Last Updated: November 7, 2023
RADAR, LLC, dba RadarFirst (“RadarFirst”), is a leading provider of data privacy incident response management software. Our software is used by our business customers to support a consistent and efficient approach to assessing risk and managing incidents. This Privacy Notice is provided to help you understand what information we collect, how we use it, secure it, and share it, and the choices available to you in accessing, updating, and correcting your personal information. This information is shared with you not only because we understand privacy is important to you, but because it is important to us and is the foundation of our business.
This Privacy Notice applies to: (i) RadarFirst websites, including www.radarfirst.com and other subdomains that form our corporate web presence (collectively, “Website”); (ii) RadarFirst software that collects and processes information of our customers who purchase a subscription to our software-as-a-service platform (app.radarfirst.com) (“Product”), and (iii) any RadarFirst internal business systems used to maintain personal information. Collectively, we refer to our Website, Product, and internal business systems as “Services”.
RadarFirst is committed to complying with laws to which it is subject, including applicable privacy laws. As part of our compliance efforts, we evaluated the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA”) and determined that RadarFirst is not currently subject to CCPA. However, we recognize that many of our customers are subject to CCPA and, as a result, we are committed to supporting our customers’ obligations under CCPA. Further, our Website and Product are not intended for individuals under age 13 and we do not knowingly collect personal information from individuals under age 13. If you are under 13, please do not provide any information on this Website. If we learn that we collected or received personal information from an individual under age 13, without verification of parental consent, we will delete that information.
Information We Collect
RadarFirst collects information as part of its business operations, to provide the Services, to respond to requests, provide customer support, to fulfill our legal and contractual obligations, and to improve our Product. The personal information we collect is never sold and is shared only as described in this Privacy Notice. You provide some of this information directly, such as when you contact customer support, or register for a RadarFirst event or publication. We also collect information automatically through your interaction with the Product and our Website, for example, where we use embedded product technologies and cookies. We also obtain data from third party sources, as more fully described in this Privacy Notice.
Business Information: When you visit our Website, contact us to receive information about RadarFirst, or participate in events we sponsor, we collect certain information about you, which may include: first name; last name; job title; business email address; phone number; IP address; and company information. All personal information collected through the Website (“Website Visitor Information”) is secured and access to that personal information is limited to individuals within our business that need access to this information to perform their job. No personal information is shared with third parties other than those service providers that we engage to (i) provide services supporting the operation and administration of our Website; (ii) provide content to you from RadarFirst or from our third-party providers; and (iii) supplement and update business contact details for our sales prospects and customers in order to ensure the contact information we have is accurate and up-to-date. We may use surveys to solicit feedback or in connection with events that request personal information. In addition to your contact information, these surveys may request demographic information or information about your personal interests.
Licensed User Information: We collect personal information from you when you create or update your profile as a licensed user of the Product (“Licensed User”) or to respond to customer service requests. Registration information includes first name; last name; job title; business email address; IP address; company information; and authentication information including username and password (when not using a single-sign-on (SSO) service). All personal information collected from Licensed Users is secured and access is limited to those individuals with a business need. No personal information of Licensed Users is shared with third parties other than those select service providers that RadarFirst has engaged as described in this Notice, typically to ensure contact details are up-to-date, for customer support and to monitor the performance of our Product.
We utilize application analytics tools to improve user interactions and monitor the performance of our Product. The information collected from these application analytics tools may include frequency and nature of a Licensed User’s use of the Product and information necessary to troubleshoot any issues reported.
Customer Information: Other than authentication information for Licensed Users, the Product does not require personal information to provide risk assessments. However, our customers may enter personal information into their Product account for record-keeping or other purposes such as documenting specific details related to an incident risk assessment. All information entered into the Product by our customers (including any personal information) is “Customer Information”. We process and store Customer Information on behalf of our customers as a data processor and service provider. Our customers, as the controllers of Customer Information, determine the purpose and any required legal basis for processing this data. Any Customer Information disclosed will be for the purposes set forth in this Privacy Notice (see Why and With Whom We Share Your Information) or as expressly set forth in the agreement with our customer.
Webinar Registration Information: We partner with select third parties to deliver webinars and other similar events. When you register to attend one of these events, we may receive your information from these third-party partners or, with your permission, share your information with these third-party partners.
Information We Obtain from Other Sources: We may receive information about you from other third-party sources. We may buy or lease contact, marketing, and demographic data from third parties, including certain profile information from marketing and sales intelligence tools, social networking platforms, and services you use to interact with the Website or Product. We may also use data enrichment services to ensure business contact details and information about our customers and business prospects is accurate and kept up to date. This information may be combined with information that we collect directly from you.
