RedRadar Technologies Privacy Statement

---

Last updated: April 2026

This Privacy Statement explains how RedRadar Technologies Inc. ("RedRadar") collects, uses, and protects personal data when you visit our website, contact us, or engage with us as a client, partner, or candidate.

This Statement is written to be read in plain language. It does not replace contractual terms that may apply to specific services (for example, platform Master Services Agreements). Where those terms address data handling, they take precedence over this Statement for the activities they cover.

RedRadar Technologies Inc. Delaware, USA

RedRadar operates redradar.ai website and provides the RedRadar OSINT platform and the VAULT intelligence engine to government, defense, and selected enterprise clients.

This Statement covers personal data we process about:

• Visitors to redradar.ai
• People who contact us by email, web form, or other channels
• Personnel of our clients, prospective clients, partners, and suppliers
• Attendees at events we host or co-host
• Job applicants and candidates
• People referenced in publicly available sources we use for business development

This Statement does not cover the data that flows through the RedRadar platform when our clients use it to conduct open-source intelligence work. When a client uses RedRadar to collect, query, or analyze information, the client is the data controller for that activity. RedRadar acts as a data processor or service provider on the client's behalf, under the terms of our contract with that client. 

The client's own privacy policies, lawful basis for processing, and data protection obligations govern that activity. See Section 11 (Platform use by clients) for more detail. This distinction is important. A request to access or delete information that may exist inside a client's environment on the RedRadar platform should be directed to that client, not to RedRadar.

We collect different categories of personal data depending on how you interact with us. The lists below describe each category, the purpose for which we use it, and our lawful basis under the GDPR / UK GDPR.

Data collected: device and browser identifiers, pages visited, referral URL, approximate location derived from IP, and cookie identifiers. See Section 17 (Cookies) for detail.

Purpose: To operate, secure, and improve our websites; to analyze traffic patterns; to detect abuse; to improve your user experience.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in operating a secure, functional website and understanding how it is used. Where required by law, we obtain your consent before placing non-essential cookies.

Controller: RedRadar 

Data collected: Name, email address, employer, role, and the contents of your message and any attachments. If you request a demo or platform evaluation, we may also collect information about your organization's role, mission, jurisdiction, and intended use case.

Purpose: To respond to your inquiry, evaluate fit, and (where applicable) progress a procurement, partnership, or media engagement.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in responding to inquiries and developing business relationships, and steps taken at your request prior to entering a contract.

We may keep your contact information on file after the initial exchange so we can resume the conversation if you re-engage. If you would prefer we delete your details, write to us.

Controller: RedRadar

Data collected: Names, contact details, professional roles, and correspondence of individuals at our client organizations who interact with us as users, project leads, procurement contacts, legal counsel, or otherwise. Contract documentation, invoices, and account records.

Purpose: To establish and manage the contractual relationship; to deliver the platform, or services; to issue invoices and process payments; to provide support; to comply with legal and regulatory obligations including export control screening; to enforce our agreements; and to maintain account records.

Lawful basis (GDPR/UK GDPR): Performance of a contract; legitimate interest in managing a commercial relationship; compliance with legal obligations. This category does not include data that clients process inside the RedRadar platform in the course of intelligence work. That data is governed by Section 11.

Controller: RedRadar.

Data collected: Name, professional role, employer, public professional contact information (LinkedIn URL, business email where publicly listed), and notes on relevance to our work.

Purpose: To identify organizations and individuals to whom our offering may be relevant and to make initial outreach.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in business development. Where required by applicable law, we limit such outreach to recipients in their professional capacity at organizations whose mission aligns with ours. You can object to this processing at any time by writing to us.

Controller: RedRadar

Data collected: Registration details, attendance, and (where applicable) recordings. We will tell you in advance if a session is being recorded.

Purpose: To deliver the event, follow up afterward, take notes, and improve future events for attendees.

