Privacy Policy

Effective date: July 9, 2026

Company/product
Cracken / https://cracken.ai
Legal entity
CrackenAGI Ltd.
Registered office
3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT
Governing law for self-serve terms
England and Wales

1. Scope

This Privacy Policy explains how CrackenAGI Ltd. ("Cracken", "we", "us" or "our") collects, uses, discloses, protects and retains personal information when visitors, prospects, customers, account administrators, authorized users or other individuals use Cracken websites, self-serve subscriptions, dashboards, APIs, documentation, support channels, marketing pages, security-testing workflows and related services.

Cracken is an AI-assisted proactive cyber-resilience and adversarial-validation platform. Because the service can validate vulnerabilities, execute security-testing workflows and generate evidence about customer systems, we collect account, device, usage, audit, compliance and security information to operate the service safely and lawfully.

This policy should be read together with the Cookie Policy, Data Processing Agreement, Sub-processor List, Data Retention Policy, Breach-Response Policy, Acceptable Use Policy, Rules of Engagement and applicable self-serve Terms.

2. Roles: controller and processor

For account registration, billing, marketing, website analytics, security monitoring, sanctions/export screening, abuse prevention, product administration and direct communications, Cracken generally acts as an independent controller.

For personal data contained in customer-submitted targets, prompts, configurations, credentials, logs, files, vulnerability evidence, screenshots, reports, integrations, tickets or other content that a customer submits to Cracken for processing on the customer's behalf, Cracken generally acts as a processor or service provider under the Data Processing Agreement, unless the applicable agreement states otherwise.

3. Information we collect

We may collect the following categories of information:

  • Account and identity information: name, business email, company, role, team, authentication identifiers and account settings.
  • Billing and subscription information: plan, invoices, payment status, billing contact and tax or business identifiers. Payment card details are expected to be processed by the payment provider and not stored directly by Cracken.
  • Compliance and eligibility information: IP address, inferred country or region, business domain, export-control and sanctions-screening signals, account ownership information, domain/asset information, RoE acceptance records and supporting documents requested for risk users, risk features, risk actions or other risk-based triggers.
  • Technical and device information: IP address, browser, operating system, device identifiers, user agent, language, referrer, session identifiers, cookie identifiers, approximate location derived from IP address, API keys or token metadata, diagnostic logs and error reports.
  • Product usage information: pages and features used, scans configured, targets added, actions taken in the dashboard, API calls, command outputs, workflow status, system timestamps, security events, audit trails and support interactions.
  • Support-ticket information: support requests, feedback, high-risk target approval requests, comments, attachments, status, votes or prioritization signals submitted through Cracken's support ticketing portal at https://crackenai.featurebase.app/.
  • Customer content: testing targets, scope definitions, Rules of Engagement, uploaded files, prompts, instructions, credentials provided for authorized testing, scan telemetry, vulnerability evidence, screenshots, logs, exploit-validation artifacts, reports and remediation notes.
  • Marketing information: campaign source, landing page, consent status, preferences, webinar or event registrations and communications with sales or customer-success teams.
  • Communications: emails, chat messages, support tickets, meeting notes, feedback, questionnaire responses and security review correspondence.

Customers must not submit personal data, secrets, regulated data, payment-card data, health data, government identifiers, export-controlled technical data or third-party confidential data unless they have authority to do so, the data is necessary for an authorized security objective, and the applicable subscription, RoE and law permit it.

4. How we use information

We use personal information to:

  • provide, secure, maintain and improve Cracken;
  • create and manage accounts, authenticate users and administer subscriptions;
  • validate that users and targets are eligible and authorized;
  • enforce export, sanctions and restricted-territory controls;
  • request and review supporting documents for risk users, risk features, risk actions and risk-based triggers;
  • run authorized security-testing workflows and generate findings, evidence and reports;
  • detect, investigate and prevent abuse, unauthorized hacking, prohibited reverse engineering, fraud, misuse, credential sharing, circumvention, excessive load or unsafe activity;
  • monitor availability, performance, errors and security events;
  • provide support, respond to inquiries and send service communications;
  • send marketing communications where permitted and honor opt-out choices;
  • use Google Analytics to understand website activity where analytics cookies are enabled or otherwise lawful;
  • personalize website and product experiences where lawful;
  • comply with law, legal process, regulatory obligations and contractual commitments;
  • establish, exercise or defend legal claims;
  • train, evaluate, tune and improve Cracken models, agents, prompts, detection logic, safety systems and workflows only as described in Section 8 below.