We may also collect information about you from other third party or public sources, such as social networks, when you use “Share This” via Facebook, Twitter, or other social media “like” buttons, or plug-ins on our Website. While we do not provide your personal information to third-party advertising partners, they may combine this information with personal information that they collect directly from you or receive from other sources.
Information We Automatically Collect: When you visit our Website or use our Product, some information is automatically collected and stored in log files. This information may include: IP address; access times; browser type and language; and referral website. As is common with most websites, we also collect information about your usage and activity on our Website, including pages visited and resources accessed. We may aggregate this information to better understand our users, analyze trends, and improve our Website and/or Product.
Sensitive Information: As noted above, personal information is not required to conduct incident risk assessments and is only required to authenticate Licensed Users to permit access to the particular customer’s Product account. In no event is personal information that may be sensitive in nature, such as financial information, medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of an individual (“Sensitive Information”) required nor should it be submitted in the Product. In limited circumstances we may, however, receive Sensitive Information, such as where you register for an event and your registration includes Sensitive Information, such as dietary or accessibility needs. We consider your submission of that information as your consent for us to process that information for the limited purpose of meeting your needs. We will never use Sensitive Information for any other purpose without your opt-in consent.
Information you Post on the Forum or Blog
Our Product offers Licensed Users the opportunity to join a Product feedback forum (“Forum”), hosted by a third-party provider, to allow you to make feature requests. Access to the Forum is only allowed for Licensed Users who have authenticated their identity within the Product. If you elect to post information by using the Forum, any information you provide may be read, collected, and used by others with equal access. Please do not share information that you do not want others to view or access in the Forum. To request removal of your personal information from the Forum, contact us at [email protected].
Cookies and Similar Tracking Technologies
We utilize cookies, and other information that your browser transmits, to better understand our Website audience. Such information includes aspects of your browser’s technical capabilities, information about your device, and your geographic location. Cookies may store information that identifies your browsing device with enough specificity to be able to deliver relevant content.
Do Not Track Requests
Some browsers offer a “Do Not Track” setting. Generally, when a Website visitor turns on the “Do Not Track” setting, their browser sends a message to websites requesting that the website visitor is not tracked. Our Website currently does not respond to “Do Not Track” settings.
How We Use Information
RadarFirst does not sell your personal information and we limit the use of your personal information to the purposes set forth in this Privacy Notice and our agreements with our customers.
We may use your information to:
- operate and improve our Website and Product;
- respond to your feedback, comments, and questions and provide customer support;
- contact you to request feedback about your experience with our Product or learn about your demographics, preferences, and interests;
- provide and deliver the Product;
- send you information related to the Product and services that you use, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
- communicate with you about upcoming events and webinars and other news about products and services offered by RadarFirst and our selected partners;
- collect anonymized and aggregated personal information for business purposes; this may include market analysis, traffic flow analysis and reporting, and to deliver relevant content;
- customize or personalize your online experience (e.g. to pre-populate forms and display relevant content);
- customize or personalize communications to bring you relevant information about products and services that may interest you; and
- protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
- to meet national security or law enforcement requirements, when required to the extent necessary to meet a legal obligation to which RadarFirst is subject.
Your Choices and Rights
We understand you want to protect and control your personal information. We are also committed to complying with the laws applicable to our business and to ensuring we honor rights granted to individuals required by those laws. While RadarFirst is not currently subject to the CCPA, as a service provider, we are committed to supporting our customers’ obligations under the CCPA. In addition, as noted below, we support the rights of individuals located in the European Economic Area, Switzerland and the United Kingdom. This section details how you may review, update, or delete certain personal information and any additional rights required by applicable law.
Opting out of Promotional Emails. You may opt-out of receiving marketing or promotional emails from RadarFirst by (1) clicking the “Manage Subscriptions” link in those emails or (2) emailing [email protected]. Please keep in mind that you still may receive transactional and service related e-mails from us (such as e-mails related to your subscription, your account, password reset requests, reminder e-mails you have requested, Product notices and other similar communications essential to your use of the Platform) that may be necessary for us to make the Platform available to you or respond to your inquiries.
You may submit a request for us to delete your personal information from any of our systems. However, we may retain your personal information where allowed by law, including where deletion would: (i) prevent us from exercising our rights; or (ii) prevent us from performing our obligations under the law or any agreement with our customers. If we refuse your request, we will provide prompt written notice of the reason why, within the timeframe required by law.
