Privacy Policy
Last updated: 2026-02-05
At XThreat, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in accordance with GDPR and Lithuanian data protection law.
1. Data Controller
This Privacy Policy describes how MB XThreat ("we", "us", or "our") collects, uses, and protects your personal information.
Data Controller:
MB XThreat
Company code: 307258262
Registered address: Narėpų g. 40, Narėpų k., LT-54470 Kauno r., Lithuania
Email: info@tryxthreat.com
2. Information We Collect
We collect the following categories of personal information:
- Account Information: Name, email address, job title, organization name when you create an account
- Authentication Data: Login credentials (passwords are never stored in plain text)
- Usage Data: IP address, browser type, device information, pages visited, features used, time spent on platform
- Training Performance Data: Quiz results, phishing simulation interactions, course completion status, progress tracking
- Communication Data: Messages you send us, support requests, feedback
- Payment Information: Billing details processed by our payment provider (we do not store full credit card numbers)
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contract Performance: To provide our cybersecurity training services and manage your subscription (GDPR Article 6(1)(b))
- Legitimate Interest: To improve our services, prevent fraud and ensure platform security (GDPR Article 6(1)(f))
- Consent: For marketing communications and optional features (GDPR Article 6(1)(a)) - you may withdraw consent at any time
- Legal Obligation: To comply with Lithuanian and EU regulations, tax requirements, and law enforcement requests (GDPR Article 6(1)(c))
4. How We Use Your Information
We use collected information for the following purposes:
- Provide and maintain the cybersecurity training platform
- Process your subscription and manage billing
- Track training progress and generate compliance reports
- Send service-related notifications and updates
- Provide customer support and respond to inquiries
- Improve platform features and user experience
- Analyze usage patterns to enhance security and performance
- Send marketing communications (only with your consent)
- Detect and prevent fraudulent activity or security threats
- Comply with legal obligations and regulatory requirements
5. Data Sharing and Disclosure
We may share your personal information with:
- Service Providers: Third-party vendors who help us operate our platform (hosting, payment processing, email delivery) under strict data protection agreements
- Payment Processors: Stripe or other payment providers to process subscription payments (they have their own privacy policies)
- Analytics Services: Tools that help us understand platform usage (with data minimization and anonymization where possible; we do not currently use third-party analytics cookies, see Section 11)
- Legal Authorities: When required by law, court order, or to protect our legal rights
- Business Transfers: In connection with a merger, acquisition, or asset sale (you will be notified of any ownership changes)
- With Your Consent: Any other third parties you explicitly authorize
6. International Data Transfers
Your personal data may be processed on servers located outside the European Economic Area (EEA), including services hosted in the United States or other jurisdictions.
When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries recognized as providing adequate data protection
• Service providers certified under relevant data protection frameworks
Our primary hosting infrastructure is located within the EU where possible.
7. Data Retention
We retain your personal data only as long as necessary:
- Active Accounts: Data retained while your subscription is active
- After Account Deletion: Personal data deleted within 90 days, except data we must retain for legal compliance
- Training Records: Compliance-related training data may be retained for up to 7 years to meet regulatory requirements (e.g., NIS2 documentation)
- Usage Logs: Anonymized analytics data retained for 12 months
- Backup Data: Deleted from active backups within 30 days of account termination
- Marketing Data: Removed immediately upon unsubscribe or consent withdrawal
8. Data Security
We implement industry-standard technical and organizational security measures to protect your personal information:
• Encryption: Data encrypted in transit (TLS) and at rest
• Access Controls: Role-based access and multi-factor authentication
• Regular Security Audits: Ongoing vulnerability assessments and penetration testing
• Secure Infrastructure: Hosting with reputable providers that hold SOC 2 attestations
• Employee Training: Staff trained on data protection and confidentiality
• Incident Response: Procedures to detect, respond to, and notify of data breaches
While we strive to protect your data, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to minimize risks.
9. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
- Right to Access: Request a copy of your personal data we hold
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain circumstances
- Right to Restriction: Limit how we process your data in specific situations
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority (see Section 12)
10. Exercising Your Rights
To exercise any of your data protection rights, contact us at info@tryxthreat.com with "Data Privacy Request" in the subject line.
We will respond to your request without undue delay and in any event within one month of receipt, as required by GDPR Article 12(3). Where a request is complex or we receive a large number of requests, we may extend this period by up to two further months; we will inform you of any extension, and the reasons for it, within the first month.
We may need to verify your identity before processing certain requests to protect your data security.
There is no fee for exercising your rights unless your request is clearly unfounded or excessive.
11. Cookies and Local Storage
We use browser local storage (not traditional cookies) for essential functionality only:
• Authentication: Securely maintain your login session
• User Preferences: Remember your settings and language preferences
• Essential Features: Enable core platform functionality
We do NOT currently use:
• Analytics cookies (no Google Analytics, tracking pixels, etc.)
• Marketing cookies (no advertising or retargeting)
• Third-party tracking technologies
All storage is strictly necessary for the service to function. You can clear this data through your browser settings, but doing so will log you out and reset your preferences.
12. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR or Lithuanian data protection law, you have the right to lodge a complaint with the supervisory authority:
Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate)
Address: L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Phone: +370 5 271 2804
Email: ada@ada.lt
Website: www.ada.lt
You may also contact your local data protection authority in your EU member state.
13. Children's Privacy
Our services are designed for business users and are not intended for children under the age of 18.
We do not knowingly collect personal information from individuals under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
Upon verification, we will delete such information from our systems within 30 days.
Organizations using our platform are responsible for ensuring their employees meet age requirements for service use.
14. Third-Party Services
Our platform may integrate with or link to third-party services (e.g., payment processors, hosting providers). These third parties have their own privacy policies.
We are not responsible for the privacy practices of third-party services. We recommend reviewing their privacy policies before providing them with personal information.
We conduct due diligence on third-party processors to ensure they meet GDPR standards and execute Data Processing Agreements (DPAs) where required.
15. Marketing Communications
We may send you marketing emails about our services, product updates, and industry insights only if:
• You have provided explicit consent, or
• You are an existing customer and the communications relate to similar services (soft opt-in)
Every marketing email includes an unsubscribe link. You can opt out at any time without affecting your service access.
We will process your unsubscribe request within 2 business days.
Service-related emails (account notifications, security alerts, billing) are not marketing and cannot be unsubscribed from while you maintain an active account.
16. Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
• Notify the Valstybinė duomenų apsaugos inspekcija within 72 hours of becoming aware
• Notify affected users without undue delay if the breach poses a high risk
• Provide information about the nature of the breach, likely consequences, and measures taken
We maintain an incident response plan and conduct regular security assessments to minimize breach risks.
17. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
Training results and compliance reports are generated automatically, but these are informational tools for your organization and do not constitute automated decisions with legal or significant effects.
If we introduce any automated decision-making in the future, we will update this policy and provide appropriate safeguards as required by GDPR Article 22.
18. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features.
Material changes will be notified via:
• Email to your registered address (at least 30 days before changes take effect)
• Prominent notice on our platform
• Updated "Last Updated" date at the top of this policy
We encourage you to review this policy periodically. Continued use of our service after changes constitutes acceptance of the updated policy.
For significant changes affecting your rights, we may require your renewed consent before continuing to process your data.
19. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
MB XThreat
Email: info@tryxthreat.com
Address: Narėpų g. 40, Narėpų k., LT-54470 Kauno r., Lithuania
Data Protection Officer: info@tryxthreat.com (for data protection inquiries)
We will respond to all privacy-related inquiries within one month, as required by GDPR (see Section 10 for the handling of data subject requests).