5. Export, sanctions and restricted-territory controls

Cracken may collect and process IP addresses, browser and device data, account details, payment signals, domain information and supporting documentation to assess whether a user, customer, affiliate, end user, target, transaction or use case is permitted under applicable export-control, sanctions, anti-boycott and cyber-tool restrictions.

Cracken treats export compliance as broader than a static country list. Controls may consider embargoed destinations, targeted sanctions, prohibited countries, restricted regions, military end-use/end-user licensing requirements and prohibited-party lists under applicable export and sanctions regimes, including EAR, ITAR, OFAC, EU, UK, UN and similar rules.

Cracken does not permit access to or use of the service from, for the benefit of, or in connection with restricted territories or prohibited parties. Current restricted territories for the self-serve model are, at minimum: Russia; Belarus; Cuba; Iran; North Korea / DPRK; Syria; Crimea / Sevastopol / occupied or non-government-controlled Ukrainian territories, including Donetsk, Luhansk, Kherson and Zaporizhzhia areas. Cracken may add other countries, regions, parties, end uses or transactions where required by applicable sanctions, export controls, cyber-tool controls or internal risk decisions.

Cracken may block registration, deny access, require additional verification, suspend usage, terminate accounts, cancel subscriptions, refuse transactions, withhold service delivery or preserve relevant evidence where Cracken reasonably believes that use may involve a restricted territory, restricted party, prohibited end use, military end use/end user, evasion attempt or legal violation.

6. Authorized security testing and supporting documents

Users must only test systems, applications, networks, accounts, cloud resources and data that they own or are legally authorized to test. Cracken does not require domain verification before every scan by default. However, Cracken may request evidence such as domain verification, asset ownership proof, written authorization, Rules of Engagement, engagement letter, customer contact confirmation, corporate identification, billing verification or other supporting documents for risk users, risk features, risk actions and other risk-based triggers.

Failure to provide requested documentation may result in delayed onboarding, feature limitation, suspension, termination or refusal to run a requested workflow.

7. Cookies, analytics and marketing tracking

Cracken uses cookies and similar technologies as described in the Cookie Policy. Essential cookies support authentication, security, consent management and service operation. Analytics cookies, including Google Analytics, help us understand how visitors interact with the website by collecting and reporting information. Functional cookies support enhanced features such as chat widgets, video players and personalized preferences. Marketing cookies may be used for first-party campaign attribution, conversion tracking and personalization. Cracken does not currently use third-party marketing or retargeting providers.

8. AI model, agent and system improvement

Cracken uses the following approved AI processing architecture for the self-serve model:

  • Anthropic models accessed through AWS Bedrock, with processing in configured AWS Bedrock regions including US East and EU West regions.
  • Self-hosted LLM processing on Google Cloud Platform in an EU West region.

Cracken's self-serve posture is: aggregated and de-identified telemetry may be used for self-serve product and system improvement. For all plans below the Pro plan, storage for product, safety, abuse-prevention, model, agent and system improvement is enabled by default, subject to this policy, the Terms and applicable law. For Pro plan and higher subscriptions, customers may opt out of optional improvement storage where Cracken makes that control available; operational, security, billing, legal, export/sanctions, abuse-prevention, incident-response and service-delivery retention may still apply. Customer-content training for cross-customer model improvement is not used by default and requires separate negotiated permission or an applicable customer setting. Customer content may be used during the subscription for customer-specific model adaptation, safety tuning, retrieval, evaluation, workflow improvement and similar customer-specific service improvements.

The baseline commitments are:

  • Customer content remains the customer's content.
  • Cracken may use aggregated, anonymized or de-identified telemetry and usage statistics to improve the service where the data cannot reasonably identify a customer, user, target or third party.
  • For plans below Pro, optional improvement storage is enabled by default for data eligible under this policy. For Pro plan and higher subscriptions, customers may opt out of optional improvement storage where the control is available, without limiting Cracken's necessary operational, security, legal, export/sanctions, abuse-prevention, incident-response or service-delivery retention.
  • Cracken may use customer content, prompts, scan artifacts, findings, reports, screenshots, logs or vulnerability evidence for customer-specific model adaptation and service improvement during the subscription.
  • Cracken will not use self-serve customer content for cross-customer model training or general model fine-tuning unless separately agreed, authorized or enabled under an applicable customer setting.
  • Cracken will not intentionally permit third-party AI providers to use customer content for their own model training.
  • Cracken may use customer content internally to provide the service, debug issues, improve safety for that customer, detect abuse, investigate incidents and comply with law.
  • Where practical, Cracken will minimize, mask, filter or remove secrets, credentials, personal data and exploit-sensitive details before using data for improvement.