Viewing or Updating Your Information
Updates and Access: To request corrections or updates to your contact information, please login to the Product and utilize the tools available for managing your personal information. Alternatively, you may submit a customer service request for assistance by emailing [email protected] with “Update My Account” in the subject line,
Please note that RadarFirst customers can update, add, or delete Licensed User and Customer Information directly by logging into their Product account. However, collection, use, and processing of some personal information within the Product is necessary to ensure the security of the information and to authenticate access.
There may be limits to what information can be deleted or amended, such as information associated with security logs.
Deactivating your account: Licensed Users must submit a request to the relevant business customer to request deactivation of an account. RadarFirst will deactivate an account upon request from our customer.
Event Attendees or Website Visitors
To request corrections, updates or deletion of your personal information, please email [email protected] with “Update My Account Information” in the subject line.
Depending on where you reside (e.g., if you reside in the European Economic Area, Switzerland, the United Kingdom, or Canada), in addition to any of the general rights granted to you under this Privacy Notice, you may have the following data protection rights associated with the personal information that we process:
- You may request access, correction, deletion, or updates to your personal information by emailing [email protected];
- You may object to our processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information by contacting us by email at [email protected];
- You may opt-out of our marketing communications at any time by clicking the “unsubscribe” or “opt-out” link in the marketing emails you receive from us. If you wish to opt-out of other forms of marketing, such as postal marketing or telemarketing, please email [email protected];
- If we collect and process your personal information with your consent, you can withdraw your consent at any time. However, please note that withdrawing your consent will not affect the lawfulness of any processing that we conducted prior to your withdrawal, nor will it affect the processing of your personal information where we have relied upon an alternate legal basis for the processing of your information; and
- You have the right to submit a complaint to your local data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA may be found here. Contact details for data protection authorities in the UK may be found here. Contact details for data protection authorities in Switzerland may be found here . Contact details for data protection authorities in Canada may be found here.
We will respond to all data protection rights requests that we receive in accordance with applicable data protection laws.
For Licensed Users and Visitors from the European Economic Area, Switzerland, the United Kingdom, and Canada
Rights of Licensed Users and Visitors from the European Economic Area, Switzerland, the United Kingdom, and Canada
Residents of the European Union as well as Norway, Iceland, and Liechtenstein (collectively, “EEA“), Switzerland, the United Kingdom (“UK”), and Canada have certain legal rights associated with their personal data (“Personal Data”) beyond the generally applicable rights set forth elsewhere in this Privacy Notice. If you are a data subject from any of these locations, this section provides you with additional information associated with those rights.
International Transfers and Our Legal Basis for Processing
RadarFirst is headquartered in the United States and Personal Data will be transferred to, processed, and maintained on computer systems located in the United States.
The United States currently is not a country the European Union has deemed “adequate” under applicable data protection laws. RadarFirst collects, transfers, and processes personal data as required by applicable law, including: when you provide your consent (where required by law), to deliver requested goods or services to you or our customers, or to fulfill a legitimate interest of RadarFirst in a manner that does not outweigh your rights and freedoms. We may enter into data protection agreements or other legally approved mechanisms with our vendors to support compliance with applicable law.
We have taken appropriate safeguards to require that Personal Data we process will remain protected in accordance with this Privacy Notice when transferred internationally, including when processed by third-party service providers and partners. The safeguards we have taken include implementing the European Commission’s Standard Contractual Clauses, relying on a third-party service provider’s lawfully approved certification, or Binding Corporate Rules. We also comply with certain data-privacy frameworks discussed in more detail below.
In addition to the foregoing safeguards, RadarFirst complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the United States Department of Commerce. RadarFirst has certified to the United States Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK (and Gibraltar) in reliance on the UK Extension. RadarFirst has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, UK Extension, and/or the Swiss-U.S. DPF Principles, the Principles or UK Extension (as applicable) shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
For all Personal Data we collect from our Website, RadarFirst is the data controller and we collect and use this information based on our delivery of requested goods or services, legitimate business interest, or consent.
For all Personal Data we collect in our Product, RadarFirst is the data processor, our customers are data controllers, and as data controllers, our customers determine the purpose and legal basis for the data processing activities we perform for them.
Our Legal Basis for Processing Personal Data
If you are a resident of Canada or the EEA, RadarFirst’s legal basis for collecting and using your Personal Data will depend on the Personal Data concerned and the specific context in which it is collected.
Generally, we will collect Personal Data from you: (1) where we have your consent, (2) where we need your Personal Data to perform a contract with you, (3) where we have a legal obligation to do so, such as the performance of a contract with our business customer, or (4) where the processing is in our legitimate interests and not overridden by your data protection interests of fundamental rights and freedoms (such as processing for administrative purposes, product development or improvement, preventing fraud or criminal acts, or securing information that we collect).
