Privacy Policy

Hijack ("we," "us," or "our") provides an intelligence and investigation platform ("Services"). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website and Services. It should be read together with our Terms of Service.

This policy is for informational purposes and does not constitute legal advice. If you need wording for a specific jurisdiction or regulated industry, consult qualified counsel.

Who This Applies To

This policy applies to visitors, registered users, and organizations that use the Services. If you use the Services on behalf of a company, you represent that you are authorized to bind that organization to this policy where applicable.

Information We Collect

How We Use Information

We use information to:

• Provide, operate, and improve the Services
• Authenticate users, enforce session and access rules, and prevent fraud and abuse
• Apply technical limits (such as per-account usage caps on certain integrations) and protect the integrity of the Services
• Communicate about the Services, security notices, and policy updates
• Comply with law, respond to lawful requests, and enforce our Terms

Third-Party Services and Onward Transfers

To deliver enrichments and integrations, we may transmit the information required for each request to third-party data or infrastructure providers when you use those parts of the product. Those providers process data under their own terms and privacy notices. We do not control their practices; we select providers to deliver functionality you request.

We also use subprocessors for hosting, analytics, security, payments (including providers such as Qyzar), email, and captcha or bot-detection services where enabled.

Legal Bases (EEA / UK users)

Where we act as a controller under the GDPR or UK GDPR, we may rely on: (1) performance of a contract with you, (2) legitimate interests (such as securing the Services and understanding aggregate usage), provided those interests are not overridden by your rights, (3) consent where required, and (4) legal obligation.

Retention

We retain information for as long as your account is active, as needed to provide the Services, and as required for security, dispute resolution, and legal compliance. Retention periods vary by data category; some operational or technical records may be kept in aggregated or minimized form where appropriate.

Security

We use appropriate technical and organizational measures designed to protect information against unauthorized access, loss, or misuse. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Sharing

We do not sell your personal information. We may share information: with service providers bound by confidentiality; to comply with law or protect rights; in connection with a merger or asset sale (with notice where required); or with your direction or consent.

Law Enforcement and Legal Requests

We may disclose information if we believe in good faith that disclosure is necessary to comply with applicable law, regulation, legal process, or governmental request; to enforce our policies or contracts; to detect or prevent fraud, security, or technical issues; or to protect the rights, property, or safety of Hijack, our users, or others. Unless prohibited by law, we may attempt to notify you of such requests where feasible.

Government and law-enforcement partners: see our Law Enforcement & Government page for high-level process and contact information.

Controller, Processor, and Organization Accounts

For personal information tied to your individual account, Hijack typically acts as a controller (or business under U.S. state laws) with respect to platform operations and billing. If you use the Services as part of an organization that has contracted with us, we may process certain workforce or end-user data as a processor or service provider on the organization's instructions; in that case, the organization's agreement and notices may also govern, and we may direct you to them for certain requests.

International Transfers

We may process and store information in countries other than where you live. Where required, we use appropriate safeguards (such as standard contractual clauses) for transfers from the EEA, UK, or Switzerland.

Your Rights and Choices

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal information, to object to certain processing, to lodge a complaint with a supervisory authority, and to receive a portable copy where applicable.

To exercise rights, contact us at the email below. We may need to verify your identity. If we process information on behalf of an organization, we may refer you to that organization where appropriate.

United States State Privacy (California and others)

Depending on your U.S. state of residence, you may have rights to access, correct, delete, or opt out of certain processing of personal information, and to appeal our decisions regarding your requests. We do not sell personal information or share it for cross-context behavioral advertising as those terms are commonly defined in state privacy laws. We do not knowingly process sensitive personal information for purposes restricted by those laws without appropriate notices and, where required, consent.

California residents (CCPA/CPRA): In the past twelve months, we may have collected identifiers (such as name, email, account ID), commercial information (subscriptions), internet or network activity (such as device or connection information), and professional or employment-related information if you provide it. Sources include you, your device, our service providers, and integrations you enable. Purposes include providing the Services, security, analytics, and legal compliance. We retain categories only as long as reasonably needed for those purposes.

To submit a privacy request, contact privacy@hijack.gg. We will verify your request as required by law. You may designate an authorized agent with written permission (and we may require proof of identity). We will not discriminate against you for exercising privacy rights.

Children

The Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.

Automated Processing

We use automated systems to help secure accounts (for example, risk scoring, rate limiting, and bot challenges). We do not use solely automated decision-making that produces legal or similarly significant effects solely on the basis of profiling without human review where such review is required by law.

Do Not Track and Global Privacy Control

Some browsers transmit "Do Not Track" signals. There is no consistent industry standard for how to respond. We look to evolving guidance on Global Privacy Control and similar mechanisms where legally required. For choices about cookies, see our Cookies Policy.

Breach Notification

If we become aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data under our control, we will investigate and, where required by law, notify affected individuals and regulators in accordance with applicable timelines.

Cookies and Similar Technologies

We use cookies and similar technologies for authentication, preferences, security, and analytics. For details, see our Cookies Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, where appropriate, provide additional notice. Continued use after updates constitutes acceptance where permitted by law.