Privacy Policy
This policy explains what personal data Dark Manager ("we", "the platform") collects, how DarkEye Industries processes it on your behalf, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and equivalent regimes.
1. Data we collect
1.1 Account data
When a customer creates an account, we store: username (typically a work email), a hashed password, role, the company they belong to, account status and the timestamp of their last login. We never store passwords in plaintext.
1.2 Tenant configuration
For each customer tenant we store the monitored domains, executive email addresses, registered third-party provider domains and per-category alert recipients. This information is provided directly by the customer.
1.3 Dark web monitoring data
We continuously ingest credential leak feeds from public and private sources. Email addresses associated with our customers' monitored domains are stored as SHA-256 hashes. The plaintext email is retained only in the per-tenant JSON feed used to render dashboards, never written to relational storage.
1.4 Operational telemetry
We log breach events, status transitions and remediation actions taken inside the platform. These logs are retained for the lifetime of the subscription and 90 days after termination, for audit and dispute resolution purposes.
1.5 Contact form submissions
If you contact us via the website form we retain your name, work email, company name (optional), job title (optional), inquiry type and message. We use this information only to respond to your request.
2. Legal basis for processing
- Contract performance: processing account and tenant configuration data to deliver the platform.
- Legitimate interest: processing dark-web monitoring data to alert customers about compromised credentials affecting their workforce, executives, clients and supply chain.
- Consent: for marketing communications. You can opt out at any time.
- Legal obligation: retention of operational logs for tax, accounting and security incident response.
3. How we share data
We do not sell personal data. We share data only with:
- Sub-processors listed in our DPA (hosting provider, transactional email provider, optional AI report provider). All sub-processors are bound by GDPR-equivalent contractual terms.
- Customers within their own tenant boundary. Cross-tenant access is enforced at the application and database level.
- Authorities when compelled by a valid legal order.
4. International transfers
Production data is stored within the European Economic Area. Where a sub-processor operates outside the EEA, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
5. Retention
- Account credentials: until the user is deleted by the customer, plus 30 days for backup recovery.
- Breach records: indefinitely while the subscription is active, then anonymized and aggregated 90 days after termination.
- Operational logs: 12 months rolling.
- Contact form submissions: 24 months unless converted to a customer account.
6. Your rights
If you are a data subject located in the EU/EEA, UK, or any jurisdiction with equivalent law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Request erasure of data we hold under the contract performance or consent bases.
- Restrict or object to processing.
- Data portability.
- Lodge a complaint with your national supervisory authority.
To exercise any of these rights, email [email protected]. We respond within 30 calendar days.
7. Security
The platform enforces TLS in transit, hashed credential storage, tenant isolation at the application layer, role-based access control, audit logging and least-privilege operational access. A breach affecting personal data will be notified to the impacted controllers within 72 hours, as required by GDPR Article 33.
8. Cookies
We use only essential session cookies required for authentication. We do not deploy tracking, advertising or analytics cookies on darkmanager.com.
9. Contact
Data Protection contact: [email protected]
General: [email protected]
Controller: DarkEye Industries.
10. Changes to this policy
We will notify customers by email at least 15 days before any material change. The most current version is always available at darkmanager.com/privacy.