Empirical Security Privacy Policy

Privacy Policy

Revised January 13, 2025

This Privacy Policy describes how Empirical Security, Inc. (“Empirical,” “we” or “us”) collects, uses and discloses personal information received from users of our vulnerability intelligence and analysis service and from visitors to this website (“Website”) collected via this Website, email, SMS, telephone, WAP or other means.

By using or accessing the Website, submitting information to us or using any of our products or services, you are accepting the practices described in this Privacy Policy, and you are consenting to our processing of your personal information as set forth in this Privacy Policy.

Web Services Users and Website Visitors

Like most Web services operators, Empirical collects non-personal information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Empirical’s purpose in collecting such information is to better understand how Empirical’s users and visitors use its Website and services. From time to time, Empirical may release such information in the aggregate, e.g., by publishing a report on trends in the usage of its Website and services.

Empirical also collects Internet Protocol (IP) addresses. Empirical does not use such information to identify its visitors and does not disclose such information other than under the circumstances described below.

Collection and Use of Personal Information

Certain visitors to the Website and users of Empirical’s services choose to interact with Empirical in ways that require or allow Empirical to gather personal information. The amount and type of personal information that Empirical gathers depends on the nature of the interaction. For example, we ask users of Empirical applications to provide a username and email address. In each case, Empirical collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Empirical. Empirical does not disclose personal information other than as described below. Visitors and users can always decline to provide their personal information, with the caveat that it may prevent them from engaging in certain activities.

If you are a registered user of an Empirical service and have supplied your email address, Empirical may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what’s going on with Empirical and our products. If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users.

Aggregated Statistics

Empirical may collect statistics about the behavior of visitors to its Website and users of its services. For instance, Empirical may collect and disclose aggregate data on how much vulnerability data an average customer collects, or what the most common vulnerability scores are across all customers. However, Empirical does not disclose personal information other than as described below.

Disclosure of Personal Information

Empirical will disclose the personal information that we collect or you provide to Empirical only in the following circumstances:

To service providers that Empirical uses to support its business and that are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which Empirical discloses it to them. Further information regarding such third parties is provided below.

To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Empirical’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Empirical is among the assets transferred.

To comply with any valid court order, law, or legal process, including to respond to any government or regulatory request.

If Empirical believes disclosure is necessary or appropriate to protect the rights, property, or safety of Empirical, Empirical’s customers, or others.

As noted above, Empirical may share personal information with certain service providers. Empirical is currently using the following service providers that have agreed to use personal information (to the extent disclosed) only for the purpose of providing services to Empirical.

Empirical will not rent or sell your personal information to anyone.

Security of Personal Information

Empirical has implemented technical and organizational measures, appropriate to the risk, to protect your personal information against accidental or unlawful destruction, loss or alteration and unauthorized disclosure or access. However, due to the inherent open nature of the Internet, we cannot ensure or warrant the security of any information provided online.

Retention of Personal Information

Empirical retains your personal information for as long as reasonably necessary for the purposes set out in this Privacy Policy. We also may retain your personal information for a longer period of time on the basis of our legitimate interests in providing or marketing our services to you or as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Even if we delete some or all of your personal information, we may continue to retain and use information that has been aggregated or anonymized so that it can no longer be used for personal identification.

Cookies

A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. As you browse the Website, cookies will be placed on your computer so that we understand user interests. Empirical uses cookies to help identify and track visitors, their usage of Empirical services, and their preferences. We do not employ such technologies to collect personal information such as name, email address, postal address or telephone number. Empirical visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using Empirical’s services, with the drawback that certain features of Empirical’s services may not function properly without the aid of cookies.

Do Not Track

Empirical does not track its customers over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. However, some third party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you.

Links to Other Websites

This Privacy Policy applies only to this Website and the Empirical services and not to any third-party websites. Empirical is not responsible for the privacy or security practices or the content of such websites.

Opt-Out Policy

If, at any time after providing your personal information to us, you change your mind about receiving information from us or about the use of information volunteered by you, you may opt out by sending us a request specifying your new choice. Please contact us at info@empiricalsecurity.com.

California Residents

California law grants additional privacy rights to California residents. In particular, the California Consumer Privacy Act (CCPA) requires businesses to disclose, for the past 12 months, (i) the categories of personal information collected, (ii) the sources of the collected personal information, (iii) the purposes for which the collected personal information is used, (iv) the categories of personal information disclosed for a business purpose, and (v) the categories of any personal information sold. Empirical provides these disclosures in the following table. Empirical has not sold personal information in the past 12 months.

| Category | Sources of Collection | Purposes of Collection | Disclosures for a Business Purpose |
| --- | --- | --- | --- |
| Identifiers | Website visits and registration for an Empirical service | To allow use of Empirical’s services and to enable Empirical to communicate with you | To Empirical service providers for the purpose of providing Empirical’s services to you |
| Personal information categories listed in the California Customer Records statute | Registration for an Empirical service | To allow use of and payment for Empirical’s services | To Empirical service providers to facilitate payment transactions |
| Internet or other similar network activity | Your browsing and search history on the Empirical Website | To improve the visitor experience on the Empirical Website, diagnose server problems and administer the Empirical Website | To marketing specialist companies for the purpose of enhancing the Empirical Website and improving the effectiveness of our advertising |

California residents also have the rights described below. We will not discriminate against any California resident who exercises these rights.

