Privacy Policy

Effective date: 1 May 2026

Last updated: 28 April 2026

1. Introduction

This Privacy Policy explains how Deltabridge Group Ltd. ("Deltabridge", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our website (deltabridge.io), our platform (app.deltabridge.io), our APIs, and any related services (collectively, the "Services").

Deltabridge Group Ltd. is registered in England and Wales. Our operating subsidiary, Deltabridge (Pty) Ltd., is registered in South Africa. For the purposes of data protection law, Deltabridge Group Ltd. is the data controller.

We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Protection of Personal Information Act 2013 (POPIA) in South Africa, and other applicable data protection laws.

For any questions about this Privacy Policy or your personal data, contact us at privacy@deltabridge.io.

2. Personal Data We Collect

2.1 Account Information

When you register for Deltabridge or request access to the Community tier, we collect your name, email address, organisation name, job title, and country. If you subscribe to a paid tier, we also collect billing information (processed by our payment provider, Stripe — we do not store credit card numbers).

2.2 Usage Data

When you use the Services, we automatically collect data about your interactions, including: pages visited, features used, queries submitted to Athena (our AI agent), schedules created, reports generated, briefs accessed, API calls made, timestamps, IP addresses, browser type and version, device type, and operating system.

2.3 Organisation Data

If you configure an Organisation Profile within Deltabridge, we collect the information you provide, including: industry sector, geographic regions of operation, and technology stack / software inventory. This data is used solely to contextualise intelligence outputs to your environment.

2.4 Threat Intelligence Data

Deltabridge ingests and processes publicly available threat intelligence data from third-party sources (RSS feeds, vulnerability databases, government advisories). This data does not contain personal data about our users. However, threat intelligence may include personal data about third parties (e.g., names of threat actors, researchers credited in advisories). We process this data under our legitimate interest in providing cyber threat intelligence services.

2.5 Cookies and Tracking

We use essential cookies to maintain your session and authentication state. We may use analytics cookies (such as Plausible Analytics or similar privacy-focused tools) to understand usage patterns. We do not use advertising cookies or trackers. You can manage cookie preferences through your browser settings.

3. How We Use Your Data

We use your personal data for the following purposes:

To provide the Services: Account creation, authentication, platform access, AI-powered intelligence generation, report production, and scheduled monitoring.

To process payments: Subscription management and billing through Stripe.

To personalise intelligence outputs: Contextualising briefs, assessments, and Athena responses based on your Organisation Profile.

To improve the Services: Analysing usage patterns to improve platform features, performance, and reliability.

To communicate with you: Service updates, security notices, product announcements, and support responses. You can opt out of non-essential communications at any time.

To ensure security: Detecting and preventing fraud, abuse, and security incidents.

To comply with legal obligations: Responding to lawful requests from authorities and complying with applicable laws.

4. Lawful Basis for Processing

Under UK GDPR, we process your personal data on the following lawful bases:

Contract: Processing necessary to perform our contract with you (providing the Services you subscribed to).

Legitimate interest: Processing necessary for our legitimate business interests (improving the Services, security, analytics), where those interests are not overridden by your rights.

Consent: Where you have given explicit consent (e.g., opting into marketing communications). You may withdraw consent at any time.

Legal obligation: Processing necessary to comply with applicable laws.

5. How We Share Your Data

We do not sell your personal data. We share personal data only in the following circumstances:

Service providers: We use third-party providers to operate the Services, including Supabase (database and authentication), Vercel (frontend hosting), Railway (backend hosting), Anthropic (AI model provider — see Section 8), and Stripe (payment processing). These providers process data on our behalf under data processing agreements.

Legal requirements: We may disclose personal data if required by law, regulation, legal process, or governmental request.

Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer.

We do not share your Organisation Profile, queries, investigation threads, or any platform activity with other customers. Each organisation's data is isolated at the application and database level.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

Account data: Retained for the duration of your account plus 12 months after deletion, to allow for reactivation and to comply with legal obligations.

Usage data: Retained for 24 months for analytics purposes, then anonymised or deleted.

Athena thread content: Retained for the duration of your subscription. Upon account deletion, thread content is permanently deleted within 30 days.

Billing records: Retained for 7 years to comply with UK tax and accounting requirements.

Community tier accounts that have been inactive for 12 months may be deleted after 30 days' notice.

7. Your Rights

Under UK GDPR and POPIA, you have the following rights:

Access: Request a copy of the personal data we hold about you.

Rectification: Request correction of inaccurate or incomplete personal data.

Erasure: Request deletion of your personal data (subject to legal retention requirements).

Restriction: Request restriction of processing in certain circumstances.

Portability: Request a machine-readable copy of your personal data.

Objection: Object to processing based on legitimate interests.

Withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@deltabridge.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or the Information Regulator in South Africa.

8. AI Processing & Anthropic

Deltabridge uses AI models provided by Anthropic (Claude) to power the Athena agent, brief generation, entity extraction, and assessment production. When you interact with Athena or when the platform generates intelligence products, your query content and relevant context (Organisation Profile data, thread history) are sent to Anthropic's API for processing.

Anthropic's data processing terms state that API inputs and outputs are not used to train their models. We have a data processing agreement with Anthropic that governs this processing. For Enterprise tier customers, BYOM (Bring Your Own Model) options are available, allowing you to route AI processing through your own model provider.

We do not send your personal account information (name, email, billing details) to Anthropic. Only the content of your queries and the contextual data necessary to produce intelligence outputs are transmitted.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the UK, including the United States (where Anthropic and some infrastructure providers are based) and South Africa (where Deltabridge's operating subsidiary is based). Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including UK Standard Contractual Clauses or adequacy decisions.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including: encryption in transit (TLS 1.2+) and at rest, row-level security in our database ensuring organisational data isolation, regular security assessments, access controls limiting employee access to personal data on a need-to-know basis, and secure development practices.

While we take reasonable precautions, no method of transmission or storage is 100% secure. If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with applicable law.

11. Children

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Services. The "Last updated" date at the top of this policy indicates when it was most recently revised. Continued use of the Services after changes constitutes acceptance of the updated policy.

13. Contact

Data Controller: Deltabridge Group Ltd.

Email: privacy@deltabridge.io

Website: deltabridge.io