FortEqual PRIVACY POLICY
Effective date: November 2025

ABOUT THIS POLICY
This Privacy Policy explains how FortEqual (“FortEqual”, “we”, “us”, “our”) collects, uses, shares, and protects personal information when you visit our website, contact us, or use our services (including security hardening, monitoring, takedowns, data-broker removals, backups, incident response, and advisory services). If you do not agree with this Policy, please do not use our services.

CONTACT US
Data Controller: FortEqual
Email: [email protected]
Postal address: Arvada, Colorado
If you are in the EU/UK and want to contact our representative or Data Protection Officer, email [email protected] and write “Privacy – EU/UK” in the subject.

WHO WE PROTECT
We provide personal cybersecurity for individuals and small teams (e.g., creators, founders, executives, activists, journalists). We operate globally and are a remote-first company.

INFORMATION WE COLLECT

  1. Information you provide to us
    • Contact information: name, email, phone, handle(s), and billing address.
    • Account setup information: usernames/handles for platforms you ask us to protect; your consent choices (e.g., enabling passkeys).
    • Support and incident information: details you share during onboarding, chats, calls, tickets, and incident response.
    • Payment information: processed by our payment processor; we do not store full card numbers.
  2. Information we obtain when you use our services (with your authorization)
    • Security telemetry from devices we manage: operating system version, security posture, alerts (e.g., malware detections, suspicious sign-ins), and audit logs from email/identity systems you connect.
    • Network and DNS security events: domains blocked, threat categories, timestamps.
    • Email security signals: spam/malware detections, suspicious inbox rules, delivery/defense outcomes (not your email content).
    • Account protection signals: MFA/passkey status, OAuth/granted app changes, admin events, session revocations.
    • Takedown and brand-protection data: URLs, usernames, fake profiles, domain WHOIS data, and correspondence with platforms/registrars.
    • Data-broker removal data: name, addresses, emails, phone numbers known to be publicly listed; removal confirmations.
    • Website analytics: basic usage and performance data (e.g., pages viewed, browser type, approximate location derived from IP).
  3. Information from third parties
    • Public sources (e.g., breached credential datasets, dark-web mentions, public profiles).
    • Vendors and partners that help deliver our services (e.g., email defense, endpoint protection, DNS security, backups, ticketing, payment processing).

SENSITIVE DATA
We do not seek to collect sensitive personal data unless necessary for security-protection work you request (e.g., a doxxing response may require us to process home address or phone numbers already exposed online). We minimize what we store and delete it when it is no longer needed.

CHILDREN
Our services are not directed to children under 16. If you believe a child has provided us personal information, contact us so we can delete it.

HOW WE USE YOUR INFORMATION
• Provide and maintain services, including onboarding, security hardening, monitoring, takedowns, data-broker removals, backups, and incident response.
• Detect, investigate, and prevent security incidents and fraud.
• Communicate with you (service updates, security alerts, invoices, customer support).
• Improve and develop features, run diagnostics, and quality-assure detections and playbooks.
• Comply with law, enforce agreements, and protect rights, safety, and property.

LEGAL BASES (EU/UK ONLY)
We process personal data on the following bases:
• Contract: to provide services you request.
• Legitimate interests: to secure accounts/devices, prevent fraud/abuse, improve services.
• Consent: where required (e.g., connecting new data sources, marketing emails).
• Legal obligation: to comply with applicable laws and requests from authorities.

HOW WE SHARE INFORMATION
We do not sell your personal information.
We may share information with:
• Service providers (sub-processors) who help us operate (e.g., endpoint security, DNS protection, email defense, data-broker removal, backups, ticketing, payment processing, cloud hosting). These providers process data under contracts that require confidentiality and appropriate safeguards.
• Platforms, registrars, and carriers when you ask us to submit impersonation/doxxing takedowns, SIM-swap protections, or account-recovery requests.
• Law enforcement or regulators when we believe disclosure is necessary to comply with law, respond to lawful requests, or prevent harm.
• Business transfers if we are involved in a merger, acquisition, or asset sale. We will notify you if your information becomes subject to a different policy.

INTERNATIONAL TRANSFERS
We may transfer, store, and process information in countries other than where you live. When we transfer personal data outside the EU/UK, we use approved safeguards (e.g., Standard Contractual Clauses) or other lawful mechanisms.

RETENTION
We keep personal information only as long as needed to deliver services, meet legal/regulatory requirements, resolve disputes, and maintain security records. Typical retention examples:
• Security alerts and logs: generally 12–24 months unless a longer period is required for investigations.
• Ticketing and incident records: generally 3–7 years for legal and insurance reasons.
• Data-broker removal records: retained to confirm removals and re-submit if data reappears.
We anonymize or delete data when retention ends.

YOUR PRIVACY CHOICES AND RIGHTS
Email preferences: you can opt out of non-transactional emails by using the unsubscribe link or contacting us.
Access, correction, deletion: you can request a copy of your data, ask us to correct it, or delete it when legally permissible.
Restriction and objection (EU/UK): you may ask us to restrict processing, or object to processing, in certain cases.
Data portability (EU/UK): you may request export of data you provided.
Verification: for your security, we may ask for proof of identity and ownership of protected accounts before acting.
To exercise rights, email [email protected].

CALIFORNIA PRIVACY NOTICE (CPRA)
If you are a California resident, you have the right to know the categories of personal information we collect, the sources, purposes of use, and whether we “sell” or “share” personal information. We do not sell or share personal information for cross-context behavioral advertising. You may request access, correction, or deletion, and you have the right to limit the use of sensitive personal information to what is necessary to perform services. We will not discriminate against you for exercising your rights.

COOKIES AND TRACKING
We may use strictly necessary cookies (for security and session integrity) and basic analytics to understand website performance. You can control cookies through your browser settings. If we use additional analytics or advertising cookies in the future, we will update this Policy and provide choices.

SECURITY
We use a combination of technical and organizational measures to protect personal information, such as encryption in transit and at rest where appropriate, role-based access, least-privilege internal controls, hardware security modules for select secrets, and regular reviews of vendors. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

ACCOUNT PROTECTION WORKFLOW
For urgent or high-risk changes (e.g., account recovery, SIM-swap prevention, emergency takedowns), we verify your identity via out-of-band methods before acting. We keep audit trails of actions taken on your behalf.

CUSTOMER-DIRECTED SHARING
At your direction, we may coordinate with your insurance broker, legal counsel, PR firm, talent/MCN, or employer/board contacts. We share only what is necessary and document those disclosures in your case file.

THIRD-PARTY LINKS
Our website may link to third-party sites or platforms. Their privacy practices are not governed by this Policy.

SUB-PROCESSORS
We rely on vetted service providers to deliver parts of our services (for example: cloud infrastructure, email defense, endpoint protection, DNS security, backups, ticketing, payments). A current list is available on request at [email protected] or on our website’s Trust/Privacy page. We will notify customers before adding or materially changing sub-processors where required.

DATA FOR INCIDENT RESPONSE AND EVIDENCE
If we are engaged for incident response, we may temporarily collect and process system artifacts, logs, or screenshots solely for investigation and recovery. We limit access to this data, retain it only as long as needed, and then delete or anonymize it.

DO NOT TRACK
Because there is no consistent industry standard for “Do Not Track” signals, our website does not respond to them.

CHANGES TO THIS POLICY
We may update this Policy to reflect changes in our practices or applicable laws. We will post the new Policy on our website and update the effective date above. If changes are material, we will provide additional notice (e.g., email).

HOW TO CONTACT US OR APPEAL A DECISION
If you have questions, complaints, or want to appeal a decision about a privacy request, email [email protected] with “Privacy” in the subject. If you are in the EU/UK, you may also lodge a complaint with your local data protection authority.