Thrombus

Privacy Policy

Effective date: March 1, 2026

1. Introduction

Extra Security LLC ("Company," "we," "us") operates the Thrombus platform at thrombus.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Service.

We take the privacy and security of your data seriously — security is our business. If you have questions, contact us at privacy@extrasecurity.io.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and optionally your company website. If you authenticate via Google, we receive your name and email from Google.

Engagement Data

When you create a security testing engagement, we collect information about the device under test, including device name, model, manufacturer, FDA classification, intended use, firmware version, communication protocols, and any notes or scheduling preferences you provide.

Documents and Files

You may upload documents related to engagements, including firmware images, technical specifications, prior test reports, and other files. These are stored in Google Cloud Storage with access controls restricted to your organization and our authorized personnel.

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank account details. We retain your billing contact name, billing contact email, and Stripe customer and invoice identifiers for record-keeping.

Usage and Log Data

We collect server logs that include your IP address, request method, URL path, response status, and request duration. These logs are used for security monitoring, debugging, and service improvement.

3. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the Service
  • Process and manage security testing engagements
  • Process payments and send invoices
  • Communicate with you about engagement status, deliverables, and account activity
  • Detect, prevent, and respond to security incidents and fraud
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising. We do not use engagement data or uploaded files to train machine learning models.

4. How We Share Your Information

We share your information only in the following circumstances:

  • Service providers: We use Google Cloud Platform for hosting and storage, Stripe for payment processing, and Firebase for authentication. These providers process your data under contract and are prohibited from using it for their own purposes.
  • Within your organization: Users in the same organization on the Service may see shared engagement data.
  • Legal requirements: We may disclose information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect the safety of any person.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

5. Data Retention

We retain your account information for as long as your account is active. Engagement data and associated documents are retained for a minimum of three (3) years after engagement completion for compliance, audit, and contractual purposes.

You may request deletion of your account by contacting us at privacy@extrasecurity.io. Upon account deletion, we will remove your personal information within 30 days, except where retention is required by law or legitimate business need (e.g., completed engagement records).

6. Data Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest (AES-256 via Google Cloud)
  • Authentication via Firebase Identity Platform with support for multi-factor authentication
  • Role-based access controls separating customer and administrative access
  • Server-side session management with httpOnly, secure cookies
  • Structured logging and monitoring for anomaly detection
  • Signed, time-limited URLs for document uploads and downloads

No system is perfectly secure. If you believe your account or data has been compromised, contact us immediately at security@extrasecurity.io.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of your personal information, subject to legal retention requirements
  • Export your data in a portable format
  • Object to or restrict certain processing of your data

To exercise any of these rights, contact us at privacy@extrasecurity.io. We will respond within 30 days.

8. Cookies

The Service uses a single session cookie ("session") to maintain your authenticated session. This cookie is strictly necessary for the Service to function and cannot be opted out of. We do not use third-party tracking cookies, analytics cookies, or advertising cookies.

9. International Data Transfers

The Service is hosted in the United States on Google Cloud Platform. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

10. Children

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Effective date" at the top of this page indicates when this policy was last revised.

Contact

For privacy-related questions or requests, contact us at privacy@extrasecurity.io.

Extra Security LLC