Privacy Policy
Last updated: 18 May 2026
This Privacy Policy explains how ThreatTree ("we", "us", or "our") collects, uses, and protects information about you when you use ThreatTree (the "Service"). By using the Service, you agree to the practices described here.
1. Data We Collect
We collect only the information necessary to provide the Service:
- Account information: your name and email address, provided when you register.
- Diagram content: threat models, Data Flow Diagrams, Attack Trees, and Risk Register entries you create.
- Usage data: page visits, visitor identifiers (stored in localStorage), and referrer information used to understand how the Service is used.
- Technical data: IP address and browser information transmitted with every request, retained in server logs for up to 30 days.
2. How We Use Your Data
We use the information we collect to:
- Provide, operate, and improve the Service.
- Send transactional emails (account creation, password resets).
- Understand aggregate usage patterns to guide product decisions.
- Comply with legal obligations.
We do not sell your personal data or use it for advertising.
3. How We Store and Protect Your Data
Your data is stored on servers within the European Economic Area. We use industry-standard measures to protect your data, including encrypted connections (TLS) and access controls. Diagram content and account data are backed up regularly. Despite these measures, no method of transmission or storage is 100% secure.
4. Third-Party Services
We use the following third-party services to operate the platform:
- Hosting provider: for server infrastructure.
- Email provider: for transactional email delivery (e.g. password resets, notifications).
These providers process data only on our behalf and under our instructions. We do not use any third-party analytics or advertising services. We do operate our own first-party analytics — page visits, pseudonymous visitor identifiers, and referrer information are sent to our own servers to help us understand how the Service is used. This data is not shared with any third party and is not linked to your personal identity (see Section 1 and Section 5).
5. Cookies and Local Storage
The Service does not set tracking cookies. We use your browser's localStorage to store:
- Your authentication token (to keep you logged in).
- A pseudonymous visitor identifier used for aggregate visit counting.
These values remain on your device and are not shared with third parties. You can clear them at any time by clearing your browser's site data.
6. Data Retention and Deletion
We retain your account data and diagram content for as long as your account is active. If you delete your account, we will permanently delete your data within 30 days, except where retention is required by applicable law. Server logs are retained for up to 30 days.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to correct inaccurate data.
- Deletion: ask us to delete your account and associated data.
- Portability: request your diagram content in a machine-readable format.
- Objection: object to certain types of processing.
To exercise any of these rights, contact us at privacy@threattree.com. We will respond within 30 days.
8. International Transfers
If you access the Service from outside the European Economic Area, your data may be transferred to and processed in the EEA. We rely on standard contractual clauses and other appropriate safeguards for any such transfers.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us so we can delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email before material changes take effect and display the updated date at the top of this page.
11. Contact
For privacy-related questions or requests, contact us at privacy@threattree.com.