Privacy Policy
Effective Date: March 4, 2026
Windsor Security LLC ("Windsor Security," "we," "us," or "our") is an Ohio limited liability company that operates the website windsorsec.com and related services. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website and services. By using our services, you agree to the practices described in this policy.
1. Information We Collect
Account Information
When you create an account, we collect:
- First name and last name
- Email address
- Password (stored securely; we never store passwords in plain text)
Once your account is active, we also maintain associated account data such as your user ID, IOC enrichment usage counts, and timestamps related to your activity.
Usage and Analytics Data
We operate a lightweight, first-party analytics system to understand how visitors interact with our site. Our analytics tracker uses sessionStorage — not cookies — to maintain a session identifier. Session IDs are randomly generated and automatically cleared when you close your browser tab or window.
During a session, we may collect:
- Page paths you visit on our site
- Referrer URLs (the page that linked you to our site)
- Your browser's user agent string
- Whether you arrived from an AI tool (such as ChatGPT, Claude, Perplexity, Gemini, Copilot, or similar services)
This data is transmitted to our analytics endpoint at track.windsorsec.com using the browser's navigator.sendBeacon API. We do not use third-party analytics platforms such as Google Analytics.
Service Data
When you use our products, we collect information necessary to deliver and improve those services:
- IOC Enrichment: Indicators of compromise you submit for analysis, including IP addresses, domains, URLs, file hashes, and email addresses.
- AI Assessment: Your quiz responses, scores, and the resulting risk tier classification.
- SignalForge: Alert and incident metadata from connected Microsoft Sentinel instances. We do not ingest or store raw log data from your SIEM.
Communication Data
We collect information you provide when you communicate with us or sign up for notifications:
- Waitlist signups: Email address, name, referral source, and IP address.
- AI Assessment email capture: Email address, quiz score, risk tier, and your answers. This data is processed through our form provider, Formspree.
- Contact form submissions and emails: Any information you include when you reach out to us.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and improve our services: Delivering IOC enrichment results, generating threat intelligence reports, operating SignalForge, and continuously improving the quality of our tools.
- Process IOC enrichment requests: Your submitted indicators are queried against threat intelligence sources to return enrichment data. This is the core function of the service.
- Analytics: Understanding how visitors use our site, which pages are most useful, and how people discover us (including referrals from AI tools). This helps us prioritize development and improve the user experience.
- Communications: Sending service-related updates, responding to inquiries, and notifying you about security matters that may affect your account.
- Payment processing: When applicable, processing payments for paid services.
- Security and enforcement: Enforcing our Terms of Service, preventing abuse, and protecting the integrity of our platform.
3. Information Sharing
We do not sell your personal information. We share data only in the limited circumstances described below:
Service Providers
We work with a small number of third-party providers who process data on our behalf:
- Formspree: Processes form submissions for our AI Assessment quiz and other forms.
- Stripe: Handles payment processing. We do not store your full credit card number; Stripe manages payment data under its own privacy policy.
- Threat intelligence sources: When you submit an indicator of compromise for enrichment, that indicator value (e.g., an IP address, domain, hash, or URL) is sent to external threat intelligence APIs to retrieve enrichment data. This is a core part of how the service works. We do not send your personal account information to these sources.
Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests. We will attempt to notify affected users when legally permitted to do so.
Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4. Data Storage and Security
We take the security of your data seriously and employ industry-standard practices to protect it:
- All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Authentication is managed via JSON Web Tokens (JWT) stored in your browser's localStorage. Tokens are scoped to your session and account.
- Session tracking for analytics uses sessionStorage, which is automatically cleared when your browser tab or window closes. No persistent tracking cookies are set by our analytics system.
- Passwords are securely processed on our backend systems and are never stored in plain text.
While no system can guarantee absolute security, we implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, loss, or misuse.
5. Data Retention
We retain your information only as long as necessary to fulfill the purposes described in this policy:
- Account data: Retained for as long as your account remains active. If you delete your account, we will remove your personal data within a reasonable timeframe, except where retention is required by law.
- Analytics session data: Session identifiers are stored in sessionStorage and are automatically cleared when your browser session ends. Server-side analytics records are retained in aggregate form.
- IOC query data: Indicators you submit and the associated enrichment results may be retained to improve our service, refine threat intelligence, and maintain query history for your account.
- Waitlist and contact data: Retained until your request has been fulfilled or you request deletion.
You may request deletion of your data at any time by contacting us at hello@windsorsec.com.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal data.
- Deletion: Request that we delete your personal data, subject to legal retention requirements.
- Opt out of analytics: Because our analytics system relies on JavaScript and sessionStorage, you can prevent analytics collection by disabling JavaScript in your browser or by using browser privacy settings and extensions that block script execution.
California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt Out of Sale: We do not sell your personal information. Because we do not engage in the sale of personal data, there is no need to opt out.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, contact us at hello@windsorsec.com. We will respond to verifiable requests within 45 days.
7. Children's Privacy
Our services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at hello@windsorsec.com.
8. Third-Party Links
Our site may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party site you visit.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. When we make changes, we will revise the "Effective Date" at the top of this page and post the updated policy on our site. We encourage you to review this page periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us:
- Email: hello@windsorsec.com
- Windsor Security LLC, Ohio