Privacy Policy
1. Who we are and what this covers
Saint Fox Inc. ("Saint Fox", "we", "us") is an enterprise cybersecurity firm. This policy explains how we handle personal data when you visit stfox.com and its subpages (the "Site"), contact us, request a datasheet, apply for a role, or otherwise interact with us as a prospective or current client, partner, or candidate.
It is written for a global audience. Section 10 sets out the rights you hold under the regime that applies to you, including the EU and UK GDPR, US state privacy laws, Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, Singapore's PDPA, India's DPDPA, and Japan's APPI. Where local law gives you more protection than this policy describes, local law wins.
2. Our roles: controller and processor
Privacy law distinguishes the party that decides why and how data is processed (the controller) from a party that processes it on another's instructions (the processor). We act in both capacities, and the distinction determines which obligations are ours directly:
- For the Site, marketing, recruitment, and our own business operations, Saint Fox is the controller (the "business" under the CCPA, the "Data Fiduciary" under the DPDPA, the "organisation" under the PDPA and the Privacy Act). This policy applies in full.
- For client engagements, such as managed detection and response, identity governance, or AI Governance work, we process security telemetry and related data on the client's documented instructions as a processor or service provider. That processing is governed by the engagement contract and data processing agreement, not by this policy. Individuals whose data reaches us through a client should direct requests to that client; we will assist the client in responding, as our contracts require.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Identity and contact | Name, work email, company, role | You, through the contact form, datasheet requests, or correspondence |
| Inquiry content | What you tell us about your needs, including free-text messages | You |
| Usage data | Pages viewed, scroll depth, time on page, referrer, device type, timezone, pseudonymous visitor and session identifiers | Collected automatically, only after analytics opt-in (see the Cookie Notice) |
| Technical data | IP address as part of ordinary web server operation; truncated and hashed before any analytical storage | Collected automatically |
| Candidate data | CV, work history, links you share, interview notes | You, recruiters, referees, public professional profiles |
| Business contact data | Names and work contact details of client and partner personnel | You, your employer, business exchanges |
We do not collect special category or sensitive data through the Site, and we ask you not to submit any. We do not buy contact lists. We collect no precise geolocation. We do not knowingly collect data from children (section 12).
4. Purposes and legal bases
Where the GDPR or a similar law requires a legal basis, we rely on the following:
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Responding to inquiries and datasheet requests | Identity, contact, inquiry content | Art. 6(1)(b) steps prior to a contract; Art. 6(1)(f) legitimate interest in responding to business contacts |
| Operating and securing the Site | Technical data, essential storage | Art. 6(1)(f) legitimate interest in running a secure, functioning site |
| Measuring and improving the Site | Usage data | Art. 6(1)(a) consent, given through the cookie banner and revocable at any time |
| Marketing communication | Identity, contact | Art. 6(1)(a) consent, or Art. 6(1)(f) for existing business relationships where local law permits, always with an opt-out |
| Recruitment | Candidate data | Art. 6(1)(b) steps prior to a contract; Art. 6(1)(f); consent where required locally |
| Legal compliance and defense | Any category, as required | Art. 6(1)(c) legal obligation; Art. 6(1)(f) |
Where we rely on legitimate interest, we have balanced that interest against your rights and concluded the processing is proportionate; you may object at any time under section 10. Where we rely on consent, refusing or withdrawing it never affects your access to the Site or our services.
5. Cookies and analytics
The Site's measurement is first party, off by default, and runs only after you opt in. Visitors who decline are counted only in anonymous aggregate. The complete inventory of every cookie and storage key, with durations and purposes, lives in the Cookie Notice, together with how we honor Global Privacy Control signals.
6. How we share data
We do not sell personal data, and we do not share it for cross-context behavioral advertising. We disclose personal data only to:
- Service providers (processors) who host the Site, deliver form submissions to our mailbox, provide email and productivity infrastructure, or support recruitment, each bound by contract to process data only on our instructions, with confidentiality and security obligations.
- Professional advisers such as lawyers, accountants, and insurers, under professional duties of confidence, where reasonably necessary.
- Authorities and courts where disclosure is required by law, or where necessary to establish, exercise, or defend legal claims, or to protect the safety of any person.
- A successor entity in a merger, acquisition, or asset sale, in which case this policy continues to apply to data transferred and we will notify affected individuals where the law requires.
Under the CCPA, the disclosures above are to "service providers" and for "business purposes" only. We have not sold or shared personal information in the preceding 12 months.
