Nucleus Privacy Policy

Last modified December 20, 2023

I. Applicability of This Privacy Policy

This Privacy Policy (“Policy”) covers the personal information we collect about you when you use Nucleus online and mobile vulnerability management tools and platforms (referred to herein as the “Services”) or otherwise interact with us. This Policy also explains your choices surrounding how we use personal information about you, including how you may object to certain uses of personal information about you and how to access and update personal information about you.

This Policy does not apply to any third-party applications or software that integrate with any Services through the Nucleus platform, or any other third-party products, services or businesses who will provide their services under their own terms of service and privacy policy.

If you do not agree with this Policy, please do not access or use the Services or websites maintained by Nucleus.

II. Personal Information We Collect

We collect personal information about you when you input it into the Services or otherwise provide it directly to us. Types of personal information we collect include the following:

  1. Account and Profile Information: We collect personal information about you when you register for an account, create or modify your profile, set preferences, or sign up for or make purchases through the Services. For example, you provide your contact information and, in some cases, billing information, when you register for the Services. We keep track of your preferences within the Services.
  2. Payment Information: We collect payment and billing information when you register for paid Services. For example, we ask you to designate a billing representative, including name and contact information, upon registration. You might also provide payment information, such as payment card details, which we collect via secure payment processing services.
  3. Personal information we Collect Automatically when you Use the Service: We collect personal information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
  4. Your Use of the Services: We keep track of certain personal information about you when you visit and interact with any of our Services. This personal information includes the features you use; the links you click on; and how you interact with others on the Services. We use this personal information to provide features of our Service and to improve and customize our Service.
  5. Device and Connection Information: We collect personal information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We also collect personal information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. How much of this personal information we collect depends on the type and settings of the device you use to access the Services.

III. How We Collect Information

  1. Cookies and Other Tracking Technologies: Nucleus uses cookies and other tracking technologies (for example, web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information, please see our Cookie Notice which includes information on how to control or opt out of these cookies and tracking technologies. We use cookies for the purposes set forth below:
    Type of Cookie / Business Purpose
    Essential Cookies
    • Provide you with Services available through our website and enable you to use various features.
    • Help to authenticate users and prevent fraudulent use of user accounts.
    • Without these cookies, your Services cannot be provided.
    Notice Acceptance Cookies
    • Identify if users have accepted the use of cookies on our website.
    Functionality Cookies
    • Allow us to remember choices you make when you use our website, such as remembering your login details or language preference.
    • Provide you with a more personal experience and enable you to avoid re-entering your preferences every time you use our website.
    Analytics and Performance Cookies
    • Administered by third parties to track information about traffic to the website and how users use the website.
    • Data gathered may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access our website.
    • Allow for testing new advertisements, pages, features or new functionality of our website to gauge user reaction.
  2. “Do Not Track” Signals: Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked.  Like many websites, we do not currently respond to “do not track” browser headers except where legally required. But with most web browsers, you can take steps to limit tracking by erasing cookies from your device and by setting your browser to block all cookies or warn you before a cookie is stored.

IV. How We Process Collected Personal Information and the Legal Basis

  1. To Provide the Services and Personalize your Experience: We use information about you to provide the Services to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate, maintain, and improve the Services.  Our Services also include tailored features that personalize your experience, enhance your productivity, and provide notifications that are most relevant for you and your team.  To opt out of this personalization, please contact info@nucleussec.com.
  2. For Research and Development:  We always look for ways to make our Services more secure, integrated, and useful.  We use information and collective learnings (including feedback) about how people use our Services to troubleshoot, to identify trends, usage, activity patterns, and areas for integration and to improve our Services and to develop new products, features and technologies that benefit our users and the public.
  3. To Communicate with you about the Services: We use your contact information to send transactional communications via email and within the Services, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending technical notices, updates, security alerts, and administrative messages.
  4. To Market the Services: We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email. We also communicate with you about new Services, product offers, promotions, and contests.  To opt out of these communications, please contact info@nucleussec.com.
  5. For Security: We use information about you and your Service use to verify accounts and activity, to detect, prevent, and respond to potential or actual security incidents and to monitor and protect against other malicious, deceptive, fraudulent or illegal activity, including violations of Nucleus policies.
  6. To Comply with the Law: Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
  7. With your Consent: We use information about you where you have given us consent to do so for a specific purpose not listed above.