Lawful basis (GDPR/UK GDPR): Performance of a contract (your registration), our legitimate interest in operating educational events, and consent for any optional uses such as inclusion in promotional material.

Controller: RedRadar

Data collected: As described in our Candidate Privacy Notice. In summary: identification and contact data, CV / résumé, application materials, interview notes, references, and (where the role and jurisdiction require) background check results and right-to-work documentation.

Purpose: To assess your application and, if you are hired, to onboard you.

Lawful basis (GDPR/UK GDPR): Steps taken at your request prior to entering a contract, our legitimate interest in evaluating candidates, and compliance with legal obligations.

We collect personal data:

• Directly from you, when you visit our sites, fill in a form, write to us, subscribe to the blog, attend an event, or apply for a role or any similar direct or indirect form of engagement with us, our digital assets or infrastructure.
• Automatically, through cookies and similar technologies on our websites (see Section 17).
• From service providers and partners who help us run our business (for example, payment processors, delivery platforms, identity verification providers or other involved in any business operations or maintenance process).
• From public sources, including company websites, professional networks, regulatory filings, and other publicly available material, in connection with business development and client/partner due diligence.

We use personal data to:

• Operate, secure, and improve our websites for you.
• Respond to inquiries and progress potential client, partner, and media relationships.
• Manage contractual relationships with clients, suppliers, and partners, potential leads, and prospects.
• Identify prospective clients and make initial business outreach.
• Operate events.
• Recruit and assess job candidates.
• Comply with legal, regulatory, tax, accounting, anti-fraud, and export-control obligations.
• Establish, exercise, and defend legal claims, and enforce our agreements.
• Protect the rights, property, and safety of RedRadar, our personnel, our clients, and others.

We do not use personal data to train any third-party AI or large language model. We do not sell personal data. We do not engage in cross-context behavioral advertising. We do not share personal data with advertising networks for targeting purposes.

We share personal data only where necessary, and only with recipients who are bound by appropriate confidentiality and data protection obligations. Recipients fall into the following categories:

• Service providers (processors) who act on our instructions: hosting and infrastructure, email delivery, blog and CRM platforms, delivery platforms, payment processors, identity verification, accounting and tax advisors, professional services firms, and similar. A current list of material sub-processors is available on request.
• Professional advisors, including lawyers, auditors, and insurers, where needed.
• Government and regulatory authorities, where we are required by law to disclose information, including in response to lawful court orders, regulatory inquiries, tax reporting, and export-control screening.
• A successor entity, in the event of a merger, acquisition, investment, financing, restructuring, or sale of all or part of our business. We will inform affected individuals where required by law.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

RedRadar Technologies Inc. is established in Delaware, USA. Our service providers are located the US only. As a result, your personal data may be transferred to, stored in, and processed in countries other than the one in which you live (storage servers, cloud providers, third party hosting infrastructure, applications, platforms).

When we transfer personal data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we put in place appropriate safeguards. These typically include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss equivalents, supplemented where necessary by additional technical and organizational measures.

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, exposure, leakage or destruction. These include access controls based on least privilege, encryption in transit and (where appropriate) at rest, infrastructure hardening, logging and monitoring, employee confidentiality obligations, vendor due diligence, and an incident response process.

However, since we rely on third party products for communication, delivery of platform access and other functions relevant for business operations, we cannot directly or indirectly control those third party vendors (e.g., cloud providers, site hosting, data storage and others) from being breached, compromised, or targeted (that includes your data). No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your information, we will notify the relevant supervisory authorities and affected individuals where required by applicable law and within the timeframes those laws specify.

We keep personal data only as long as we need it for the purposes described in this Statement, plus any additional period required to:

• Comply with legal, tax, accounting, and regulatory obligations.
• Establish, exercise, or defend legal claims.
• Honor our internal record-keeping and audit requirements.

