generated recommendations before taking action.
How We Share Information
We do not sell your personal information. We do not rent it. We do not trade it. We share your information only in the following limited circumstances:
- Service Providers. We share information with trusted third-party vendors who help us operate the Services (cloud infrastructure, payment processors, email delivery, customer support, analytics). These vendors are contractually obligated to protect your information.
- At Your Direction. When you use features that share reports or data with others (colleagues, auditors, integrations), we share information as you direct.
- Business Transfers. If Patchly is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you of any change in ownership.
- Legal Requirements. We may disclose information if required by law, regulation, legal process, or enforceable governmental request. We will notify you where legally permitted and will challenge overbroad requests.
- Protection of Rights. We may share information when necessary to protect the safety, rights, or property of Patchly, our users, or the public.
Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Services, remember your preferences, understand how you use the platform, and improve your experience.
| Type | Purpose | Duration |
|---|---|---|
| Essential | Required for the Services to function: authentication, session management, security, and load balancing. Cannot be disabled. | Session / 12 months |
| Functional | Remember your preferences and settings (language, dashboard layout, notification preferences). | Up to 12 months |
| Analytics | Understand how the Services are used so we can improve them. Privacy-respecting; no individual advertising profiles. | Up to 24 months |
| Marketing | Used on our public website (not the platform) to measure marketing effectiveness. | Up to 12 months |
When you first visit our website, we present a cookie consent banner. You can update preferences at any time through the cookie settings link in our footer or through your browser settings. We honor Do Not Track (DNT) browser signals.
Data Retention
We retain your information only as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law:
- Account Information: Retained for the duration of your account plus 30 days after closure.
- Your Data (System & Security Data): Available for export for 30 days following termination, then deleted from active systems. May persist in encrypted backups for up to 90 days.
- Billing Records: Retained for 7 years as required by tax and financial regulations.
- Usage & Log Data: Retained for up to 24 months, then aggregated or deleted.
- Marketing Preferences: Retained until you withdraw consent or unsubscribe.
- Support Communications: Retained for up to 3 years to provide consistent support.
When data reaches the end of its retention period, we securely delete or irreversibly anonymize it.
Data Security
As a cybersecurity company, security isn't just a feature — it's foundational to everything we do. We implement and maintain administrative, technical, and physical safeguards, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and the principle of least privilege for all internal systems.
- Regular penetration testing and vulnerability assessments of our own infrastructure.
- SOC 2 Type II compliance (or active preparation toward certification).
- Employee security training and background checks.
- Incident response procedures with defined notification timelines.
- Multi-factor authentication for all internal access to production systems.
No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you in accordance with applicable law and our contractual obligations.
International Data Transfers
Patchly is headquartered in the United States and processes data primarily in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and other lawful transfer mechanisms. If you have entered into a Data Processing Addendum with Patchly, the DPA governs international data transfers for your account. You can request a copy of our SCCs by contacting privacy@patchly.ai.
Your Privacy Rights
Depending on where you are located, you may have certain rights regarding your personal information. We are committed to honoring these rights regardless of your location, to the extent it is practical and legally permissible.
EEA / UK / Switzerland (GDPR)
- Access — Request a copy of your personal data.
- Rectification — Correct inaccurate or incomplete data.
- Erasure — Request deletion of your personal data.
- Restriction — Restrict processing in certain circumstances.
- Portability — Receive your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent — Where processing is based on consent, withdraw it at any time.
- Complaint — Lodge a complaint with your local supervisory authority.
All Users
- Access & Export — View and export Your Data through the Services at any time.
- Correction — Update your account information through your settings.
- Deletion — Request deletion of your account and associated data.
- Opt-Out of Marketing — Unsubscribe from marketing emails using the link in any message.
- Opt-Out of AI Data Contributions — Opt out through your account settings.
- Cookie Preferences — Manage cookie settings via our website consent tool.
To exercise any of these rights, contact privacy@patchly.ai. We will respond within 30 days (or sooner where required by law). We will not discriminate against you for exercising your privacy rights.
Additional U.S. State Privacy Rights
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another state with a comprehensive privacy law, you may have additional rights under those laws.
California (CCPA/CPRA)
- Right to Know. You can request details about the categories and specific pieces of personal information we have collected, along with the sources, the purposes, and the third parties with whom it was shared.
- Right to Delete. You can request deletion of your personal information, subject to certain legal exceptions.
- Right to Correct. You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing. We do not sell your personal information and do not share it for cross-context behavioral advertising.
- Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.
In the preceding 12 months, we have collected the categories of personal information described in the Information We Collect section. We do not sell personal information and have not done so in the preceding 12 months.
To submit a request under applicable state privacy law, contact privacy@patchly.ai. You may also designate an authorized agent to make a request on your behalf.
Other U.S. States
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have similar rights. We honor these rights consistently regardless of your state of residence. To exercise them, contact privacy@patchly.ai.
Children's Privacy
The Services are not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact privacy@patchly.ai.
Third-Party Links & Integrations
The Services may contain links to third-party websites, services, or integrations (for example, Microsoft services, SIEM platforms, or ticketing systems). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you connect to or access through the Services.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days in advance by email or by posting a prominent notice in the Services. The "Effective Date" at the top indicates when it was last updated. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, we want to hear from you:
Patchly AI Corp
Privacy Inquiries: privacy@patchly.ai
Data Protection: dpo@patchly.ai
General Legal: legal@patchly.ai
Your privacy and security are at the heart of everything we build. Thank you for trusting Patchly AI.