Right to access/know. You may request from us a list of (i) the personal information that we have collected about you, and (ii) the categories of third parties to whom we have disclosed your personal information. You have the right to up to two (2) access requests each twelve (12) months.

Right to delete your personal information. You may request, at any time, that we delete your personal information.

Residents of the State of California may exercise their data protection rights under the California Consumer Privacy Act (CCPA) by contacting us at:

Address:

215 N Damen Ave

Chicago, Illinois 60612

Telephone: 312-380-5083

Email: info@empiricalsecurity.com


To ensure the privacy and protection of individuals, we are required to verify your identity or otherwise authenticate your request(s). Please note that, under the CCPA, we are not required to grant a request to access/know or a request to delete with respect to personal information obtained from you in your role as an employee, owner, director, officer or contractor of a company and within the context of Empirical providing its services to such company.

EU and Swiss Privacy Shield

Empirical complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Empirical has certified to the Department of Commerce that we adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Empirical’s certification page, please visit .

Types of EU and Swiss Personal Data Collected. Our participation in the Privacy Shield applies to all personal information that is subject to this Privacy Policy and is received from the European Union and European Economic Area (“EU Personal Data”) and Switzerland (“Swiss Personal Data”). We will comply with the Privacy Shield Principles with respect to all EU and Swiss Personal Data.

Purposes of EU and Swiss Personal Data Collection and Use. We will only process EU and Swiss Personal Data in ways that are compatible with the purpose for which we collected the EU and Swiss Personal Data, or for purposes that the individual or entity providing the EU and Swiss Personal Data later authorizes. Before we use your EU and Swiss Personal Data for a purpose that is materially different than the purpose for which it was collected or that you later authorized, we will provide you with the opportunity to opt out. We maintain reasonable procedures to help ensure that EU and Swiss Personal Data is reliable for its intended use, accurate, complete, and current.

Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your EU and Swiss Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Access Rights. You may have the right to access the EU and Swiss Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU and Swiss Personal Data, you can submit a written request to us at info@empiricalsecurity.com. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information. We will provide an individual with an opt-out choice before we share an individual’s personal data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To limit the use and disclosure of your personal information, you may submit a written request to info@empiricalsecurity.com.

Data Transfers to Third Parties. Our accountability for EU and Swiss Personal Data that we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles. In particular, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process EU and Swiss Personal Data on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Questions or Complaints. In compliance with the Privacy Shield Principles, we have committed to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact Empirical at info@empiricalsecurity.com.

Empirical has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism administered by the Council of Better Business Bureaus (“BBB”). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, you may visit the BBB’s EU Privacy Shield website at https://www.bbb.org/EU-privacy-shield for more information and to file a complaint.

Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Empirical is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Additional European Union Privacy Rights

If you are located in the European Union, you have certain additional rights with respect to your personal information under the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), including the following:

The right of access to your personal information.

The right to rectify your personal information if it is incorrect or incomplete.

The right to have your personal information erased (“right to be forgotten”) if certain grounds are met.

The right to withdraw your consent to our processing of your personal information at any time (if our processing is based on consent).

The right to object to our processing of your personal information (if processing is based on legitimate interests).

The right to object to our processing of your personal information for direct marketing purposes.

The right to receive your personal information from us in a structured, commonly used and machine-readable format, and the right to transmit your personal information to another controller without hindrance from us (data portability).

You may contact us at info@empiricalsecurity.com to exercise any of the above rights. We may request specific information from you to confirm your identity, and in some circumstances, we may charge a reasonable fee for access to your personal information. Furthermore, if you believe that our processing of your personal information is inconsistent with your data protection rights under the GDPR and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country.

Updates to this Privacy Policy

This Privacy Policy may be updated from time to time for any reason, at our sole discretion. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on this Website. You are advised to consult this Privacy Policy regularly for any changes to this Privacy Policy. Your continued use of this Website or our services after any change in this Privacy Policy will constitute your acceptance of such change.

Empirical Security, Inc. (“Empirical”, “we” or “us”) provides this Privacy Policy to inform users of our policies and procedures regarding the collection, use and disclosure of personally identifiable information received from users of our vulnerability intelligence and analysis service and this website (the “Website”) collected via the Website, email, SMS, telephone, WAP or other means. This Privacy Policy may be updated from time to time for any reason, at our sole discretion. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Website. You are advised to consult this Privacy Policy regularly for any changes. By using or accessing the Website, you are accepting the practices described in this Privacy Policy, and you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us.

If you have any questions or comments about this Privacy Policy or our use of your personally identifiable information, please contact us at info@empiricalsecurity.com.