Indicative retention periods (the numbers are approximate):

• Blog subscriber data: Until you unsubscribe, then deleted within 60 days, except for a suppression record retained to ensure we do not contact you again.
• Demo and inquiry contacts: Up to 24 months from the last interaction, unless you re-engage or show interest to re-engage directly or indirectly.
• Payment and billing records: up to 7 years, to comply with tax law.
• Client contractual records: Term of the contract plus up to 7 years.
• Job applicant data (unsuccessful candidates): 12-24 months, then deleted unless you ask us to keep it on file longer.
• Website analytics and security logs: 12-24 months. 

These periods are indicative and may be longer where required by law or shorter where the purpose has been fulfilled. Specific retention is documented in our internal data retention schedule, which is available to supervisory authorities on request.

Depending on where you live and which laws apply, you may have rights in relation to your personal data, including:

• The right to access your personal data and obtain information about how it is processed.
• The right to correct inaccurate or incomplete personal data.
• The right to delete your personal data, subject to legal exceptions.
• The right to restrict or object to certain processing, including processing for direct marketing.
• The right to data portability, where it applies.
• The right to withdraw consent at any time, only where processing is based on consent.

You can exercise these rights by writing to us. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request, and we may decline or limit a request where the law allows us to do so — for example, where granting it would conflict with the rights of others, expose confidential information, or undermine an active legal claim. 

Our websites and services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

This section supplements the rest of the Statement for individuals protected by the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection.

Lawful bases. The lawful bases on which we rely are identified in Section 3 for each processing activity.

Right to object to processing based on legitimate interests. You may object to processing of your personal data that we carry out on the basis of our legitimate interests. Where you object, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is needed to establish, exercise, or defend legal claims.

Right to object to direct marketing. You can object to direct marketing at any time, and we will stop. Unsubscribe links are included in every marketing email.

Automated decision-making. We do not make decisions producing legal or similarly significant effects on you based solely on automated processing.

This section applies to individuals who are residents of US states whose comprehensive consumer privacy laws apply to RedRadar, including (as applicable) California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.

Categories of personal information we collect. As described in Section 3. In the categories used by the California Consumer Privacy Act:

• Identifiers (e.g., name, email, country / city of residence based on IP address)
• Customer records information (e.g., billing address, payment identifiers)
• Internet or network activity (e.g., website interactions)
• Professional or employment information
• Audio and visual information (e.g., event recordings, Zoom sessions where applicable)
• Inferences drawn from the above

Sources, purposes, and recipients. As described in Sections 3, 5, and 6.

Sale and sharing. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California and other US state privacy laws. We do not knowingly sell or share the personal information of consumers under 16.

Your rights. Subject to verification and statutory exceptions, you have the right to:

• Know what personal information we have collected, used, disclosed, and (if applicable) sold or shared.
• Request a copy of your personal information in a portable format.
• Request correction of inaccurate personal information.
• Request deletion of your personal information.
• Opt out of any sale or sharing for cross-context behavioral advertising (not applicable to us, but the right is available).
• Limit the use and disclosure of sensitive personal information (California).
• Appeal a denial of a rights request (Colorado, Connecticut, Virginia, and others).
• Not be discriminated against for exercising any of these rights.

How to exercise rights. Email us with the subject line "US Privacy Request" and identify the right you wish to exercise. We may ask you for information necessary to verify your identity. You may use an authorized agent; we may require proof of authorization.

Our records about clients, prospects, and individuals identified through public sources may include information whose disclosure would compromise legal claims, contractual confidentiality, security, or the rights and freedoms of third parties. Where applicable law allows us to do so, we may redact or withhold information from a response on these grounds, and we will explain the reason. Requests will not be denied on these grounds where the law does not permit it.

Our websites use cookies and similar technologies for the following purposes:

• Strictly necessary cookies, which are required for the site to function (for example, to remember a cookie preference).
• Analytics cookies, which help us understand how people use our sites. Where required by law, these are set only with your consent.
• We do not use advertising or cross-site tracking cookies.

You can control cookies through your browser settings and through the cookie banner on our sites. A more detailed Cookies Notice is available at redradar.ai