Legal
Privacy Policy
Effective: 1 June 2025 · Last revised: 27 June 2026
Alastor Infosec Private Limited ("Alastor", "we", "us") operates Pulse and provides managed security services. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with those activities. We are committed to processing personal data lawfully, transparently, and in a manner consistent with applicable data-protection law, including the Information Technology (Amendment) Act 2008, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("SPDI Rules"), and, where applicable, the General Data Protection Regulation ("GDPR").
1.Data Controller
The data controller for personal data processed in connection with the Services is:
Alastor Infosec Private Limited
India
Privacy inquiries: privacy@alastorinfosec.com
Where Alastor processes personal data on behalf of a Customer (e.g., personal data contained within vulnerability findings or reports), Alastor acts as a data processor and the Customer acts as the data controller. The Customer's privacy obligations to their own data subjects are governed by the Customer's own privacy policy and applicable law.
2.Personal Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity & Contact | Name, work email, job title, organisation name | Directly from you at registration or onboarding |
| Authentication Data | Hashed credentials, SSO tokens, MFA records | Automatically upon account creation |
| Usage & Technical Data | IP address, browser type, pages accessed, session duration, API call logs | Automatically via server logs and analytics |
| Communications | Support tickets, email correspondence, feedback submissions | Directly from you |
| Customer Data | Vulnerability findings, asset records, remediation notes, comments you input into Pulse | Directly from you or your systems |
| Billing Data | Invoice details, company registration number (no raw card numbers — payment is handled by our payment processor) | Directly from you |
We do not knowingly collect personal data from individuals under 18 years of age. The Services are intended for enterprise use by business professionals.
3.Legal Basis for Processing
We rely on the following legal bases to process personal data:
- Contractual necessity — to create and manage your account, provide the Services, and fulfil our obligations under the Terms of Service.
- Legitimate interests — to secure the Services, prevent fraud, analyse usage patterns to improve product quality, and send service-related communications. We balance these interests against your privacy rights.
- Legal obligation — to comply with applicable law, regulatory orders, or judicial process.
- Consent — for optional communications (e.g., marketing updates or product newsletters) where we ask for and obtain your explicit consent. You may withdraw consent at any time.
4.How We Use Personal Data
We use personal data to:
- Provision, operate, maintain, and secure the Services.
- Authenticate users and enforce access-control policies.
- Send transactional communications (account alerts, security notifications, finding updates).
- Process invoices and manage subscription billing.
- Respond to support requests and resolve disputes.
- Conduct internal analytics to improve the platform's security and usability.
- Comply with applicable legal and regulatory obligations, including responding to lawful requests from Indian government or law-enforcement authorities.
- Detect, investigate, and remediate security incidents affecting the Services.
We will not use Customer Data to train, fine-tune, or improve AI or machine-learning models without your explicit written consent.
5.Data Sharing & Disclosure
We do not sell personal data. We may share it with:
- Service providers acting as sub-processors (cloud infrastructure, email delivery, payment processing, authentication) under contractual data-protection obligations that are no less protective than this Policy.
- Professional advisors (lawyers, auditors) bound by confidentiality.
- Law enforcement or regulators when required by applicable law, valid legal process, or to protect the rights, property, or safety of Alastor, its customers, or the public. Where legally permissible, we will notify you before disclosing.
- Acquirers in the event of a merger, acquisition, or asset sale, provided the acquirer agrees to honour this Policy or provides you with a materially equivalent policy.
A current list of our sub-processors is available on request at privacy@alastorinfosec.com.
6.Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account and identity data | Duration of the subscription + 2 years post-termination |
| Customer Data (findings, reports) | Duration of the subscription + 30-day export window; then securely deleted |
| Server and audit logs | 12 months from creation |
| Billing records | 7 years (statutory requirement) |
| Support correspondence | 3 years from resolution |
Deletion is performed via cryptographic erasure or secure overwrite in accordance with NIST SP 800-88 guidelines. Upon request, we will provide a written confirmation of deletion.
7.Security Measures
Alastor implements technical and organisational security measures appropriate to the risk of processing, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Role-based access controls and least-privilege enforcement for all internal systems.
- Multi-factor authentication required for all Alastor staff accessing production systems.
- Continuous vulnerability scanning and periodic penetration testing of our own infrastructure.
- Formal incident-response procedures with defined escalation paths and Customer notification obligations.
- Annual security-awareness training for all personnel with access to personal data.
- SOC 2 Type II audit (in progress); interim findings available to Customers under NDA.
Notwithstanding the above, no security measure is infallible. In the event of a personal data breach, Alastor will notify affected Customers without undue delay and in any case within 72 hours of becoming aware of the breach, in accordance with applicable law.
8.International Data Transfers
Alastor's primary infrastructure is hosted within India. Where data is transferred to sub-processors located outside India (e.g., authentication or email service providers based in the United States or the European Union), we ensure that adequate safeguards are in place, including Standard Contractual Clauses approved by the relevant supervisory authority or equivalent mechanisms.
For Customers subject to GDPR, data transfers outside the EEA are governed by Standard Contractual Clauses (Module 2: Controller to Processor) incorporated by reference into the Data Processing Agreement and available on request.
9.Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
| Right | Description |
|---|---|
| Access | Obtain confirmation of whether we process your data and request a copy. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your data where it is no longer necessary or where you withdraw consent. |
| Restriction | Request that we restrict processing in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format and transmit it to another controller. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent | Withdraw previously given consent at any time without affecting prior processing. |
To exercise any of these rights, submit a request to privacy@alastorinfosec.com. We will respond within 30 days. We may require identity verification before processing the request. If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant data-protection authority in your jurisdiction.
10.Cookies & Tracking Technologies
The Pulse platform uses strictly necessary session cookies to maintain authenticated sessions and prevent cross-site request forgery. We do not deploy third-party advertising trackers or behavioural profiling cookies. We may use first-party analytics (e.g., Vercel Analytics) to collect aggregated, anonymised usage data to improve platform performance.
You may configure your browser to reject all cookies; however, session cookies are required for the authenticated portions of the Services to function.
11.Children's Data
The Services are not directed at, and we do not knowingly collect personal data from, children under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will promptly delete it. If you believe we have collected such data, please contact us at privacy@alastorinfosec.com.
12.Changes to this Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated by email or in-product notice at least fourteen (14) days before the effective date. We maintain a version history and prior versions are available on request. Continued use of the Services after the revised Policy takes effect constitutes acceptance of the changes.
13.Contact & Grievance Officer
For questions, concerns, or to exercise your rights under this Policy, contact our designated Privacy Officer:
Privacy Officer — Alastor Infosec Private Limited
Email: privacy@alastorinfosec.com
General: legal@alastorinfosec.com
In compliance with the Information Technology Act 2000 and rules thereunder, the name and contact details of the Grievance Officer shall be published and shall be accessible to users of the Services.