Privacy Policy

Effective date: June 3, 2026

Introduction

This Privacy Policy (the “Policy”) describes the type of information that Furl, Inc. (the “Company,” “we” or “us”) gathers from visitors to our website (the “Site”) and our autonomous security remediation service (the “Service”). The Site provides information about the Company’s business activities and means through which interested users may learn more about the Company. The Service is an autonomous remediation platform that identifies, investigates and helps remediate security findings, including vulnerabilities, misconfigurations, hardening gaps and similar exposures, across a user’s endpoints and environment, within the guardrails, confidence thresholds and approval gates that the user configures.

Collection, Use, and Sharing of Personal Information

“Personal Information” means information that can be associated with a particular user. The charts below detail what Personal Information we collect separately with respect to the Site and the Service.

Collection by the Site

  • Information you provide directly
    • How it is collected: You may include information that you select in using the “Contact Us” or similar features of the Site.
    • Why it is collected: We collect information to allow us to respond to inquiries and questions from users, and to keep in touch with them in accordance with their preferences.
  • Collection of information regarding the use of the Site
    • How it is collected: We may use cookies and similar tools (with the agreement of the user through our consent banner), including analytics cookies provided by Google Analytics and HubSpot, in order to record how users interact with the Site.
    • Why it is collected: We collect this information to improve the functionality of the Site.
  • Information related to payment
    • How it is collected: We do not collect this information directly – we utilize a third-party payment processor.
    • Why it is collected: This information is necessary to confirm payments for the Service with the third-party payment processor.

Collection by the Service

  • Information related to sign up, including the user's name, role, the general size of the user's organization, the type of organization, and the organization's name.
    • How we collect the personal information: We ask for this information directly when a user signs up to use the Service.
    • Why we collect the personal information: We require this information in order to deliver the service.
  • Connection information, including user names, passwords, and (where selected by a user) authorized connections from third-party sign-in services.
    • How we collect the personal information: We request this information from authorized users.
    • Why we collect the personal information: We use this information to authenticate authorized users.

We do not share or sell this information, except as explained below under “Third-Party Contractors,” “Business Transitions,” and “Compliance with Law and Prevention of Harm.”

Third-Party Contractors – We may use contractors (“Service Providers”) to perform limited services on our behalf, such as hosting websites and providing email services. Service Providers are required to obtain only the Personal Information they need to deliver the service they were hired to perform, to maintain the confidentiality of Personal Information, and not to use Personal Information for any purpose other than the service they were hired to perform.

Business Transitions – We may share information with businesses that are legally part of the same group as the Company, or that become part of that group. We reserve the right – in the event of a business transition such as a merger – to transfer Personal Information to a new business owner, on the condition that such Personal Information must be treated in accordance with this Policy.

Compliance with Law and Prevention of Harm – We may disclose your Personal Information or any information submitted via the Site or Service if we have a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce any applicable terms of service, including investigations of potential violations thereof; (iii) detect, prevent, or otherwise address fraud or security issues; or (iv) protect against harm to the rights, property or safety of the Company, our users, yourself or the public. We may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Aggregated and De-identified Data – As noted above, this Policy addresses the collection and sharing of Personal Information, that is, information that can reasonably be connected with a particular user. We may occasionally de-identify and/or aggregate Personal Information – to the extent permitted by law – to the point that it can no longer be associated with a particular user. When that occurs, such information is no longer Personal Information.

Use, Sharing, and/or Sale of Non-personal Information – We may aggregate data on user behavior with respect to the Site or the Service, including to deliver or improve the Site or Service. This data does not enable identification of individual users and is not Personal Information as defined by this Policy. As such, our use, sharing, and/or sale of non-personal Information is not restricted by this Policy.

Choices Regarding Your Personal Information

You may request information about our collection, use, and disclosure of their information (a “Request to Know”), including:

  • the categories and specific pieces of Personal Information we have collected about the user;
  • the categories of sources from which we have collected the user’s Personal Information;
  • the business or commercial purpose for collecting or selling the user’s Personal Information;
  • the categories of Personal Information we have sold about the user, if any (we do not sell Personal Information, so this category is none); and
  • the categories of Third Parties with whom we have shared or disclosed for a business purpose the user’s Personal Information (we do not sell, or share for cross-context behavioral advertising, Personal Information, so the categories of Personal Information sold or so shared are none).

Users may also request that we delete their Personal Information (a “Request to Delete”).

Requests to Know

Users may submit a Request to Know by emailing us at info@furl.ai.

Users may submit two types of Requests to Know: (1) A request for the specific pieces of Personal Information that we have collected about you in the past twelve months; or (2) a request for the categories of Personal Information that we have collected about you in the past twelve months, and we have used and disclosed that Personal Information.

When you submit a Request to Know, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If you submit a Request to Know for the specific pieces of information that we have collected about you, we may also require you to submit a signed declaration under the penalty of perjury stating that you are the consumer whose Personal Information is the subject of the Request to Know.