If you have questions about, or need further information concerning, the legal basis on which we collect and use your Personal Data, please send an email to RadarFirst’s Chief Privacy Officer at [email protected].
Accountability for Onward Transfers
RadarFirst engages trusted third-party providers to provide system infrastructure, email, and tools that are necessary for the orderly and efficient function of our business. Such third parties act in accordance with the terms of our agreements, which include data protection provisions and business associate agreements, as appropriate. These agreements require that these third parties use your personal information only in a manner consistent with our instructions and in accordance with the DPT Principles for transfers. We further require that any such third parties notify us in the event of any use (intentional or unintentional) that is inconsistent with the DPF Principles or where the third-party provider determines that it is no longer able to meet such obligations. RadarFirst remains liable under the DPF Principles if its agent processes personal information in a manner inconsistent with the DPF Principles, unless RadarFirst proves that it is not responsible for the event giving rise to the damage.
When We Share Your Information
Once your personal information is collected by RadarFirst, as detailed above, we may share it with third parties for various reasons including to effectively operate our business and deliver the Services to you. These third parties support RadarFirst in delivery of the Services in the areas of marketing, finance, business administration, and computer hosting infrastructure and support, as well as those providers used by us to support our compliance with legal or regulatory requirements, such as legal and tax advisors. When we share your personal information with a third party provider, we require that third party to protect that information consistent with this Privacy Notice and limit use of that information to performing the services they provide to us.
In addition, we may share your personal information with third parties, such as webinar or other event co-sponsors, for the limited purpose of your participation in a webinar or other event. Where law requires, we will ensure we have your consent to share that information.
Eventual successors may access information
In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or a portion of our assets, any user information owned or controlled by us may be among the assets transferred to third parties as successors in interest. As part of this type of transaction, we reserve the right to transfer or assign your personal information to third parties. Other than to the extent ordered by a bankruptcy or other court, or as otherwise agreed to by you, the use and disclosure of all transferred user information will be subject to this Privacy Notice.
We need to comply with legal requirements
We may disclose your information to government authorities or other third parties if any lawful circumstances arise, including when:
- You have given us permission to share your information,
- We are required to do so by law, or in response to a subpoena or court order,
- We believe in our sole discretion that disclosure is reasonably necessary to protect against fraud, or to protect our property or other rights or those of other users of the Website, Product, third parties, or the public at large; or
Information Security; Integrity; Retention
RadarFirst employs robust administrative, physical and technology-based security measures to protect your personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction reflective of the type of personal information and the risks associated with our processing of the information. For example, RadarFirst conducts annual third-party audits and penetration testing. We use encryption, passwords, security questions, multi-factor authentication, and other appropriate security measures to prevent unauthorized access to your personal information.
RadarFirst uses appropriate measures to ensure that your personal information is accurate and remains separate from another individual, customer, or Licensed User. These measures include: (i) updating records upon request; (ii) applying quality control procedures to software development; (iii) limiting employee access to personal information on the basis of need in order to perform job function; (iv) prohibiting sharing of user accounts; and (v) other appropriate administrative, quality assurance, and technical safeguards.
We will retain your personal information where we have an ongoing legitimate business need to do so, such as to provide our Product or to comply with applicable legal, tax, or accounting requirements. When we no longer have an ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, where your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until it is deleted. In addition, we will retain your personal information for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Recourse, Enforcement, and Liability
RadarFirst takes your privacy rights seriously. We provide mechanisms to resolve your concerns and any disputes that may arise under this Privacy Notice. If you have any questions or concerns regarding this Privacy Notice or how we use your personal information, please contact us via email at [email protected] or send a letter to:
520 SW 6th Avenue
Portland, OR 97204
RadarFirst will respond to your message within the time period required under applicable law.
In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, RadarFirst commits to resolve Data Privacy Framework Principles-related complaints about our processing of Personal Data. EEA, UK, and Swiss individuals with inquiries or complaints regarding our processing of Personal Data in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF should first contact RadarFirst at: [email protected].
RadarFirst commits to refer unresolved complaints concerning our processing of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF to JAMS, an independent alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your Data Privacy Framework Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions (more fully described on the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
The Federal Trade Commission has jurisdiction over RadarFirst’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
Third Party Sites & Services
Changes To This Policy
We reserve the right to modify this Privacy Notice at any time, so please review it frequently. When we make material changes to this Privacy Notice, we will notify you prior to the changes becoming effective.
How to Contact Us
If you have any questions about this Privacy Notice or RadarFirst’s commitment to your privacy, RadarFirst can be contacted via email at [email protected] or you may send a letter to:
520 SW 6th Ave
Portland, OR 97204