vCSO.ai, Inc. (“Company,” “we,” “us,” or “our”) operates the Theodolite cybersecurity decision-making platform, accessible at app.theodolite.io (the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect information when you use our Service.
By accessing or using Theodolite, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
When you create an account or are invited to the beta program, we collect your name, email address, company name, and job title.
To provide our scanning and assessment services, you may connect cloud provider accounts (AWS, Azure, GCP). When you do, we access infrastructure configuration data, security posture information, and compliance-related metadata necessary to perform our scans. We access only the resources and permissions you explicitly authorize.
Our data discovery features scan your connected storage (S3, Azure Blob, GCS, and local filesystems) to identify sensitive data such as personally identifiable information (PII), protected health information (PHI), financial records, and credentials. We process this data to generate classification results and risk assessments. We do not store the underlying sensitive data itself — only the metadata, classifications, and findings.
When you import vulnerability scan reports (Nessus, OpenVAS) or complete compliance assessments (SOC 2, ISO 27001, NIST CSF), we process and store that data to generate risk quantification outputs, compliance scoring, and recommendations.
We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, browser type, device information, IP address, and referring URLs.
When you provide feedback, submit bug reports, or communicate with us, we collect the content of those communications.

| Purpose | Data Used |
|---|---|
| Provide and operate the Service | Account info, cloud data, scan results, compliance data |
| Generate risk quantification and compliance assessments | Vulnerability data, infrastructure data, assessment responses |
| Identify sensitive data in your environments | Connected storage metadata and classifications |
| Improve and develop the Service | Usage data, feedback, aggregated analytics |
| Communicate with you about the Service | Account info, email address |
| Ensure security and prevent abuse | Usage data, IP addresses, access logs |
| Comply with legal obligations | As required by applicable law |

We process your information based on the following legal grounds:
We do not sell your personal information. We do not share your data with third parties for their marketing purposes. We may share information only in these limited circumstances:
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Policy. Specific retention periods:
You may request deletion of your data at any time by contacting us. We will process deletion requests within 30 days, except where retention is required by law.
We implement reasonable administrative, technical, and physical safeguards to protect your information, including:
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Depending on your jurisdiction, you may have the following rights regarding your personal information:
To exercise any of these rights, contact us at the address below. We will respond within 30 days (or sooner where required by law).
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
To submit a request, contact us at privacy@vcso.ai. We will verify your identity before processing any request. You may designate an authorized agent to make a request on your behalf.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), including the rights listed in “Your Rights” above. Additionally:
For GDPR-related inquiries, contact our Data Protection contact at privacy@vcso.ai.
Theodolite is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States. We implement appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where required.
Theodolite is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us immediately.
The Service may integrate with third-party cloud providers (AWS, Azure, GCP), project management tools (Jira), and other services at your direction. When you connect these services, their respective privacy policies govern their handling of your data. We encourage you to review those policies. We access third-party services only with your explicit authorization and only to the extent necessary to provide our Service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on this page and updating the “Effective” date. For significant changes, we will provide notice through the Service or by email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
If you have questions about this Privacy Policy, want to exercise your rights, or have a privacy concern, contact us:
vCSO.ai, Inc.
Email: privacy@vcso.ai
Website: www.vcso.ai
For GDPR or CCPA-specific requests, please include “Privacy Request” in the subject line and specify the right you wish to exercise.