7. International transfers
We operate internationally, and personal data may be processed outside the country where it was collected, including in the United States. Where data leaves a jurisdiction that restricts transfers, we use the safeguards that jurisdiction recognizes:
- From the EEA: European Commission adequacy decisions where available, otherwise the Standard Contractual Clauses (2021), with transfer impact assessments and supplementary measures where needed.
- From the UK: the UK International Data Transfer Agreement or the UK Addendum to the SCCs.
- From Singapore, India, Australia, Japan, Brazil, and elsewhere: contractual protections meeting the comparable-protection standards of the PDPA, DPDPA, APPs, APPI, and LGPD respectively, including onward transfer restrictions.
We have not certified to the EU-US Data Privacy Framework as of the date above; if that changes, this section will be updated before we rely on it. A copy of the relevant safeguard for a specific transfer is available on request.
8. Retention
| Data | Retention |
|---|---|
| Inquiries and datasheet requests | While we correspond with you, then up to 24 months after last contact, then deleted or anonymized |
| Site usage data (on your device) | Capped rolling logs; durations per item in the Cookie Notice; removed entirely when you clear browser data |
| Consent records | Up to 180 days on device; decision logs as evidence of compliance for as long as required |
| Candidate data | Through the process, then up to 12 months with your consent to be considered for future roles, then deleted |
| Contract and billing records | As required by tax, corporate, and accounting law, typically 7 to 10 years |
When retention ends, we delete or irreversibly anonymize the data. Backup copies are purged on the backup rotation cycle.
9. Security
Security is our trade, and we hold ourselves to the standard we set for clients. Measures include encryption in transit for all Site traffic, least-privilege and need-to-know access controls, multi-factor authentication on administrative systems, logging and monitoring, vendor security review before onboarding, and documented incident response. No transmission or storage is perfectly secure; section 14 describes what we do if something goes wrong despite these measures.
10. Your rights worldwide
You hold rights over your personal data. The strongest set that applies to you governs; we honor requests under whichever regime fits your circumstances, verified as described at the end of this section.
10.1 European Economic Area and United Kingdom (GDPR, UK GDPR)
You may request access, rectification, erasure, restriction of processing, and portability; object to processing based on legitimate interest, including any direct marketing, which we stop without exception; and withdraw consent at any time without affecting prior processing. You may complain to your supervisory authority, such as your national data protection authority in the EEA or the ICO in the UK. We respond within one month, extendable by two further months for complex requests with notice.
10.2 United States (CCPA/CPRA and other state laws)
Residents of California and of states with comparable laws (including Virginia, Colorado, Connecticut, Texas, and Oregon) may request: to know the categories and specific pieces of personal information we hold, the categories of sources, purposes, and recipients; deletion; correction; and portability. You may opt out of sale, sharing, and targeted advertising; we do not engage in any of these, and we honor Global Privacy Control as a binding opt-out signal regardless. We do not use or disclose sensitive personal information for any purpose beyond those the CPRA permits without offering a right to limit. We will not discriminate against you for exercising any right. You may appeal a refusal by replying to our decision, and we will respond as state law requires; Virginia and similar states also let you escalate to the state Attorney General. Authorized agents may submit requests with proof of authorization.
CCPA category disclosure: in the preceding 12 months we collected the categories listed in section 3 (identifiers, professional information, internet activity), from the sources listed there, for the purposes in section 4, disclosed only as described in section 6, and sold or shared none.
10.3 Canada (PIPEDA, Quebec Law 25)
You may request access to and correction of your personal information, withdraw consent subject to legal and contractual restrictions, and ask how your information has been used and disclosed. Quebec residents additionally hold rights to data portability and to be informed of automated decision making (which we do not use, section 13). Complaints may go to the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec.
10.4 Brazil (LGPD)
You may request confirmation of processing, access, correction, anonymization, blocking or deletion of unnecessary or excessive data, portability, information about sharing, and review of consent. Requests are honored within the LGPD's timelines, and you may complain to the ANPD.
10.5 Australia (Privacy Act 1988, APPs)
You may request access to and correction of your personal information under APP 12 and APP 13. We will respond within a reasonable period, normally 30 days. If you believe we have breached the APPs, complain to us first using the contact in section 17; if unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC). We do not use personal information for direct marketing without a simple opt-out, consistent with APP 7, and the Spam Act's consent and unsubscribe rules apply to our commercial email.
10.6 Singapore (PDPA)
You may request access to your personal data and information about how it has been used or disclosed within the past year, and request correction. We respond within 30 days or tell you when to expect an answer. You may withdraw consent on reasonable notice, and we will explain the consequences before acting. Our commercial messages respect the Do Not Call provisions. Unresolved concerns may go to the Personal Data Protection Commission (PDPC). Our Data Protection Officer is reachable at contact@stfox.com, marked "DPO".