V. How We Share and Disclose Information

We may share personal information as provided below.

  1. Affiliates: We may share personal information with affiliates provided they honor this Policy. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control.
  2. Third-party service providers: We may share personal information to the extent we are legally obliged to share or have a legitimate interest in sharing your personal information in connection with a corporate transaction, such as a sale, consolidation or merger of Nucleus businesses.
  3. Other third parties: We may share personal information in order to comply with legal requirements such as the demands of applicable subpoenas and court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or to protect the rights, property or security of our customers or third parties.
  4. Other users: While using the Services, if you share personal information or otherwise interact in the public areas with other users, such personal information may be viewed by all users and may be publicly distributed outside. If you interact with other users or register through a third-party social media platform, your contacts on the third-party social media platform may see your name, profile, pictures and description of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you and view your profile.
  5. Aggregated or anonymous data: We may share aggregated or anonymous data with third parties to help deliver products, services, and content that are better tailored to the users of our online services and for other purposes.

We do not sell personal information as the term “sell” is commonly understood. Under certain Data Protection Laws, a “sale” is defined to include disclosures of personal information to a third party for monetary or valuable consideration. When you use Nucleus websites, Nucleus authorized partners, such as advertising networks, data analytics providers, social networks and advertising partners, may collect cookies and similar technology and use this data (such as your Internet or other similar network activity) for their own purposes, such as improving their own services. This activity may qualify as a “sale” under applicable Data Protection Laws. You can make choices to allow or prevent such uses (see our Cookie Policy).

VI. How Long we Retain Personal Information

We will retain your personal information, including usage data, only for as long as is necessary for the purposes set out in this Policy. This includes retention of personal information only to the extent and for the time necessary to comply with our legal obligations and to pursue legitimate business interests (for example, to comply with applicable laws, resolve disputes, and enforce our legal agreements and policies).

VII. How we Secure Personal Information

We have implemented reasonable administrative, technical, and engineering controls to help protect against unauthorized access to or unauthorized alteration, disclosure, or destruction of information. However, given the nature of communications and information processing technology, no method of transmission over the Internet or method of electronic storage is 100% secure from intrusion by others.

We make reasonable efforts to restrict access to personal information to employees, contractors, and agents who need to know that personal information in order to operate, develop, or improve our Services. We subject our employees and our third-party contractors and agents to contractual controls to ensure that they apply suitable protections to any personal information they access or receive from us and are further bound to reasonable efforts to maintain confidentiality.

The security of your information also depends on you: you are responsible for using unique, strong usernames and passwords for each of your accounts, and for keeping those usernames and passwords confidential. We are not responsible for the circumvention of any privacy settings or cybersecurity measures contained on our Services, and any transmission of personal information is at your own risk.

VIII. Third Party Links

Our website may contain links to other websites provided by third parties not under our control. When following a link and providing personal information to a third-party website, please be aware that we are not responsible for personal information you provide to that third party. These linked websites or offerings have separate and independent privacy policies, which we recommend you read carefully.

IX. Children’s Online Privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personal information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us at info@nucleussec.com. If we become aware that we have collected personal information from anyone under the age of 13 without verification of parental consent, we take steps to remove that personal information from our servers.

If we need to rely on consent as a legal basis for processing your personal information and your country requires consent from a parent, we may require your parent’s consent before we collect and use that information.

X. International Data Transfers

Nucleus is global in nature with business processes, management structures and technical systems that cross borders. As such, we may share personal information with Nucleus vendors in other countries. Any international data transfers will be in accordance with this Privacy Statement and in compliance with applicable laws.

If we are established in the EU/EEA or are otherwise subject to the GDPR or similar laws, we only transfer your personal information to countries that are considered by those laws to provide an adequate level of protection or otherwise where we have established or confirmed that all data recipients will provide an adequate level of data protection, in particular by way of entering into appropriate data transfer agreements based on Standard Contractual Clauses (e.g., Commission Implementing Decision (EU) 2021/914) and other suitable measures, which are accessible from us upon request. Your personal information is processed at our operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to, and maintained on, computers located in other countries where the data protection laws may differ from the United States.

Nucleus uses Standard Contractual Clauses approved by the European Commission (and the equivalent standard contractual clauses for the UK where appropriate) for transfers to, among others, Australia, Canada, India, Japan, South Korea, and the United States.