9. Sharing and disclosures

Cracken may disclose personal information to:

  • service providers and sub-processors listed in the Sub-processor List;
  • cloud infrastructure, AI-inference, analytics, support, communications, security, logging, compliance and business operations vendors;
  • customer administrators and authorized users within the same workspace;
  • professional advisers, auditors, insurers and legal representatives;
  • regulators, courts, law-enforcement or government bodies where legally required or necessary to protect rights, safety or security;
  • counterparties in a merger, acquisition, financing, reorganization or sale of assets;
  • third parties with the customer's or individual's direction or consent.

Cracken does not sell personal information in the ordinary meaning of selling a customer list for money. Cracken does not currently use third-party marketing or retargeting providers. If Cracken later uses technology that could be considered a "sale," "sharing" or targeted-advertising disclosure under applicable privacy law, Cracken will update its Cookie Policy and provide the required notice and opt-out or consent mechanism.

10. International transfers and data residency

Cracken's main infrastructure is hosted in Microsoft Azure UK South. AI processing may occur through AWS Bedrock in US East and EU West regions and through self-hosted LLM infrastructure on Google Cloud Platform in an EU West region. Cracken may also process information in the countries where Cracken, its personnel and service providers operate, subject to the restricted-territory rules above.

Where required, Cracken will use appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, UK transfer addenda, Data Privacy Framework certifications, transfer impact assessments or other lawful mechanisms.

11. Security

Cracken uses administrative, technical and organizational safeguards designed to protect information, including access controls, least privilege, encryption in transit, encryption at rest where supported, logging, monitoring, vulnerability management, secure development practices, personnel confidentiality commitments, incident-response procedures and sub-processor diligence.

Cracken tracks user activities and reviews them through monitoring systems to detect rule violations, abuse, unauthorized testing, export/sanctions issues and security incidents.

No system can be guaranteed completely secure. Customers remain responsible for their own configurations, credentials, target scope, user access, exports and downstream use of reports.

12. Individual rights and choices

Depending on location and applicable law, individuals may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent and appeal of certain decisions. Requests should be sent to privacy@cracken.ai. Where Cracken processes personal data as a processor for a customer, Cracken may refer the request to the customer or act on the customer's documented instructions.

Marketing emails include an unsubscribe mechanism. Cookie choices can be managed through the consent banner or cookie settings where available.

13. Children

Cracken is intended for business and professional security use and is not directed to children or minors. Users must meet the minimum age and authority requirements stated in the Terms.

14. Retention

Cracken retains information according to the Data Retention Policy and applicable customer agreements. Cracken aims to retain personal data for the minimum period reasonably necessary for the relevant purpose and applicable law. Customer data in main storage may be deleted by request, subject to legal, security, abuse-prevention, export/sanctions, backup and dispute exceptions. Backups are retained only for as long as reasonably necessary for resilience, security, legal or operational purposes and are protected from ordinary use.

15. Suspension, termination and refunds

Privacy-related records may be retained where necessary to investigate, enforce or document violations. If Cracken suspends or terminates a subscription for illegal, unethical or unauthorized activity, including unauthorized hacking, sanctions/export violations, RoE violations, abuse, fraud, or prohibited reverse engineering of code, prompts, playbooks, skills, "tentacles" or other proprietary components, Cracken may deny refunds where permitted by law and the Terms. If service ends for convenience or a mutually agreed non-violation reason, unused prepaid fees may be handled on a pro-rata basis according to the Terms.

16. Changes

Cracken may update this policy. Material changes should be communicated through the website, dashboard, email or other reasonable means, consistent with the approved Terms and change-notice process.

17. Contact

Privacy contact: privacy@cracken.ai

Legal contact: legal@cracken.ai

Security contact: security@cracken.ai

Support and high-risk target approval requests: https://crackenai.featurebase.app/

Legal entity: CrackenAGI Ltd.

Registered office: 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT