Privacy Policy

Last Updated: May, 2026

1. Introduction

Welcome to ThreatModeler Academy ("Academy"). This Privacy Policy is designed to provide transparency about our privacy practices and principles. It details how we, as a Data Controller or Business, collect, use, and protect your personal data when you engage with our online training platform.

This policy is a supplement to the ThreatModeler Global Privacy Policy. The Global Policy provides essential information about our overarching privacy framework, including detailed explanations of your rights, our security measures, international data transfer mechanisms, and the contact information for our Data Protection Officer (DPO). We strongly encourage you to read both documents.

2. Scope and Applicability

This Policy applies to all individuals ("Users," "you") who register for and use the Academy. This includes:

  • Individual Users: Users who register directly for a personal account.
  • Corporate Users: Users granted access through a subscription purchased by their employer ("Corporate Customer").

In the Corporate Users scenario:

  • Your employer provides us with your data (name, email) to create your account.
  • We share reports on your course progress and completion with your employer to allow them to manage their team's training.
  • By registering through an invitation from your employer, you acknowledge and agree to this data sharing.

This Policy does not apply to data processed in other ThreatModeler services, which are covered by our Global Privacy Policy.

3. The Personal Data We Collect

We collect information to provide and improve your learning experience. This data comes from several sources:

A. Data You Provide Directly:

  • Account Information: When you register, you provide your name, email address, and password.
  • Profile Information: You may optionally add further details to your user profile, such as a job title or company name.
  • User-Generated Content: Any comments, forum posts, or content you submit within the Academy's interactive features.
  • Communications: Information you provide when you contact us for support or feedback.

B. Data We Collect Through Your Use of the Academy:

  • Learning & Progress Data: We track your activity, including the courses you enroll in, your progress through lessons, quiz scores, exam results, and certificates earned.
  • Usage and Technical Data: We automatically collect data about your device and interaction with our platform, such as your IP address, browser type, operating system, and usage patterns. For more detail, please see our Cookie Policy.

C. Data We May Receive from Third Parties:

  • Single Sign-On (SSO) Providers: If you choose to register or log in using a third-party service (like Google or LinkedIn), we receive information from that service, such as your name and email address, as permitted by your privacy settings on that platform.
  • Your Employer (for Corporate Users): Your employer may provide us with your name and business email address to create your account.
  • Our Service Providers: We collect data through third-party tools such as Google Analytics (for usage analysis) and HubSpot (for marketing contact management).

4. Our Personal Data Processing Activities

The table below details why and how we process your personal data, our legal justification ("Lawful Basis"), and our data retention periods.

| Processing Activity / Purpose | Categories of Personal Data Processed | Lawful Basis (under GDPR) | Retention Period |
|---|---|---|---|
| Account Registration & Administration: To create, secure, and manage your student account. | Identity & Contact Data: Name, email. Account Data: User ID, password (encrypted). Data from SSO Provider (if used). | Performance of a contract (the Academy's Terms of Service). | For as long as you maintain an active account. After deactivation, data is blocked for 5 years to address potential legal liabilities. |
| Delivery of Educational Content: To provide access to courses, track your learning progress, administer exams, and issue certificates of completion. | Learning & Progress Data. Certification Data: Certificates earned, dates. User-Generated Content (e.g., exercise submissions). | Performance of a contract. This is the core service you have requested. | While your account is active. Certification and key progress records may be retained longer for verification purposes and to address legal claims. |
| Platform Communication: To send essential service-related emails, such as registration confirmations, course updates, and security notices. | Contact Data: Email address. | Performance of a contract and our legitimate interest in maintaining service integrity. | For the duration of your account's active status. |
| Reporting to Corporate Customers: To provide your employer with reports on your training progress and completion status if you are a Corporate User. | Identity Data: Name, email. Learning & Progress Data: Course enrollment, progress, completion status, certifications. | Our legitimate interest in fulfilling our contractual obligations to our Corporate Customer. | As per our contract with the Corporate Customer. |
| Analytics & Platform Improvement: To understand user behavior, troubleshoot technical issues, and improve the quality and effectiveness of our courses and platform. | Usage and Technical Data. Aggregated and anonymized progress data. | Our legitimate interest in optimizing our service. Your Consent for non-essential cookies. | Data is anonymized or aggregated for long-term analysis. Personal data from cookies is retained per our Cookie Policy. |
| Community & Interactive Features: To enable you to participate in forums or comment sections. | Identity Data: Your name/username. User-Generated Content. | Identity Data: Your name/username. User-Generated Content. | Your posts may remain public even after account deactivation but will be disassociated from your profile where possible. |

5. Marketing Communications

We may use your contact information to send you communications about products, services, and events that we believe may be of interest to you. This may include:
  • Information about new courses or certifications available in the Academy.
  • Invitations to webinars or events related to the topics you are studying.
  • Information about ThreatModeler's enterprise products and services that complement your learning journey.

Our marketing activities are always conducted in compliance with applicable laws. We will rely on your Consent where required (e.g., in the EU/UK for non-customers) or on our Legitimate Interest for relevant business-to-business communications, where permitted.

Your Choices: You have full control over these communications. Every marketing email we send includes a clear and easy-to-use "unsubscribe" link. You can manage your marketing preferences at any time.

For a comprehensive overview of our marketing practices, the lawful basis we rely on in different jurisdictions, and your rights, please see Section 4 of our ThreatModeler Global Privacy Policy.

6. How We Share and Disclose Your Data

We only share your data with trusted partners who help us operate the Academy. We do not sell your personal data.

  • Platform Providers (LMS): LearnWorlds, which hosts the Academy on Google Cloud infrastructure (primarily in the EU).
  • Certification Providers: Accredible, to generate and manage your certificates.
  • Analytics and Marketing Platforms: Google Analytics and HubSpot.
  • Your Employer (for Corporate Users): As described in Section 2.

For more information on our data sharing principles, please see Section 5 of our ThreatModeler Global Privacy Policy.

7. Your Privacy Rights and Choices

As a user, you have significant rights over your personal data. This includes the Right to Access, Rectify, Erase, Restrict Processing, Object to Processing, and Data Portability. In California, this includes the Right to Know and Right to Delete.

You can directly view and edit some of your information (like your name and email) in your Academy account profile. To exercise your full rights, or if you have any questions, please follow the detailed instructions in Section 8 of our ThreatModeler Global Privacy Policy.

8. Security and International Transfers

We are committed to protecting your data. We leverage a range of technical and organizational security measures. By using the Academy, your data will be processed primarily in the European Union, where our LMS provider, LearnWorlds, hosts our instance on Google Cloud. However, some of our sub-processors (such as Google, HubSpot, Accredible) may transfer data to the U.S. under the Data Privacy Framework or other legal mechanisms like Standard Contractual Clauses (SCCs).

For complete details, please refer to Sections 6 (International Transfers) and 7 (Security) of our ThreatModeler Global Privacy Policy.

9. Changes to this Policy

We may update this Policy to reflect changes in our practices or the law. Any updates will be posted on this page.

10. Contact Us

  • For specific questions about privacy in ThreatModeler Academy: academy@iriusrisk.com or academy@threatmodeler.com
  • To make a formal data rights request or contact our Data Protection Officer (DPO), please use the channels outlined in the ThreatModeler Global Privacy Policy.