10.7 India (DPDPA 2023)
As a Data Principal you may request a summary of your personal data and the processing activities, correction, completion, updating, and erasure; nominate another individual to exercise your rights if you are incapacitated or deceased; and have a readily available grievance mechanism. Our Grievance Officer is reachable at contact@stfox.com, marked "Grievance Officer", and responds within the timelines prescribed under the Act. If unsatisfied, you may approach the Data Protection Board of India. Consent requests are presented in clear, plain language, and withdrawal is as easy as the grant.
10.8 Japan (APPI)
You may request disclosure of retained personal data, correction, addition or deletion, and cessation of use or third party provision where handling violates the APPI. We disclose our purpose of use in this policy and obtain consent before providing personal data to third parties abroad, with information about the destination country's protections.
10.9 Other jurisdictions
Visitors from jurisdictions not listed, including elsewhere in Asia, the Middle East, Africa, and Latin America, may use the same contact route. We apply the GDPR-grade process by default: verification, response within one month, and no charge for a first request.
How to exercise any right
Email contact@stfox.com with the subject "Privacy request", tell us which right you are exercising and your jurisdiction, and write from the address your request concerns or provide equivalent verification. We verify identity proportionately: enough to protect your data from impostors, never more than needed. Requests are free except where the law allows a fee for manifestly excessive repetition, and we will explain any refusal with the legal reason and your escalation options.
11. Health information and HIPAA
Saint Fox is not a healthcare provider, health plan, or healthcare clearinghouse, and the Site collects no health information. Where a client engagement involves systems containing protected health information (PHI) under the US Health Insurance Portability and Accountability Act, Saint Fox acts as a business associate: we execute a Business Associate Agreement before any PHI exposure, apply the HIPAA Security Rule's administrative, physical, and technical safeguards, use and disclose PHI only as the BAA permits, report security incidents and breaches of unsecured PHI to the covered entity without unreasonable delay, and return or destroy PHI at engagement end where feasible. Individuals' HIPAA rights, such as access and accounting of disclosures, run against the covered entity; we support those obligations as the BAA requires.
12. Children
The Site addresses businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18, and we do not serve advertising to anyone. If you believe a child has provided us personal data, contact us and we will delete it. We do not process children's data as contemplated by COPPA in the US, Article 8 GDPR in the EU, or section 9 of India's DPDPA, and we undertake no tracking or targeted advertising directed at children under any regime.
13. Automated decision making and profiling
We make no decisions about you by automated means that produce legal or similarly significant effects, and we do not profile Site visitors. Site analytics are aggregate measurements of pages, not assessments of people. If this ever changes, we will update this policy first and provide the safeguards the GDPR and comparable laws require, including human review.
14. Data breach notification
We maintain a documented incident response process. If a breach of personal data occurs, we will assess risk immediately, contain it, and notify the competent authority and affected individuals where and when the applicable law requires: without undue delay and within 72 hours of awareness to the relevant supervisory authority under the GDPR; per the eligible data breach scheme to the OAIC in Australia; to the PDPC in Singapore for breaches of significant scale or harm; to the Data Protection Board of India and affected Data Principals under the DPDPA; and per state breach notification statutes in the US. Notifications will say what happened, what data was involved, what we have done, and what you can do.
15. Job applicants
If you apply for a role, we process your candidate data to assess your application, communicate with you, and meet legal obligations. We may contact referees you name and view professional profiles you link. Interview notes are kept factual. Unsuccessful applications are retained up to 12 months only with your consent, then deleted. Background checks, where used, are performed lawfully in the relevant jurisdiction with your prior knowledge.
16. Changes to this policy
We update this policy when our practices change, and the version line at the top moves before the change takes effect. Material changes are flagged on the Site, and where a change would rely on consent you have not given, we ask rather than assume. Earlier versions are available on request.
17. Contact and complaints
Controller: Saint Fox Inc. Contact for all privacy matters, including the Data Protection Officer (Singapore PDPA), the Grievance Officer (India DPDPA), and EU/UK representative inquiries: contact@stfox.com. Postal and registered entity details for each operating jurisdiction are provided in engagement documents and on request, pending counsel confirmation noted at the top of this policy.
If you are unsatisfied with our answer, you may complain to your local authority: your EEA supervisory authority or the UK ICO, a US state Attorney General, the OPC in Canada, the ANPD in Brazil, the OAIC in Australia, the PDPC in Singapore, the Data Protection Board of India, or the PPC in Japan. We would appreciate the chance to resolve the matter first.