Privacy Policy
This Privacy Policy explains how Avatier Corporation ("Avatier," "we," "us," or "our") collects, uses, discloses, and protects personal data when you visit attackcost.com or cyberattackcost.com (each, "the Site") and use our cyber attack cost calculator, AI assistant, and related services. This policy applies to visitors worldwide. Region-specific rights and disclosures are addressed in the Regional Addenda at the end of this document.
1. Overview
AttackCost is a cyber attack financial impact calculator provided by Avatier Corporation. The Site allows visitors to model breach costs, generate PDF reports, interact with an AI assistant, and optionally submit contact information for follow-up. We are committed to protecting your privacy and processing your personal data transparently, lawfully, and in accordance with applicable data protection laws worldwide.
If you are located in a jurisdiction with specific data protection regulations, please review the applicable Regional Addendum below for additional rights and disclosures that apply to you.
2. Data Controller
The data controller responsible for your personal data is:
Avatier Corporation
4733 Chabot Drive, Suite 201
Pleasanton, CA 94588, USA
Email: privacy@avatier.com
Phone: (800) 609-8610 or (925) 217-5170
For EEA/UK-specific inquiries, you may also contact our designated privacy representative at the address above or via privacy@avatier.com.
3. Data We Collect
3.1 Information You Provide Directly
- Contact form submissions: Name, email address, company name, job title, and any message content you include when requesting information or a follow-up.
- Calculator inputs: Company parameters you enter into the attack cost calculator (employee count, revenue, stock ticker). These are processed client-side and are not stored on our servers unless you generate and submit a report.
- AI assistant interactions (powered by Delphi.ai): Questions and prompts you submit to the on-site AI chat assistant. If you provide your name or email address during the conversation — for example, when booking a sales call or requesting follow-up — Delphi.ai collects that contact information. Delphi.ai may also collect your email if you log in or authenticate to use the assistant. Conversation content, engagement data (message count, last active date), and any tags or properties assigned based on your interactions are stored within the Delphi.ai platform. Contact data (email and name) is automatically synced to our CRM (HubSpot) on a daily basis. For more information, see Delphi.ai's Privacy Policy.
3.2 Information Collected Automatically
- Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preference.
- Usage data: Pages visited, time spent on pages, click patterns, scroll depth, referral source (search engine, social media, direct), and exit pages.
- Cookie and tracking data: Information collected through cookies, pixels, and similar technologies as described in Section 6 below.
- Geolocation data: Approximate geographic location derived from your IP address, used to serve the appropriate cookie consent banner and (where available) localized content.
3.3 Information from Third Parties
- Public financial data: When you enter a stock ticker, the calculator may retrieve publicly available market data (market capitalization, revenue) from third-party financial APIs. This data is about the company, not about you personally.
- Analytics providers: We may receive aggregated insights about visitor demographics and interests from analytics services such as Google Analytics.
- B2B business contact data (Artisan): We use Artisan AI Inc. ("Artisan"), an AI-powered business development platform, to identify and engage potential business customers. Artisan maintains a database of verified B2B business contacts compiled from public and commercial sources, and may enrich business contact records with firmographic data (company name, industry, size, location, job title, professional email address, and publicly available professional profile information). Artisan also processes intent signals derived from publicly available business events (such as funding announcements and leadership changes). Artisan does not identify individual visitors to the Site; it provides business contact data from its own database. Artisan is SOC 2 certified. For more information, see Artisan's Privacy Policy.
4. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Data Used |
|---|---|
| Provide and operate the Site and calculator | Calculator inputs, device/browser data |
| Provide AI-powered assistance and answer visitor questions via the embedded Delphi.ai assistant | Conversation content, name, email (if provided) |
| Schedule sales calls and demos requested through the AI assistant | Name, email, conversation context |
| Sync contact data to our CRM (HubSpot) for sales follow-up and relationship management | Name, email (synced daily from Delphi.ai to HubSpot) |
| Identify and engage potential business customers via AI-powered B2B outreach (Artisan) | Business contact information (name, business email, company, job title) sourced from Artisan's B2B database |
| Respond to your inquiries and contact form submissions | Name, email, company, message content |
| Send marketing communications (only with your consent) | Name, email, company |
| Generate and deliver PDF reports | Calculator inputs, email (if provided) |
| Analyze site performance and improve user experience | Usage data, device data, cookies |
| Serve region-appropriate cookie consent banners | IP-derived geolocation |
| Detect, prevent, and address security issues | IP address, device data, usage patterns |
| Comply with legal obligations | Any data as required by law |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
5. Legal Bases for Processing
Depending on your location and the nature of the processing, we rely on one or more of the following legal bases:
- Consent: Where you have given clear, affirmative consent for us to process your personal data for a specific purpose (e.g., marketing emails, non-essential cookies). You may withdraw consent at any time.
- Contract performance: Where processing is necessary to fulfill a request you have made (e.g., generating a report, responding to an inquiry).
- Legitimate interests: Where processing is necessary for our legitimate business interests (e.g., site analytics, security, and fraud prevention), provided those interests are not overridden by your rights. Our legitimate interests include understanding how visitors use our Site, improving our services, and protecting against misuse.
- Legal obligation: Where processing is necessary to comply with applicable laws, regulations, or legal proceedings.
6. Cookies & Tracking Technologies
AttackCost uses cookies and similar tracking technologies. When you first visit the Site, you will see a cookie consent banner appropriate to your geographic location, powered by Cookiebot (Usercentrics). Your consent preferences are stored and respected across your session.
6.1 Categories of Cookies
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for site functionality, security, and cookie consent management. These cannot be disabled. | No |
| Analytics / Performance | Help us understand how visitors interact with the Site (e.g., Google Analytics). Data is aggregated and anonymized where possible. | Yes |
| Marketing / Advertising | Used to deliver relevant content and measure campaign effectiveness. May be set by third-party advertising partners. | Yes |
| Preferences / Functional | Remember your settings such as language preference, calculator inputs, and display options. | Yes |
6.2 Managing Your Preferences
You can change or withdraw your cookie consent at any time by clicking the cookie settings icon (privacy trigger) visible on every page of the Site, or by clearing cookies in your browser settings. You may also configure your browser to block or alert you about cookies. Note that disabling certain cookies may affect site functionality.
6.3 Do Not Track & Global Privacy Control
We honor Global Privacy Control (GPC) signals where required by applicable state law. If your browser sends a GPC signal, we treat it as a valid opt-out request for the sale or sharing of personal information where such laws apply.
7. Data Sharing & Third Parties
We do not sell your personal data. We do not rent, trade, or otherwise make your personal information available to third parties for their own marketing purposes.
We may share your data with the following categories of recipients, solely for the purposes described in this policy:
- Service providers: Hosting providers (Vercel), analytics services (Google Analytics), AI conversational assistant (Delphi.ai), CRM platform (HubSpot), AI-powered B2B outreach platform (Artisan), email delivery platforms, and cookie consent management (Cookiebot/Usercentrics). These providers process data on our behalf under contractual obligations that include data protection requirements.
- Professional advisors: Lawyers, auditors, and consultants, when necessary for legal, compliance, or business purposes.
- Law enforcement and regulators: When required by law, regulation, legal process, or enforceable governmental request.
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.
8. International Data Transfers
Avatier is headquartered in the United States. Your personal data may be transferred to and processed in the United States or other countries where our service providers operate. These countries may not have data protection laws equivalent to those in your jurisdiction.
When we transfer personal data from the European Economic Area (EEA), United Kingdom, Switzerland, Brazil, or other jurisdictions with data transfer restrictions, we rely on appropriate safeguards, including:
- The EU-US Data Privacy Framework (and UK and Swiss extensions), where applicable.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Binding Corporate Rules, where adopted by our service providers.
- Your explicit consent, where no other mechanism is available and you have been informed of the potential risks.
You may request a copy of the safeguards we use by contacting privacy@avatier.com.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Contact form submissions | Up to 24 months from last interaction, or until you request deletion |
| Marketing consent records | Duration of consent plus 3 years (for compliance documentation) |
| Cookie consent records | 12 months (then re-consent is requested) |
| Analytics data (aggregated) | 26 months (Google Analytics default), then automatically deleted |
| Server logs (IP, access) | 90 days |
| AI assistant interactions (Delphi.ai) | Conversation history retained in Delphi.ai for the duration of your contact record. Contact data (name, email) synced to HubSpot daily and retained per HubSpot retention below. |
| CRM contact records (HubSpot) | Retained until you request deletion or the record is no longer needed for business purposes |
| B2B outreach contact data (Artisan) | Retained for the duration of active outreach campaigns and business development activities, or until you opt out or request deletion |
10. Your Rights
Regardless of where you are located, we are committed to honoring the following data subject rights. Some rights may be subject to conditions or limitations under applicable law. Region-specific rights are detailed in the Regional Addenda below.
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure / Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Restriction: Request that we limit how we use your data in certain circumstances.
- Data portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Opt-out of marketing: Unsubscribe from marketing communications at any time using the link in any email or by contacting us directly.
To exercise any of these rights, contact us at privacy@avatier.com. We will respond within the timeframe required by applicable law (generally 30 days, or as specified in the Regional Addenda).
We will not discriminate against you for exercising your privacy rights. You will not receive different pricing, quality of service, or access to features based on your privacy choices.
11. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS/HTTPS), access controls, regular security assessments, and employee training. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.
12. Children's Privacy
The Site is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@avatier.com and we will promptly delete the information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, provide you with notice (for example, via a banner on the Site or an email to affected individuals). Your continued use of the Site after any changes constitutes acceptance of the updated policy.
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Avatier Corporation — Privacy Team
4733 Chabot Drive, Suite 201
Pleasanton, CA 94588, USA
Email: privacy@avatier.com
Phone: (800) 609-8610 or (925) 217-5170
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (see Regional Addenda for specifics).
Regional Addenda
The following sections provide additional information and rights specific to your jurisdiction. These addenda supplement — and where they conflict, override — the general provisions above.
GDPR: European Economic Area, United Kingdom & Switzerland
This addendum applies if you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland. Your personal data is protected under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and/or the Swiss Federal Act on Data Protection ("revFADP").
Legal bases for processing: We process your data based on one or more of the legal bases described in Section 5. For analytics cookies and marketing, we rely on your consent. For responding to inquiries, we rely on contractual necessity or pre-contractual steps. For security and fraud prevention, we rely on legitimate interests.
Your additional rights under GDPR:
- Right to lodge a complaint with your local supervisory authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany). A list of EEA data protection authorities is available at edpb.europa.eu.
- Right to object to processing based on legitimate interests, including profiling.
- Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to data portability in a structured, commonly used, machine-readable format.
International transfers: Data transferred from the EEA/UK/Switzerland to the United States is protected under the EU-US Data Privacy Framework and/or Standard Contractual Clauses. You may request a copy of these safeguards from privacy@avatier.com.
Response time: We will respond to data subject requests within 30 days, extendable by up to 60 additional days for complex requests, with notice to you.
LGPD: Brazil
This addendum applies if you are located in Brazil. Your personal data is protected under the Lei Geral de Proteção de Dados ("LGPD"), Law No. 13.709/2018.
Data controller (Controlador): Avatier Corporation, as identified in Section 2.
Legal bases under LGPD: We process your personal data based on one or more of the following LGPD-specific legal bases: your consent (Art. 7, I), performance of a contract or preliminary procedures (Art. 7, V), legitimate interests of the controller (Art. 7, IX), or compliance with a legal or regulatory obligation (Art. 7, II).
Your rights under LGPD (Art. 18):
- Confirmation of the existence of processing.
- Access to your personal data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
- Portability of data to another service provider.
- Deletion of data processed with your consent.
- Information about public and private entities with whom data has been shared.
- Information about the possibility and consequences of not providing consent.
- Revocation of consent.
Supervisory authority: You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
International transfers: Where your data is transferred to the United States, we rely on standard contractual clauses or your explicit consent, in accordance with LGPD Art. 33.
Response time: We will respond to requests within 15 business days.
CCPA + State Laws: United States
This addendum applies if you are a resident of a US state with a comprehensive privacy law. As of 2026, this includes California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Iowa (Iowa CDPA), Delaware (DPDPA), Florida (FDBR), Tennessee (TIPA), Nebraska (NEDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA), Minnesota (MNCDPA), Indiana (ICDPA), Kentucky (KCDPA), and Rhode Island (RI-DTPPA).
Categories of personal information collected (CCPA disclosure):
- Identifiers: name, email address, IP address, company name.
- Internet or electronic network activity: browsing history on the Site, interactions with the calculator and AI assistant, referral data.
- Geolocation data: approximate location derived from IP address.
- Professional information: job title, company (if provided via form).
- Inferences: preferences and interests inferred from usage data.
We do not sell or share your personal information as those terms are defined under the CCPA/CPRA or any other US state privacy law.
Your rights under US state privacy laws:
- Right to know / access the personal information we have collected about you.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information (we do not sell or share, but you may exercise this right as a precaution).
- Right to opt out of targeted advertising.
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
- Right to non-discrimination for exercising your rights.
- Right to data portability (where applicable).
Universal Opt-Out Mechanism (UOOM): We honor Global Privacy Control (GPC) signals. If your browser is configured to send a GPC signal, we will treat it as a valid opt-out request under applicable state laws.
How to exercise your rights: Submit a request to privacy@avatier.com or call (800) 609-8610. We may need to verify your identity before fulfilling your request. We will respond within 45 days (California) or the timeframe required by your state's law.
Authorized agents: California residents may designate an authorized agent to make requests on their behalf. The agent must provide written authorization signed by you, and we may verify your identity directly.
California "Shine the Light" (Civil Code § 1798.83): California residents may request information about personal data disclosed to third parties for direct marketing. As stated, we do not disclose personal data to third parties for their direct marketing purposes.
PIPEDA: Canada
This addendum applies if you are located in Canada. Your personal data is protected under the Personal Information Protection and Electronic Documents Act ("PIPEDA") and, if you are in Québec, the Act respecting the protection of personal information in the private sector (commonly referred to as "Law 25" or "Québec's Privacy Law").
Consent: We obtain your meaningful consent before or at the time of collecting personal information, except where permitted by law. Consent may be express (e.g., form submission, cookie acceptance) or implied (e.g., for low-risk analytics with clear notice). For sensitive information, we obtain express consent.
Your rights under PIPEDA:
- Right to access your personal information and be informed of its use and disclosure.
- Right to challenge the accuracy and completeness of your information and have it corrected.
- Right to withdraw consent (subject to legal or contractual restrictions).
- Right to complain to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
Québec residents (Law 25): You additionally have the right to data portability, the right to de-indexing (removal from search results in certain contexts), and the right to be informed of automated decision-making. The Commission d'accès à l'information du Québec (CAI) is your applicable supervisory authority.
Response time: We will respond to access requests within 30 days.
APAC: Asia-Pacific
This addendum applies if you are located in Australia, New Zealand, Japan, South Korea, India, China, Singapore, Thailand, the Philippines, Indonesia, Vietnam, Taiwan, Hong Kong, or Malaysia.
China (PIPL): If you are in China, processing of your personal information is governed by the Personal Information Protection Law ("PIPL"). We process your data based on your consent or contractual necessity. You have the right to access, correct, delete, and port your data, and to withdraw consent. Cross-border transfers are conducted in compliance with PIPL requirements, including standard contracts filed with the Cyberspace Administration of China where applicable.
India (DPDPA): If you are in India, we process your personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA"). We rely on consent as the default legal basis. You have the right to access, correct, and erase your personal data, and to receive grievance redressal. We are committed to making consent mechanisms available in relevant languages as India's implementation rules are finalized.
Japan (APPI): Under the Act on the Protection of Personal Information, we provide clear notice of use purposes and allow you to opt out of third-party data provision.
South Korea (PIPA): Under the Personal Information Protection Act, we obtain consent prior to collecting and processing your personal information. You have the right to access, correct, and delete your personal information and to suspend its processing. We designate a personal information protection officer as required.
Australia (Privacy Act / APPs) & New Zealand (Privacy Act 2020): We comply with the Australian Privacy Principles and NZ Information Privacy Principles. You may lodge complaints with the OAIC (Australia) or OPC (New Zealand).
Southeast Asia (Singapore PDPA, Thailand PDPA, Philippines DPA, Indonesia PDP Law, Vietnam PDPD, Malaysia PDPA): We comply with applicable local data protection requirements, including obtaining consent where required, providing notice of processing purposes, and honoring data subject access and correction requests.
Response time: We will respond to data subject requests within the timeframe required by applicable local law, generally 30 days.
Additional: Other Regions
Latin America (Argentina, Colombia, Chile, Mexico, Peru, Uruguay, Ecuador, Costa Rica, Panama): We comply with applicable data protection laws in your jurisdiction, including Argentina's PDPA, Colombia's Law 1581, Chile's updated Data Protection Law, Mexico's LFPDPPP, and similar legislation throughout the region. You have the right to access, rectify, cancel, and object to processing of your personal data (known as "ARCO" rights in several jurisdictions). Contact your local data protection authority for complaint procedures.
Africa (South Africa, Nigeria, Kenya, Ghana, Egypt, Morocco, Algeria, and others): If you are in South Africa, your data is protected under the Protection of Personal Information Act ("POPIA"). You have the right to access, correct, and delete your personal data, and to object to processing. You may lodge a complaint with the Information Regulator. For Nigeria, we comply with the Nigeria Data Protection Act 2023 (NDPA). For Kenya, the Data Protection Act 2019 applies. For other African jurisdictions with data protection laws, we honor applicable local requirements.
Middle East (Saudi Arabia, UAE, Bahrain, Qatar, Kuwait, Oman, Israel, Turkey): We comply with applicable data protection legislation in your jurisdiction, including Saudi Arabia's PDPL, the UAE's federal data protection law, Israel's Privacy Protection Law, and Turkey's KVKK. For Israel, we note the country has received a GDPR adequacy decision from the European Commission.
Russia (FZ-152): We comply with Russian Federal Law No. 152-FZ on Personal Data to the extent applicable. Personal data of Russian citizens is processed in accordance with local requirements regarding consent and data localization.
All other jurisdictions: If you are in a country not specifically listed above, we will process your personal data in accordance with the general provisions of this Privacy Policy and any locally applicable data protection requirements. We are committed to transparency and will honor reasonable data subject requests regardless of your location.