Privacy Policy — Wirescope

This Privacy Policy describes how Wirescope, Inc. (“Wirescope,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data in connection with our websites, customer portals, application programming interfaces, self-service interfaces, marketing materials, and the network, transit, IP, DDoS-mitigation, and related services we make available (collectively, the “Services”).

This Privacy Policy applies to data we collect from and about (a) visitors to the Wirescope website, (b) prospective customers, (c) account holders, billing contacts, and operational contacts at our customer organizations, (d) individuals who otherwise interact with us (for example, by sending an email, opening a support ticket, attending an event, or applying for a job), and (e) limited categories of metadata generated as part of operating the Services.

This Privacy Policy does not govern data that flows through our network as part of a customer's traffic. For that data, our customers are the controllers of the personal data of their own end users; Wirescope acts as an independent controller for limited operational metadata as described in Section 4 below.

Enterprise customers with a separately-signed Network Services Agreement (an “NSA”) are subject to the data-protection allocation in that NSA (which controls in the event of conflict with this Privacy Policy).

Prior versions of this Privacy Policy are available on request to legal@wirescope.net.

1. Quick summary

In short:

We are not a content-storage service. We operate a network. We do not access the content of your traffic except as required to operate, secure, and protect the network, to respond to abuse, or as required by law.
We process traffic metadata as an independent controller. Headers, NetFlow/sFlow/IPFIX records, BGP state, and similar telemetry are processed for operational, security, billing, and legal-compliance purposes, not on behalf of any customer.
We collect business-contact, billing, and account-management data. Standard B2B information necessary to operate a service business.
We do not sell personal data. We do not sell, rent, or trade personal data, and we have not “sold” or “shared” personal data within the meaning of the California Consumer Privacy Act in the past 12 months.
We retain data only as long as we need it. Different categories of data are retained for different periods, as described in Section 6.
You have rights. Depending on the law that applies to you, you have access, correction, deletion, portability, and other rights as described in Section 9.

2. Personal data we collect

2.1 Information you provide

We collect personal data you submit when you:

register for an account or portal login: name, business email address, business phone number, company name, job title, and (for verification) such other information as identity-verification services like Stripe Identity require;
submit a quote request, order, or contract: billing address, notice address, tax identification documents (W-9 / W-8), bank or payment information, designated operational and abuse contacts;
use the customer portal or Self-Service Interface: submissions you make, configurations, BGP and routing inputs, support tickets;
contact us: name, contact information, content of your communication;
respond to surveys, attend events, or apply for jobs: contact information, professional background, application materials.

2.2 Information collected automatically

We collect, automatically, the following when you interact with the Wirescope website or portal:

device and browser information: IP address, browser type and version, operating system, device identifiers, screen resolution, referring URL, pages viewed, time spent;
cookies and similar technologies: see Section 11 below;
portal activity: login times, actions taken in the portal, error logs.

2.3 Operational metadata of the Services

In operating the Services, we automatically generate and process the following categories of metadata. We process this metadata as an independent controller, for our own operational, security, billing, abuse-handling, and legal-compliance purposes. We are not a processor or sub-processor of this metadata on behalf of any customer (unless a written data-processing addendum says otherwise).

IP-layer and routing data: source and destination IP addresses, port numbers, protocol identifiers, packet counts, byte counts, observed BGP-session state and announced prefixes, route-server outputs;
flow data: NetFlow, sFlow, IPFIX, or equivalent telemetry summarizing traffic flows across our network;
measurement data: interface counters, latency and packet-loss measurements, mitigation-system telemetry;
security and abuse data: observed attack patterns, blocklist matches, abuse-complaint records, takedown notices, law-enforcement requests.

We do not, as part of operating the network, access the content of traffic (the application-layer payloads) except where required for technical operation, mitigation, abuse response, security investigation, legal compliance, or as expressly authorized by a customer in writing.