XI. Disclosures to Residents of California: Notice of California Privacy Rights

The California Privacy Rights Act (“CPRA”) grants residents of California certain rights with respect to their personal information and requires us to provide such individuals with certain information, as described in this section.

  • Right to Transparency. At the time we collect personal information, you have the right to receive notice of the categories of personal information we collect, and the purposes for which those categories of personal information will be used.
  • Right to Access/Right to Know. You have the right to request access to personal information we collected about you and information regarding the source of that personal information, the purposes for which we collect it, and the third parties including service providers with whom we share it.
  • Right to Deletion. You have the right to request that we erase data we have collected from you. Please note that we may have a reason to deny your deletion request or delete data in a more limited way than you anticipated, e.g., because of a legal obligation to retain it or to provide a good or service that you request.
  • Right to Request Correction of inaccurate personal information.
  • Right to Opt-Out of Sale and Share. You have the right to request that we stop “selling” your personal information as that term is defined in the California Privacy Rights Act. A “sale” of personal information is defined broadly: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” “Sharing” of personal information is defined as: “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
  • Categories of personal information we collect: We collect the categories of information described in the table below.
    CATEGORY OF PERSONAL INFORMATION (AS SPECIFIED IN THE CPRA) / PERSONAL INFORMATION COLLECTED
    Identifiers
    • Data such as your name, postal address, unique personal identifier, online identifier, IP address, email address, account name and other similar identifiers.
    Categories of Personal Information Described in Cal. Civ. Code § 1798.80(e) (the California Customer Records Statute)
    • Data such as your name, signature, address, phone number, bank account number, credit card number, debit card number, or any other financial information.
    Characteristics of Protected Classifications
    • Data such as demographic information.
    Commercial Information
    • Data such as records of products or services purchased, obtained, or considered and other purchasing or consuming histories or tendencies.
    Internet or Other Electronic Network Activity Information
    • Data such as your browsing history, search history and information regarding your interaction with websites, applications or advertisements.
    Geolocation Data
    • Data such as the location of your device (e.g., based on a browser or device’s IP address or Bluetooth technology, if your device settings allow for this).
    Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information
    • Data such as your image and video footage captured by call and video recordings.
    Professional or Employment-Related Information
    • Data such as your employer or educational institution name and your title or role (as that information relates to your use of our products and services).
  • Categories of personal information we disclose: We may disclose any of the categories of information listed above and use them for the purposes listed below.
    BUSINESS PURPOSES (AS SPECIFIED IN THE CCPA) / CATEGORIES OF PERSONAL INFORMATION
    Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions and verifying customer information, processing payments, providing advertising or marketing services, providing analytics services or providing similar services.
    • Identifiers
    • Categories of Personal Information Described in Cal. Civ. Code § 1798.80(e)
    • Characteristics of Protected Classifications
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    • Geolocation Data
    • Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information
    • Professional or Employment-Related Information
    Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance.
    • Identifiers
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    Short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
    • Identifiers
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    • Geolocation Data
    Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for that activity.
    • Identifiers
    • Categories of Personal Information Described in Cal. Civ. Code § 1798.80(e)
    • Characteristics of Protected Classifications
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    • Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information
    • Professional or Employment-Related Information
    Debugging to identify and repair errors that impair existing intended functionality.
    • Identifiers
    • Commercial Information
    Undertaking internal research for technological development and demonstration.
    • Identifiers
    • Characteristics of Protected Classifications
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
    • Identifiers
    • Categories of Personal Information Described in Cal. Civ. Code § 1798.80(e)
    • Characteristics of Protected Classifications
    • Commercial Information
    • Internet or Other Electronic Network Activity Information
    • Geolocation Data
    • Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information
    • Professional or Employment-Related Information
  • Categories of personal information we “sell”: We may “sell” any of the categories of personal information listed above to third parties, except for professional or employment-related information.

To submit a request to exercise your privacy rights, please email us at info@nucleussec.com with the subject line “CPRA Request.”

XII. Disclosures to Residents of Colorado, Connecticut, Virginia, and Utah

The disclosures in this section apply solely to individual residents of the States of Colorado, Connecticut, Virginia, and Utah. Privacy laws in these states give residents certain rights with respect to their personal data, when they take effect over the course of 2023. These rights include:

  • Right to Access Information. You have the right to access and obtain a copy of your personal information.
  • Right to Request Deletion. You have the right to request that we delete personal information provided by or obtained about you.
  • Right to Correct. You have the right to correct inaccuracies in your personal information.
  • Right to Opt-Out of Targeted Advertising. You may ask us not to use or disclose your personal information for the purposes of targeting advertising to you.
  • Right to Opt-Out of Information Sales.  You may ask us not to sell your personal information to third parties.

