Scope and who we are
This Privacy Policy describes how Unlisted Security ("Unlisted Security," "we," "us," or "our") collects, uses, and protects personal information in connection with our website at unlisted.llc and the security review services we provide.
We are a small, technical security firm. Privacy and confidentiality are not afterthoughts for us — they are part of the work we do for our clients, and we hold ourselves to the same standard internally. This document is written to be clear and honest about what that means in practice.
Information we collect
We collect different categories of information depending on how you interact with us.
From website visitors
- Server logs. Standard request metadata such as IP address, user agent, referrer, and request timestamp, retained briefly for operational and security purposes (e.g. abuse mitigation).
- No analytics or tracking pixels by default. We do not embed third-party analytics, advertising, or fingerprinting scripts. If this changes, we will say so here and obtain consent where required.
From prospects who contact us
- Contact details you provide: name, email address, company name, project URLs, and the description of the system or engagement you're inquiring about.
- Communications we exchange with you over email or any other channel you choose.
From engagement clients
- Engagement materials: source code, documentation, architecture diagrams, test environments, credentials, and any other information you share with us so that we can perform the review.
- Personnel contact information for individuals at the client who participate in the engagement.
- Engagement records: notes, draft and final reports, proofs of concept, and similar working artifacts created during the review.
How we use information
We use the information described above only for the following purposes:
- To respond to inquiries and discuss potential engagements.
- To negotiate, scope, and execute engagement contracts.
- To perform the security reviews and deliver the agreed reports and artifacts.
- To re-review fixes and follow up on remediation, where included in the engagement.
- To operate, secure, and improve the website and our internal systems (e.g. abuse mitigation, error monitoring).
- To meet legal, tax, and regulatory obligations that apply to us as a business.
We do not use information collected from prospects or clients for advertising, profiling, or any purpose unrelated to the engagement. We do not sell or rent personal information to anyone, ever.
Engagement data — our elevated standard
Information shared with us during a security engagement is, by its nature, sensitive. We treat it accordingly:
- Mutual NDA. A mutual NDA is signed before any code, credentials, or material engagement detail is shared.
- Need-to-know access. Only reviewers actively assigned to the engagement may access engagement materials.
- Encrypted at rest and in transit. Engagement data is stored in encrypted, access-controlled systems and transmitted over encrypted channels.
- Isolated environments. Where a client provides credentials or test environments, we use them strictly for the agreed engagement scope.
- Defined retention. Engagement materials are deleted on the schedule described in the engagement contract — typically within 90 days of engagement completion, except where you ask us to retain copies for follow-up reviews or where we are required to retain them by law.
- No public disclosure. We do not publish findings, name clients, or reference engagements publicly without explicit written consent.
The specific terms of how we handle a given client's engagement data are governed by the engagement contract and the NDA, both of which take precedence over this Privacy Policy in case of conflict.
How we secure information
We apply the same kinds of controls to our own systems that we recommend to our clients:
- Encryption in transit (TLS) and at rest for engagement materials.
- Hardware-backed multi-factor authentication for all internal accounts.
- Principle of least privilege and access reviews for sensitive systems.
- Audit logging and tamper-evident retention of access records.
- Regular review of our own infrastructure, vendors, and access — by ourselves and, where appropriate, by independent reviewers.
No system is invulnerable, and we do not promise otherwise. If a security incident materially affects information you have shared with us, we will notify you promptly and in accordance with applicable law and any engagement contract.
How long we keep information
- Inquiry emails from prospects who do not become clients are retained for up to 24 months and then deleted, unless we're asked to delete them sooner.
- Engagement materials are retained per the engagement contract, typically deleted within 90 days of engagement completion.
- Final reports may be retained beyond the engagement at the client's direction (for example, to support a remediation review).
- Business records (contracts, invoices) are retained for the periods required by tax and corporate law.
- Server logs are typically retained for up to 30 days unless required for security investigations.
Your rights
Depending on where you live, you may have rights under data protection laws including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar regimes. These can include:
- The right to access the personal information we hold about you.
- The right to request correction of inaccurate information.
- The right to request deletion, subject to legal and contractual exceptions.
- The right to object to or restrict certain processing.
- The right to data portability where applicable.
- The right to withdraw consent where processing is based on consent (without affecting earlier processing).
- The right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email us at contact@unlisted.llc. We will respond within the timeframes required by applicable law (and usually much sooner). For client engagement data, we may need to coordinate with the contracting client where they are the controller of the data in question.
International data transfers
Unlisted Security operates from its registered jurisdiction and uses vendors that may process information in other countries. Where we transfer personal information across borders, we rely on appropriate safeguards — for example, standard contractual clauses or equivalent mechanisms — to ensure your information continues to receive an appropriate level of protection.
Children
Our website and services are intended for businesses and the adults who run them. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided information to us, please contact us so we can remove it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we do, we'll update the "Effective" date at the top of the page. For material changes, we'll take reasonable steps to notify affected clients directly.
How to contact us
For privacy questions or to exercise any of the rights described above, contact us at contact@unlisted.llc.
We're happy to clarify anything in this document. Email contact@unlisted.llc and a real person will respond.