Privacy Policy

This is the core of what Specter does. During your assessment, we discover vast amounts of publicly available data about you. We access:

• Data broker networks and people search databases
• Public social media profiles and activity archives
• Public records (property ownership, court filings, business registrations)
• Financial filings and SEC documents
• News archives and press mentions
• Historical domain registrations and website information
• Online directories and professional networking sites

Critical distinction: We discover this data because it's publicly accessible. We do not hack, breach, or access private systems. Everything in your Specter Report comes from legally accessible, public sources.

When you access Specter's platform:

• Device information (type, OS, browser)
• IP address and general location
• Session data and authentication logs
• Usage metrics (pages viewed, time on platform)

We maintain records of:

• Encrypted communications with your assigned Handler
• Secure messages and notifications sent through the platform
• Documentation of threat assessments and remediation requests

All communications are encrypted end-to-end. We retain these records to provide continuity of service and document the work we've done on your behalf.

We use aggregated, anonymized threat data to:

• Improve our threat detection algorithms and detection capabilities
• Identify emerging patterns in threats against high-profile individuals
• Strengthen our security and data protection measures
• Test and validate our remediation processes

Your data is anonymized in this process. We never use identifiable information from your assessment for these purposes.

During your threat assessment, we discover potentially hundreds of data points about you across the public internet. This includes:

• Personal information on data broker sites
• Social media activity and archived posts
• Public records and filings
• Historical information about past addresses, employers, relatives
• Login information exposed in previous breaches (if detected)

This data already exists publicly. We don't create it. We find it.

We only retain the data necessary for your protection and service delivery:

• Your Specter Report (your threat assessment document)
• Remediation requests we've submitted on your behalf
• Removal status from data brokers
• Ongoing monitoring alerts (for subscription clients)
• Your Handler communication logs
• Authentication and access logs for security purposes

We do not maintain comprehensive databases of your personal information. We do not keep copies of every piece of data we discover. We keep what's needed to protect you and serve your account.

All communication between your device and Specter's platform uses TLS 1.3 encryption. Your data is encrypted before it leaves your device and decrypted only on our secure servers.

All stored data is encrypted using AES-256 encryption. This includes your Specter Report, communication logs, and stored threat assessments. Encryption keys are managed separately from stored data.

All communications with your assigned Handler occur through end-to-end encrypted channels. Your Handler cannot access your data without proper authentication. All Handler sessions are logged and audited.

Your Report is delivered via secure, encrypted channel only. You receive a unique link that expires after a defined period. Downloads are logged for security purposes.

We employ zero-knowledge architecture for certain data types, meaning Specter staff cannot access encrypted data even in an emergency. This applies to your most sensitive threat assessments and Handler communications.

Specter undergoes regular third-party security audits and penetration testing. We maintain SOC 2 Type II compliance and follow NIST cybersecurity guidelines. Security assessments are conducted at least annually.

While you're an active Specter client, we retain your data for the duration of your engagement. This includes your threat assessment, Reports, communication logs, and remediation history.

Your initial Report and any updated assessments are retained for 90 days after delivery. After 90 days, the Report is automatically deleted unless you request extended retention. You can request your Report be retained for longer at any time, and we will accommodate this request.

For active subscription clients with ongoing monitoring, we retain relevant threat intelligence and monitoring logs for the duration of your subscription plus 30 days after cancellation.

When your engagement with Specter ends, we permanently destroy all your personal data within 30 days of account termination. This includes:

• Your assessment data and Reports
• Communication logs with your Handler
• Technical data and session information
• Remediation history and removal status

Backups are overwritten and log data is purged. We retain no copies of your data after the 30-day window expires.

At any point, you can request that all your data be permanently destroyed. We will comply with this request within 24 hours. Contact your Handler or privacy@specter.security.

You can request a complete copy of all data we've collected and stored about you. We'll provide this in a structured, portable format within 10 business days.

You can request deletion of any or all of your data at any time. We will delete your information within 30 days. Once deleted, this data cannot be recovered.

If any information in your assessment is inaccurate, you can request correction. We will review and update your data accordingly.

Subscription clients can disable ongoing threat monitoring while maintaining access to their previous Reports. Contact your Handler to modify your subscription settings.

You can export your Specter Report and all associated data in standard formats (PDF, JSON, CSV) at any time through your client portal.

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). You can request disclosure of what personal information we've collected, the categories of sources, and our business purposes. You can opt-out of any "sale" of personal information (which we don't do).

If you're in the EU or UK, GDPR applies. You have rights to access, rectification, erasure, restriction of processing, data portability, and the right to object. We process your data based on your explicit consent. You can withdraw consent at any time.

We access licensed people search and data broker databases. These are legal, regulated services that aggregate publicly available information. We use these to identify exposed personal data and initiate removal requests on your behalf.

We access publicly available government records including property ownership, court filings, business registrations, and UCC filings. These are legally accessible public information.

We monitor publicly available social media profiles and archived web content. This includes indexed pages, historical snapshots, and public posts.

For executives and founders, we review SEC filings, stock holdings, insider trading disclosures, and other regulatory filings that are publicly available.

When we discover your data on broker networks, we submit removal requests on your behalf using legitimate opt-out mechanisms. We follow up on these requests and document removal status. You can track removal progress through your client portal.

All communications between you and your Handler are treated as confidential and privileged. These communications are encrypted end-to-end and protected from unauthorized access.

All Handlers undergo:

• Comprehensive background checks (criminal, financial, employment history)
• Security clearance verification (if applicable)
• Annual training on data protection and client confidentiality
• Regular audits and compliance reviews

Handlers can only access the client data necessary to serve your account. Access is logged and monitored. Handlers cannot download, export, or share client data outside of their work serving your account.

If a Handler leaves Specter, all access to client data is immediately revoked. Your data is transferred to your new assigned Handler under the same confidentiality standards.

We may discover publicly exposed information about your minor children during your threat assessment, including information on people search sites, social media, or public records.

Any data we collect or discover about minors is handled with additional encryption, restricted access, and shorter retention periods. Only your assigned Handler can access this data.

We prioritize removal of minor children's data from data broker networks. When we discover a child's information exposed, we immediately initiate removal requests and advocate for expedited processing.

We do not directly collect information from minors. Specter's platform is not designed for use by anyone under 18. If a minor gains access to their parent's account, no additional data about the minor is collected.

Any material changes will be communicated to you via encrypted channel through your client portal. For active subscription clients, we'll also email notification to your registered contact.

If a material change affects how we collect, use, or protect your data, we will notify you at least 30 days before the change takes effect. You will have the opportunity to review and provide feedback.

For material changes to data practices, we may require your re-authorization to continue service. This ensures you remain in control of how your data is handled.

Non-material clarifications or administrative updates to this policy may be made without advance notice. The effective date at the top of this page will reflect any changes.

Your assigned Handler is your primary contact. They can answer any privacy questions, process data requests, or discuss concerns about how your data is handled.

For formal privacy requests (data access, deletion, CCPA/GDPR requests):

privacy@specter.security

We respond to all privacy inquiries within 10 business days. For urgent matters, contact your Handler directly.