If we are able to verify your identity, we will respond to your Request to Know by: (a) providing the requested information; or (b) explaining why we are not required to provide the requested information. If we are unable to verify your identity, we will respond by explaining why we cannot verify your identity. We will confirm receipt of your Request to Know within 10 days and will respond to your Request to Know within 45 days. If a response requires additional time, we will notify you of the basis for the delay and may extend our response period up to an additional 45 days.

If we provide the information requested, we will provide the information free of charge and in a readily useable portable format. We have no obligation to provide Personal Information to you more than twice in a 12-month period. If a Request to Know or series of Requests to Know are manifestly unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Know, or may refuse to process the Request(s) to Know.

Requests to Delete

Users may submit a Request to Delete by emailing us at info@furl.ai. When you submit a Request to Delete, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If we are able to verify your identity, we will respond to your Request to Delete by (a) deleting your Personal Information and, if applicable, directing any of our Service Providers to delete your Personal Information; or (b) explaining why we are not required to delete your Personal Information. We may choose to delete Personal Information by de-identifying, aggregating, or completely erasing the Personal Information. We will specify the manner in which we delete your Personal Information.

If a Request to Delete or series of Requests to Delete are manifestly unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Delete, or may refuse to process the Request(s) to Delete.

Requests to Correct

California residents also have the right to request that we correct inaccurate Personal Information that we maintain about them (a “Request to Correct”), subject to certain exceptions. You may submit a Request to Correct by emailing us at info@furl.ai. We may ask you to provide information to verify your identity and to identify the information you believe is inaccurate before we process your request.

You have the right to limit our use and disclosure of any sensitive Personal Information we collect to those uses necessary to provide the Service or otherwise permitted by applicable law. We may collect certain information that constitutes sensitive Personal Information, such as account log-in credentials, passwords, API keys, and access credentials. We use this information solely to authenticate authorized users and to provide the Service, and not for purposes that would give rise to a right to limit its use under applicable law.

We will not discriminate against you for exercising any of your privacy rights. We will not deny you the Service, charge you different prices, or provide a different level or quality of the Service because you exercised any of your rights, except as permitted by law.

Protection and Retention of Personal Information

We follow generally accepted industry standards, including the use of appropriate administrative, physical and technical safeguards, to protect Personal Information. The appropriate administrative, physical, and technical safeguards employed by us may vary depending on the nature of Personal Information collected, with more stringent measures applied to information of a sensitive nature.

However, no method of transmission over the Internet or method of electronic storage is entirely secure. Therefore, while we strive to use commercially reasonable means to protect Personal Information, we cannot guarantee its absolute security or confidentiality. Please be aware that certain Personal Information and other information provided by you in connection with your use of the Site may be stored on your device (even if that information is not collected by us). You are solely responsible for maintaining the security of your device from unauthorized access.

Personal Information will be retained for as long as is reasonably necessary to achieve the purposes set forth in this Policy, and to comply with all applicable laws.

Other Provisions

Accessibility and Language - Any person that is unable to access this Policy may request this Policy in an alternative format or language by contacting us at info@furl.ai.

International Users - The Company and its servers are located in the United States and are subject to applicable local, state, and federal laws. Users who choose to access the Site or Service do so on their own initiative and at their own risk, and are responsible for complying with all applicable laws, rules and regulations. Users who choose to access the Site or Service consent to the use and disclosure of information in accordance with this Policy and subject to such laws. We may limit the Site's or Service's availability, in whole or in part, to any person, geographic area or jurisdiction we choose, at any time and in our sole discretion. We do not represent or warrant that the Site or Service or any part thereof is appropriate or available for use in any other jurisdiction.

Children's Privacy - The Site and Service are neither directed to nor structured to attract Users under the age of 16. If you are under the age of 16, you are not permitted to use the Site or Service. The Company does not knowingly collect Personal Information from users under the age of 16. If you are a parent with concerns about children's privacy issues in conjunction with the use of the Site, please contact the Company at info@furl.ai.

Cookies, Analytics, and Do Not Track Signals - The Company is required to disclose how it responds to “Do Not Track Signals” and whether third parties collect personally identifiable information about users when they use online services. We use cookies and similar technologies on the Site, including analytics cookies provided by Google Analytics and HubSpot, to understand how visitors interact with the Site and to improve its functionality. We manage these technologies through a consent banner that allows you to accept or decline non-essential cookies by category. Our consent banner also offers a Marketing category for cookies that may be used for targeted advertising; this category is off unless you opt in, and you may enable or disable it, or withdraw your consent, at any time through the banner. We do not use your information for targeted advertising, and do not authorize the collection of personally identifiable information from our users for third-party advertising, unless you have opted in to the Marketing category. Because there is not yet a uniform industry standard for interpreting “do not track” signals, we respond to Global Privacy Control (GPC) signals and provide the cookie controls described above in lieu of a separate “do not track” response.

Amendments - We may modify or amend this Privacy Policy from time to time. If we make any material changes, as determined by us, to this Privacy Policy, including in the way in which Personal Information is collected, used or transferred, we will notify you by e-mail to the address specified in your profile or by means of a notice on the Site prior to the change becoming effective.

Last Updated: June 3, 2026