Privacy Policy
Effective date: March 25, 2026
Risk72 is operated by Heights Consulting Group ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you visit risk72.com or use the Risk72 platform at app.risk72.com (collectively, the "Services"). By using the Services, you agree to this policy.
1. Information We Collect
Information You Provide Directly
- Account registration: First name, last name, email address, company name, and a username and password when you create an account.
- Billing information: Payment card details and billing address, collected and processed by our payment processor, Stripe. We do not store full payment card numbers on our servers.
- Security questionnaire responses: Information you enter about your organization's IT environment, infrastructure, and security controls as part of the assessment process.
- Contact form submissions: Name, email address, company, phone number, and message content when you contact us through our website.
- Communications: Email correspondence, support requests, and other messages you send to us.
Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and timestamps of requests.
- Usage data: Features accessed, scans initiated, reports generated, and other interactions with the platform.
- Session data: Authentication tokens and session identifiers used to maintain your logged-in state.
- Cookies: We use strictly necessary session cookies to operate the platform. We do not use third-party advertising or tracking cookies.
Information from Third Parties
- Stripe: When you subscribe, Stripe provides us with payment confirmation, subscription status, and limited billing details necessary to manage your account.
- Postmark: We use Postmark to deliver transactional email. Postmark receives the recipient email address and message content necessary to deliver system emails.
2. How We Use Your Information
We use the information we collect to:
- Create, authenticate, and manage your account
- Process payments and manage your subscription
- Run automated security tests against the targets you authorize and deliver your assessment reports
- Send transactional emails including account confirmations, password resets, and report delivery notifications
- Respond to your inquiries and provide customer support
- Monitor and improve the security, performance, and reliability of the platform
- Comply with applicable laws and regulations
- Enforce our Terms of Service and protect the rights, property, and safety of Risk72, our customers, and the public
We do not sell your personal information. We do not use your data for behavioral advertising.
3. Authorized Targets and Scan Data
The Risk72 platform performs security testing exclusively against targets you explicitly authorize through a signed scoping agreement. Scan data — including IP addresses, hostnames, vulnerability findings, and technical artifacts — is collected solely to produce your assessment report. This data is associated with your account and is not shared with other customers or used for any purpose outside of your engagement.
You are responsible for ensuring you have lawful authority to authorize security testing of any target you submit to the platform. Unauthorized use is a violation of our Terms of Service and may be unlawful.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:
- Service providers: We share information with vendors who help us operate the Services, including Stripe (payment processing), Postmark (transactional email), and Amazon Web Services (cloud hosting and database). These providers are contractually bound to use your information only to perform services on our behalf.
- Legal compliance: We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of Risk72, our customers, or the public.
- Business transfers: If Risk72 or Heights Consulting Group is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information becomes subject to a different privacy policy.
- With your consent: We may share information in other circumstances with your explicit consent.
5. Data Retention
We retain your account information and assessment data for as long as your account is active or as needed to provide you with the Services. If you cancel your subscription, we retain your data for 90 days to allow for account reactivation, after which it is deleted or anonymized. We may retain certain records for longer periods as required by law or for legitimate business purposes such as fraud prevention and dispute resolution.
You may request deletion of your account and associated data at any time by contacting us at info@risk72.com.
6. Data Security
We implement industry-standard technical and organizational security measures to protect your information, including:
- TLS encryption for all data in transit
- Encrypted storage of sensitive credentials and session tokens
- Access controls limiting data access to authorized personnel on a need-to-know basis
- Regular security testing of our own infrastructure
No method of transmission or storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@risk72.com.
7. Cookies
We use session cookies that are strictly necessary to operate the platform — specifically to maintain your authenticated session after login. These cookies are deleted when you close your browser or log out. We do not use cookies for advertising, analytics, or any purpose beyond authenticated session management.
You can configure your browser to refuse cookies, but doing so will prevent you from logging in to the platform.
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to certain legal exceptions.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to certain processing of your personal information.
To exercise any of these rights, contact us at info@risk72.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
9. Children's Privacy
The Services are not directed to children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly. If you believe a child has provided us with their information, please contact us at info@risk72.com.
10. Third-Party Links
Our website and platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 14 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
Heights Consulting Group / Risk72
Email: info@risk72.com
Website: risk72.com