2.4 Information from third parties

We may receive personal data from:

identity-verification services: Stripe Identity or similar providers we use to verify the identity of customer signatories;
payment processors: confirmation of payment, fraud signals, dispute information;
credit-reporting and KYC services: credit reports, sanctions-screening results;
threat-intelligence providers: observed indicators of compromise, abuse blocklists, attack-attribution data;
upstream providers, peering partners, and law enforcement: abuse complaints, takedown notices, attack data, law-enforcement requests;
publicly available sources: WHOIS, RIR / IRR records, PeeringDB, court records.

2.5 We do not knowingly collect data from children

The Services are not directed to, and we do not knowingly collect personal data from, anyone under the age of 18 (or under the local age of majority, if higher). If we learn we have collected such data, we will delete it.

3. How we use personal data

We use personal data for the purposes described in this Section. We do not use personal data for any other purpose without a lawful basis under applicable law.

Purpose	Examples	Categories used
Provide and operate the Services	Provision your account, route traffic, deliver mitigation, maintain the network, troubleshoot issues, generate invoices	Account, billing, operational metadata
Communicate with you	Respond to inquiries, send notices about your account, send service updates, send required legal notices	Contact, account
Bill and collect	Generate invoices, process payments, collect past-due amounts, document chargebacks	Account, billing, payment
Maintain security	Detect and respond to attacks, investigate abuse, monitor for fraud or misuse, prevent compromise of our network and infrastructure	Operational metadata, security data, account
Comply with law	Respond to subpoenas, warrants, court orders, regulatory inquiries; report illegal content (e.g., CSAM to NCMEC); maintain tax records	All categories as required
Defend our legal interests	Investigate breach of contract, defend or assert claims, exercise rights under the NSA, AUP, or Terms of Service	All categories as relevant
Improve and develop the Services	Analyze aggregate usage, identify performance trends, plan capacity, develop new features	Operational metadata (aggregate and de-identified where practical)
Marketing and outreach	Send marketing emails to prospects and customers (subject to opt-out); host or attend events	Contact, professional
Verify identity	Confirm the identity of customer signatories through Stripe Identity or similar services	Verification
Hire and recruit	Process job applications, conduct interviews	Application
AI / ML training	We do not use your personal data, the content of your traffic, or Customer Content to train, develop, fine-tune, evaluate, or improve any machine-learning, generative-AI, or other AI system, except in aggregate / anonymized form for internal operational purposes (capacity planning, security analytics, fraud prevention, threat-intelligence development). See Section 14.	(none used)

4. Our role: independent controller, not processor

For the personal data described in Section 2 (and in particular the operational metadata in Section 2.3), Wirescope acts as an independent controller for its own purposes. We are not a processor or sub-processor of customer's data within the meaning of Regulation (EU) 2016/679 (the “GDPR”), the California Consumer Privacy Act of 2018 as amended (the “CCPA”), or analogous laws, in respect of:

traffic metadata we generate in operating the network (NetFlow, sFlow, BGP state, IP-layer headers, etc.);
account, billing, contact, and operational data of customer personnel; or
security, abuse, and law-enforcement-related records.

Our customers are the controllers (or, where applicable, processors) of the content of the traffic that flows through the Services. Wirescope does not process that content as a controller, processor, or sub-processor of any customer except as set forth in a separately-executed data-processing addendum or written instruction.

Where applicable law nonetheless characterizes Wirescope as a processor or sub-processor of any personal data, we will negotiate in good faith and execute a separate written data-processing addendum reflecting the parties' respective roles and obligations.

Indirectly-collected operational metadata (GDPR Art. 14(5)(b)). Some of the operational metadata described in Section 2.3 (including IP addresses of end users of our customers' services and other parties communicating with those end users) is not obtained from the data subject. Providing individual Article 14 notice to each such data subject is not feasible: Wirescope has no contact information for those individuals, processes the metadata only at the IP / transport layer, and would have to undertake disproportionate effort (within the meaning of GDPR Article 14(5)(b)) to identify and contact them. In place of individual notice, Wirescope makes this Privacy Policy publicly available and applies the minimization, retention, security, and access-control measures described in Sections 6, 7, and 12.