To submit a request to exercise your privacy rights, please email us at info@nucleussec.com with the subject line “Privacy Rights Request” and let us know in which state you live.

XIII. Verification

Before responding to a request for personal information, we must verify the request. Verification is important to protect your personal information and to help confirm that we are responding to a valid request and providing the response to the correct individual. To verify the request, we initially ask for at least two (2) or three (3) identifiers, such as name, email address and location. If we have a need to request additional identifiers to reasonably verify your identity, we will contact you and request additional verification. The personal information we ask to verify your identity may depend on your relationship with us.

When you exercise your privacy rights under the applicable Data Protection Laws, you can designate an authorized agent or representative to make a request on your behalf by providing the authorized agent with written permission to do so and verifying your identity with us as part of the request, or by providing the authorized agent with Power of Attorney pursuant to applicable law (e.g., the California Probate Code). We will ask the individual submitting the request to denote that they are an authorized agent or representative. When a request is submitted by an authorized agent or representative, we ask the authorized agent or representative to provide name, email address and a description of the relationship with the individual who is the subject of the request and to certify that the representative has permission to submit the request, and we may request proof of the consumer’s written permission.

XIV. GDPR Notice

Nucleus, acting as a data controller, collects and processes personal information that you submit or disclose to us. We process this personal information in accordance with the applicable EU and Member State regulations on data protection, in particular the General Data Protection Regulation No 2016/679 (the “GDPR”). In fulfillment of GDPR requirements, we undertake the following actions:

  • We will always process your personal information based on one of the legal bases provided for in the GDPR. We may collect and process your personal information for the purposes detailed in Section IV of this Policy.
  • We may share your personal information in accordance with Section V of this Policy. Where we share your personal information with a data processor, we will put the appropriate legal framework in place in order to cover such transfer and processing. Furthermore, where we share your personal information with any entity outside the EEA, we will put appropriate legal frameworks in place, notably controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EU) Standard Contract Clauses approved by the European Commission, in order to cover such transfer.
  • We handle records of all processing of personal information in accordance with the obligations established by the GDPR both where we might act as a controller or as a processor. In these records, we reflect all the information necessary in order to comply with the GDPR and cooperate with the supervisory authorities as required.
  • In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess it promptly. Depending on the outcome of our assessment, we will make the requisite notifications to the supervisory authorities and communications to the affected data subjects, which might include you.
  • You have the following rights regarding personal information collected and processed by us:
    • Information regarding your personal information processing: You have the right to obtain from us all the requisite information regarding our data processing activities that concern you.
    • Access to personal information: You have the right to obtain from us confirmation as to whether or not personal information concerning you is being processed, and, where that is the case, access to the personal information and certain related information.
    • Rectification or erasure of personal information: You have the right to obtain from us the rectification of inaccurate personal information concerning you without undue delay, and to complete any incomplete personal information. You may also have the right to obtain from us the erasure of personal information concerning you without undue delay, when certain legal conditions apply.
    • Restriction on processing of personal information: You may have the right to obtain from us the restriction of processing of personal information, when certain legal conditions apply.
    • Object to processing of personal information: You may have the right to object, on grounds relating to your particular situation, at any time to processing of personal information concerning you, when certain legal conditions apply.
    • Data portability of personal information: You may have the right to receive your personal information in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without our hindrance, when certain conditions apply.
    • Not to be subject to automated decision-making: You may have the right not to be subject to automated decision-making (including profiling) based on the processing of your personal information, insofar as this produces legal or similar effects on you, when certain conditions apply.
    • If you intend to exercise such rights, please contact us at info@nucleussec.com.
  • You are entitled to withdraw your consent to processing at any time. If you withdraw your consent, we may not be able to provide you with access to certain functionalities of the Service.

XV. Changes To This Privacy Policy

This Policy is current as of the date set forth above. Changes to this Policy will be posted on this site. We reserve the right to update or modify this Policy at any time and without prior notice.

If you have any questions about this Policy, please contact us: