At Symbol Security, Inc. (“Symbol,” “we,” “us,” or “our”), we are committed to protecting the privacy and security of the data entrusted to us. This Privacy Policy explains how we collect, use, and disclose information when you visit our website, use our SaaS platform, or interact with our services.
1. Our Role: Controller vs. Processor
To understand your privacy rights, it is important to identify Symbol’s role regarding your data:
- Symbol as a Data Controller: When you visit our public website (symbolsecurity.com), sign up for our marketing materials, or engage with our sales team, Symbol acts as a Data Controller. In these instances, Symbol determines the purposes and means of processing that data only for its own business purposes, such as marketing and site functionality.
- Symbol as a Data Processor: When we provide services to an organization (the “Subscriber”), a Managed Service Provider (“MSP”), or a Distributor (collectively, “Subscriber”), we process data (such as employee emails for training) solely on behalf of that organization. In these instances, Symbol acts as a Data Processor. The Subscriber’s privacy policy, as Data Controller, governs the processing of that data. Symbol strictly processes this data according to the terms of the Subscriber’s Service Order and the Data Processing Addendum (DPA).
2. Data We Collect
- Information You Provide: Name, business email, company name, and job title.
- Service Data: When using our platform, we process professional identifiers (email addresses) and training performance data (e.g., phishing simulation results and course completion status).
- Automatically Collected Data: We collect IP addresses, browser types, and device identifiers. For cybersecurity purposes, this includes tracking interactions with simulated phishing emails to provide accurate risk reporting.
- Threat Intelligence & Breach Monitoring: Publicly available information, dark web mentions, and aggregated threat data related to the Subscriber’s organization or personnel, collected for the purpose of the Cyber Threat Surveillance offering. This includes professional identifiers used to query public breach and credential databases (e.g., haveibeenpwned and similar sources) to provide Email Threat Alerts, which inform users of potential exposure.
2.A. Cookies and Tracking Technology
- Symbol Security uses cookies, web beacons, and similar tracking technologies on our public website (symbolsecurity.com) to provide site functionality, analyze usage, and support marketing efforts. You have the right to accept or decline the use of non-essential cookies. You can manage your cookie preferences through your browser settings or via the cookie consent banner on our website.
3. How We Use Your Information
We use your data to:
- Provide and maintain the Symbol Security SaaS Platform.
- Execute simulated phishing campaigns and track training compliance.
- Improve our “Report A Phish” button functionality and threat alerting algorithms.
- Ensure Service Functionality and Security (Contractual Necessity/Legitimate Interest): We collect technical data (IP addresses/User Agents) during simulations as a core requirement to distinguish between human interaction and automated security filters, which is necessary for the performance of our contract with the Subscriber.
- Provide Cyber Threat Surveillance and Email Threat Alerts: Monitoring and analyzing external data sources, including publicly available breach data, to alert Subscribers to potential threats targeting their organization or personnel. This includes using professional identifiers to check external breach databases and deliver Email Threat Alerts concerning exposed credentials or PII, a key component of the Service.
3.A. Legal Basis for Processing (Controller Role)
When Symbol acts as a Data Controller (i.e., for website visitors and marketing contacts), we rely on the following legal bases for processing your Personal Data:
- Legitimate Interest: For purposes of site improvement, fraud prevention, and communicating with you about our services where such interests are not overridden by your data protection rights.
- Consent: For sending you marketing communications, where required, and for the use of non-essential cookies.
- Contractual Necessity: To respond to your inquiries and fulfill a request you have made (e.g., a demo request).
4. Data Residency: The Brussels Node
Symbol utilizes a global infrastructure to support data residency requirements:
- United States (Default): All data is processed in the United States by default.
- EU Node (Brussels): For Subscribers who have contractually requested EU data residency in their Service Order, Symbol processes and stores Personal Data at rest within our Brussels, Belgium (EU) node. This ensures that European Union and United Kingdom data remains within a GDPR-compliant jurisdiction.
5. Artificial Intelligence & Data Privacy
Symbol may utilize Artificial Intelligence (AI) and Machine Learning (ML) to enhance threat detection and negativity ratings.
- Anonymization: Data used to train our proprietary security models is anonymized and stripped of personally identifiable information (PII).
- No Automated Decisions: Symbol does not use AI to make automated decisions that have legal or significant effects on individuals (e.g., employment termination).
5. Data of Minors
The Symbol Security Platform and public website are not intended for use by individuals under the age of sixteen (16). We do not knowingly collect or solicit Personal Data from children. If we become aware that we have collected Personal Data from a child without parental consent, we will take steps to delete that information promptly.
6. Your Data Rights
Depending on your location (including the EEA, UK, and states like California), you may have the following rights:
- Right to Access/Know: Request a copy of the Personal Data we hold about you.
- Right to Portability: Request that we move your data to another service provider.
- Right to Deletion: Request that we erase your Personal Data (subject to legal retention requirements).
- Right to Object: Object to the processing of your data for direct marketing.
- Right to Limit Use: Limit the use of sensitive personal information.
- How to Exercise & Response Timeframe: Please email [email protected]. We will respond to all verified requests within the timeframes required by applicable law, typically one month (30 days) from the date of receipt. If you are a User/Employee of a Subscriber, Symbol Security cannot act on your request directly. We are a Data Processor and are legally obligated to refer your request to your employer (the Data Controller). Symbol will cooperate with the Subscriber as required by the DPA to fulfill verified requests.
7. International Transfers
When data is transferred from the EEA, UK, or Switzerland to the United States, we utilize the EU Commission’s modern Standard Contractual Clauses (SCCs) as amended by any required UK Addendum, and other approved legal mechanisms as outlined in our Data Processing Addendum (DPA) located at symbolsecurity.com/legal/dpa.
7.A. Additional Privacy Rights for California Residents
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know and Access: Request the specific pieces of Personal Information we have collected about you.
- Right to Delete: Request the deletion of your Personal Information, subject to certain exceptions.
- Right to Opt-Out of Selling or Sharing: Request to opt-out of the “selling” or “sharing” of your Personal Information (as those terms are defined under the CCPA/CPRA). Note: Symbol Security does not sell or share the Personal Data of Subscribers’ Users/Employees processed in our role as a Data Processor. We provide a Do Not Sell/Share My Personal Information link on our website for Data Controller activities (e.g., marketing contacts).
- Right to Limit Use of Sensitive Personal Information: Request to limit the use of Sensitive Personal Information to what is necessary for our services.
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any of your CCPA/CPRA rights.
8. Security & Retention
We implement industry-standard technical and organizational measures to protect data. We retain Personal Data only as long as necessary to provide the Services or as required by law (typically the duration of the Subscriber’s contract plus a standard wind-down period).
9. Third-Party Service Providers and Sub-Processors
Symbol utilizes third-party vendors (Sub-Processors) to assist in providing our services, including cloud hosting, support, and billing. We enter into written agreements with every Sub-Processor, requiring them to meet our security and privacy standards and to process data only according to our instructions. For our Subscribers, a list of all current Sub-Processors is maintained and made available in our Data Processing Addendum (DPA).
Note on Channel Partners: Managed Service Providers (MSPs) and Distributors who resell Symbol Security services are considered independent Data Controllers or Processors with respect to their own customers. They are not considered Sub-Processors of Symbol Security unless explicitly engaged as such through a separate written agreement.
10. Changes to This Privacy Policy
Symbol reserves the right to modify this Privacy Policy at any time. We will indicate the date of the latest revision at the top of the policy. For material changes that affect how we process your Personal Data, we will notify you by email (if you are a Subscriber or registered user) or by placing a prominent notice on our website prior to the change becoming effective.
11. Contact Us
If you have questions about this Policy, please contact:
Symbol Security Privacy Office
115 Route 46 West, Bldg F
Mountain Lakes, NJ 07046
Email: [email protected]