5. Legal bases for processing (EU/UK)

For individuals in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing personal data are:

Purpose	Lawful basis (GDPR Art. 6)
Performing a contract with you (e.g., providing the Services, billing)	Contract (Art. 6(1)(b))
Operating, securing, and protecting our network	Legitimate interests (Art. 6(1)(f)), our interest in operating a secure, reliable network and protecting our customers and the internet community
Responding to abuse complaints, investigating attacks, attributing malicious activity	Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))
Responding to law-enforcement and regulatory requests	Legal obligation (Art. 6(1)(c))
Marketing to prospects	Legitimate interests (Art. 6(1)(f)), subject to opt-out
Where required, where you have given consent (e.g., certain cookies, certain marketing)	Consent (Art. 6(1)(a))
Identity verification of customer signatories	Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for anti-money-laundering / KYC; legitimate interests (Art. 6(1)(f)) for fraud prevention
Defending or asserting legal claims	Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))

You have the right to object to processing based on legitimate interests; see Section 9.

6. Retention

We retain personal data only as long as needed for the purposes for which it was collected, plus a reasonable additional period for legal, accounting, audit, and dispute-resolution purposes. Typical retention periods:

Category	Typical retention
Account and billing records of active customers	Duration of the customer relationship plus seven (7) years (or longer where required for tax or regulatory purposes)
Account records of inactive prospects	Up to two (2) years from last interaction, then deleted or anonymized
Operational metadata (NetFlow, sFlow, BGP state)	Typically 30 to 180 days for active rolling logs; aggregated / anonymized data may be retained longer for capacity planning and security analysis
Security and abuse records (incident tickets, attack signatures, attribution data)	Up to three (3) years for incident records; indefinitely (in anonymized / aggregated form) for security-research purposes
Identity-verification records (Stripe Identity outputs, KYC results)	Duration of the customer relationship plus the period required by applicable anti-money-laundering and tax-compliance law (typically 5 to 7 years)
Support tickets and correspondence	Three (3) years from closure
Website analytics and cookie data	Per the cookie's stated expiration; aggregate analytics may be retained longer
Marketing-list data	Until the recipient opts out, plus a reasonable suppression-list retention to honor opt-outs
Job-applicant data	Up to two (2) years from application, then deleted unless the applicant joins Wirescope

Where a longer retention is required by applicable law, court order, regulatory directive, or pending litigation hold, we retain the data for the required period.

Notwithstanding the periods above, Wirescope may retain security, abuse, routing, billing, mitigation, law-enforcement, operational, and related metadata for longer periods where Wirescope reasonably determines that retention is necessary or appropriate for one or more of the following purposes: abuse prevention and response; repeat-offender analysis; threat-intelligence development and sharing under Section 7.4; routing-security investigation; fraud prevention; billing verification and dispute resolution; indemnity, cost-recovery, or other contractual claims; litigation hold; law-enforcement cooperation; regulatory compliance; or protection of Wirescope's network, customers, upstream providers, peering partners, vendors, or legal rights. Where Wirescope retains data under this paragraph, Wirescope minimises retention to what is reasonably necessary for the relevant purpose and applies the security measures described in Section 12.

7. Disclosure of personal data

We disclose personal data only as described in this Section. We do not sell, rent, or trade personal data.

7.1 Service providers (processors)

We share personal data with the following named service providers, each of which acts as a processor on Wirescope's behalf (or, where noted, as its own independent controller). We require each provider to maintain confidentiality and to use the data only for the purposes set out below or as required to provide the relevant service. We maintain the data-processing agreements and (where applicable) Standard Contractual Clauses, UK IDTA, or Swiss Addendum addenda required for cross-border transfers under Section 17.

Service provider	Role	Categories of personal data
Stripe, Inc. (United States)	Payment processing, subscription billing, invoicing	Customer name, billing address, tax ID, payment-method last four, transaction amounts and history
Stripe Identity (a service of Stripe, Inc.)	Identity verification of customer signatories; processed by Stripe as an independent controller under its own privacy and biometric-information notices	Government-issued ID document, selfie / facial-similarity comparison, verification outcome
PayPal Holdings, Inc. (United States)	Alternative payment processing	Customer name, email, payment-method information, transaction amounts and history
Google LLC (United States)	Email delivery (transactional and any marketing), calendar, contacts, document and file storage, and productivity infrastructure (Google Workspace)	Business contact data (name, email, phone, company), correspondence and support-ticket contents, documents and files we create in the course of providing the Services
Cloudflare, Inc. (United States)	DNS, content delivery, web hosting, and edge security for our corporate website and customer portal	Website-visitor IP, user-agent, request metadata, abuse-blocklist matches, edge-security telemetry

Minimal supply chain. Wirescope intentionally maintains a narrow processor footprint. We do not currently use a third-party customer-relationship-management (CRM) platform, marketing-automation platform, third-party web-analytics platform, or any other processor not listed above. If we engage a new processor or materially expand an existing processor's role, we will update this Section 7.1 (and, for enterprise customers with a Data Processing Addendum, provide notice in accordance with that addendum) before the new processing begins.

7.2 Affiliates and successors

We share personal data with our affiliates, with any successor entity (in connection with a merger, acquisition, corporate reorganization, financing, or sale of all or substantially all of our assets or the relevant business line), and with prospective acquirers and their professional advisors under appropriate confidentiality protections.

7.3 Law-enforcement, regulatory, and legal requests

We disclose personal data in response to:

valid subpoenas, court orders, and warrants issued by U.S. federal or state courts;
valid requests under the Mutual Legal Assistance Treaty (MLAT) and analogous instruments;
valid requests from regulatory authorities in jurisdictions in which we do business;
emergency-disclosure requests under 18 U.S.C. § 2702(b)(8) or analogous law where we reasonably determine that an emergency involving danger of death or serious physical injury requires immediate disclosure;
statutory reporting obligations, including reports of CSAM to NCMEC under 18 U.S.C. § 2258A; and
in defense of our legal interests, including breach-of-contract, indemnification, and similar claims.

7.4 Abuse, security, and threat-intelligence sharing

We share information about observed attacks, attack signatures, abuse incidents, and attribution data with other network operators, computer-emergency-response teams (CERTs), threat-intelligence sharing communities, and information-sharing and analysis organizations (ISAOs), in each case for the purpose of protecting the internet community against denial-of-service activity and other abuse. We minimize personal data in such sharing where practical.

7.5 With customer consent or at customer direction

We share personal data with third parties at the customer's direction or with the customer's express consent (for example, sharing routing information with a peer at the customer's request).

8. International transfers

Wirescope is based in the United States. Personal data we collect or process may be transferred to, stored in, and processed in the United States and in other countries where we or our service providers operate. The privacy and data-protection laws of those countries may differ from the laws of your country.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been designated as providing an adequate level of protection, we rely on appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission, as supplemented by additional measures where necessary.

To obtain a copy of the safeguards we use for such transfers, please contact privacy@wirescope.net.

9. Your rights

Depending on the law that applies to you, you may have some or all of the following rights with respect to your personal data:

access: request a copy of the personal data we hold about you;
correction (rectification): request that we correct inaccurate or incomplete personal data;
deletion (erasure): request that we delete your personal data, subject to legal-retention requirements and our legitimate interests;
portability: request a copy of certain personal data in a structured, machine-readable format;
restriction: request that we limit certain processing;
objection: object to processing based on legitimate interests or to direct marketing;
withdrawal of consent: where processing is based on consent, withdraw consent at any time (without affecting the lawfulness of prior processing);
opt-out of sale or sharing: under the CCPA, opt out of the “sale” or “sharing” of personal data. We do not sell or share personal data in the past 12 months and do not currently do so.
non-discrimination: under the CCPA, we will not discriminate against you for exercising your privacy rights;
lodge a complaint: file a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact privacy@wirescope.net. We will respond within the timeframes required by applicable law (typically 30 days, extendable in limited circumstances). We may need to verify your identity before processing your request.

You may also designate an authorized agent to make a request on your behalf. We may require written authorization and verification of the agent's identity and authority.

10. California residents, additional disclosures

If you are a California resident, the CCPA gives you the rights described in Section 9. In addition:

Categories of personal information collected, sources, purposes, and recipients: as described in Sections 2, 3, and 7.
Categories of personal information disclosed for a business purpose: identifiers, commercial information, internet/network activity, professional/employment information, and (for individuals applying for jobs) education information, in each case to the service-provider categories listed in Section 7.1 and to the recipients in Sections 7.2 through 7.5.
Sale or sharing of personal information: we do not sell or share personal information as those terms are defined in the CCPA. We do not collect, sell, or share sensitive personal information for purposes that would require disclosure or right of limitation under Cal. Civ. Code § 1798.121.
Right to know, delete, correct, opt out, limit, and non-discrimination: as described in Section 9. To exercise, contact privacy@wirescope.net or use any “Do Not Sell or Share My Personal Information” link we publish on our website.

Sensitive personal information. Wirescope does not collect sensitive personal information (as that term is defined under the CCPA) for the purpose of inferring characteristics about you. Wirescope does not knowingly collect government identifiers (such as Social Security numbers), precise geolocation, racial or ethnic origin, religious beliefs, biometric data (other than biometric information processed by our identity-verification service Stripe Identity for the limited purpose of verifying the identity of customer signatories, which is collected, processed, and stored by Stripe as an independent controller under its own privacy notice and biometric-information notice; Wirescope itself does not collect, store, or process biometric information for any purpose, including under the Illinois Biometric Information Privacy Act (BIPA) or analogous state biometric-privacy laws), the content of any communications, or other sensitive personal information, except where you submit such information to us in the course of opening an account, submitting a payment, or otherwise transacting with us. We do not use any sensitive personal information for purposes that would, under Cal. Civ. Code § 1798.121, require disclosure or give rise to a right of limitation.

10A. Other US state privacy laws

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), New Hampshire (NHDPA), New Jersey (NJDPA), or any other US state with a comprehensive consumer-privacy law, you may have rights similar to those described in Section 9 above, including (depending on the law that applies to you) the right to access, correct, delete, or obtain a portable copy of your personal data; the right to opt out of “sales” or “targeted advertising” (we do not engage in either); and the right to opt out of “profiling” in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling).

To exercise these rights, contact privacy@wirescope.net. We will verify your identity and respond within the timeframes required by the applicable law. If we deny a request, you have the right to appeal that decision; appeals may be sent to the same address with “Privacy Appeal” in the subject line. If your appeal is denied, you may complain to the attorney general of your state.

11. Cookies and similar technologies

The Wirescope website uses cookies and similar technologies for the following purposes:

strictly necessary cookies: required for the website to function (login, security, load-balancing). These cannot be disabled in our systems.
performance / analytics cookies: help us understand how visitors use the website, so we can improve it.
functional cookies: remember preferences (e.g., language).
marketing cookies: may be used to deliver relevant ads or measure campaign effectiveness, subject to consent where required.

You can manage cookies through your browser settings. Blocking all cookies may impair some functionality. Where required by applicable law, we will request your consent before placing non-essential cookies.

12. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include access controls, encryption in transit and (where appropriate) at rest, secure development practices, vendor due-diligence, and incident-response procedures.

No system is perfectly secure. We cannot guarantee that personal data will not be accessed, altered, disclosed, or destroyed by breach of our security safeguards. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at security@wirescope.net.

13. Breach notification

In the event of a personal-data breach, Wirescope will notify the relevant supervisory authority and affected individuals to the extent and within the timeframes required by applicable law. Where the GDPR (or the UK GDPR) applies, Wirescope will notify the competent supervisory authority under Article 33 without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the breach, and will notify affected data subjects under Article 34 without undue delay where the breach is likely to result in a high risk to the rights and freedoms of those data subjects. Wirescope will also comply with the notification timing and content requirements of any applicable U.S. state breach-notification law.

Enterprise customers with an NSA or executed data-processing addendum are subject to the breach-notification provisions of those instruments, which control over this Section.

14. No use of personal data for AI or ML training

Wirescope does not use personal data, Customer Content, or the content of traffic transiting the Services to train, develop, fine-tune, evaluate, or improve any machine-learning model, large-language model, generative-AI system, recommender system, behavioral-profiling system, or other AI system, except (a) where the data subject has expressly consented in writing, or (b) where the data has been aggregated, anonymized, or de-identified such that it cannot reasonably be associated with any individual or customer. We may use aggregate, anonymized, and de-identified data for internal purposes such as capacity planning, security analytics, threat-intelligence development, fraud prevention, and product improvement.

We do not sell, license, share, transfer, or otherwise make available personal data or Customer Content to any third party (including any AI-development company, model-training-data broker, or data marketplace) for the purpose of training, developing, fine-tuning, evaluating, or improving any AI system.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted at wirescope.net/legal/privacy-policy with a revised effective date and, where we have your email address on file and applicable law permits or requires it, by email. Where required by law, we will obtain your consent before applying changes to your previously-collected personal data.

Prior versions of this Privacy Policy are available on request to legal@wirescope.net. The version of this Privacy Policy in effect at the time of the relevant processing governs.

16. Contact

If you have questions about this Privacy Policy, our privacy practices, or to exercise any privacy right described above, please contact:

Wirescope, Inc. · Privacy
16192 Coastal Hwy
Lewes, DE 19958, USA
privacy@wirescope.net

For EU/UK / Swiss data-protection-specific questions, the same address applies; if you reside in the EU/UK/Switzerland and wish to exercise your statutory rights and prefer to contact us by post, please mark your communication “Attn: Data Protection.”

You also have the right to lodge a complaint with the data-protection supervisory authority in your jurisdiction (in the EU) or the California Privacy Protection Agency (in California).

17. EU, UK, and Swiss representatives; international transfer mechanisms

Wirescope is a United States-based service provider. Our website and Services are accessible globally, but Wirescope does not currently market to, target, or systematically monitor individuals or organizations located in the European Economic Area, the United Kingdom, or Switzerland, and accordingly Wirescope has not appointed a representative under Article 27 of the GDPR, Article 27 of the UK GDPR, or the Swiss Federal Act on Data Protection (FADP). If and when Wirescope begins targeting customers in any of those jurisdictions, this Privacy Policy will be updated to identify the appointed representative(s) before the targeted activity commences.

Notwithstanding the foregoing, if you are an EU, UK, or Swiss data subject and you wish to exercise any right described in Section 9, you may contact Wirescope directly at privacy@wirescope.net and Wirescope will respond to your request in accordance with the applicable law, to the extent that law applies to Wirescope's processing of your personal data.

International transfer mechanisms (supplement to Section 8). For transfers from the EEA, Wirescope relies on the European Commission Standard Contractual Clauses (Module 1 controller-to-controller, or Module 2/3 as applicable) supplemented as necessary by the additional measures described in our Data Transfer Impact Assessment. For transfers from the United Kingdom, Wirescope relies on the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs. For transfers from Switzerland, Wirescope relies on the EU SCCs as supplemented by the Swiss Addendum recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Copies of the safeguards Wirescope uses for any such transfer are available on request to privacy@wirescope.net.

Wirescope, Inc.
16192 Coastal Hwy, Lewes, DE 19958, USA
privacy@wirescope.net · security@wirescope.net · legal@wirescope.net