Tripwire Privacy Policy
Tripwire privacy policy covering website, dashboard, and service data processing.
This Privacy Policy describes how ABXY, Inc., a Delaware corporation (“Tripwire,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal information in connection with our websites, documentation, dashboard, APIs, SDKs, and related products and services (collectively, the “Services”).
This Privacy Policy applies to:
- visitors to our websites, documentation, and dashboard;
- users who create or administer Tripwire accounts on behalf of themselves or an organization (“Account Users”); and
- information processed through customer deployments of the Services, including browser, device, network, and interaction telemetry used to detect bots, suspicious automation, fraud, abuse, and other security risks (“Security Telemetry”).
We may also publish supplemental or feature-specific notices, addenda, or disclosures for particular Services, regions, or processing activities, such as website cookie notices, U.S. state-law supplements, beta feature notices, or notices for identity-verification, biometric, or other higher-sensitivity features. If there is a conflict between this Privacy Policy and a more specific notice or addendum, the more specific notice or addendum will control for the relevant feature or processing activity.
Where a customer deploys the Services on its own websites, apps, or services, that customer may also have independent privacy and transparency obligations to its own end users.
1. Information We Collect
We collect the following categories of information:
A. Account and profile information
When you create or manage a Tripwire account, we may collect information such as:
- name;
- business email address;
- password and account recovery information;
- email verification status;
- profile and account preferences; and
- organization, role, and membership information.
B. Authentication and security information
To authenticate users and secure the dashboard, we may collect and process:
- login, authentication, and session information;
- IP address and general browser or device information;
- timestamps and logs associated with account and session activity;
- passkey and other authentication metadata;
- authentication provider information if social login is enabled;
- session validation data and fraud-prevention signals; and
- related security, audit, and access-control information.
C. Organization, configuration, and API information
When an Account User configures the Services, we may collect:
- organization and workspace information;
- API key, integration, and environment metadata;
- allowed origins, rate-limit, and security settings; and
- audit, administrative, and configuration history.
D. Security Telemetry collected through customer deployments
When our customers deploy Tripwire, we may receive or generate Security Telemetry such as:
- browser, device, application, and environment information;
- page, request, network, and approximate location information, which may include URLs, referrers, IP address, headers, timing, and related server-observed characteristics;
- network and security-risk information, such as proxy, VPN, hosting, reputation, and related intelligence;
- interaction and form-interaction metadata used to detect bots, suspicious automation, fraud, abuse, and other security risks;
- identifiers, fingerprinting, recognition, and linkage signals where present, available, or generated as part of the Services; and
- scores, classifications, logs, session details, investigation data, analytics, and other outputs derived from the foregoing.
Our systems are designed for security and anti-abuse analysis. Customers are responsible for avoiding the inclusion of unnecessary sensitive data in URLs, page metadata, or other content they send through the Services.
E. Billing and transaction information
If we offer paid plans, pilot plans, or other paid Services, we or our payment service providers may collect:
- billing contact information;
- company name and tax or invoicing details;
- subscription or order information;
- payment status, transaction history, and limited payment metadata; and
- fraud, risk, and verification information associated with a transaction.
Unless expressly stated otherwise, we do not intend this Privacy Policy to promise that Tripwire stores full payment card numbers itself.
F. Communications and support information
If you contact us, request support, attend an event, submit a demo request, join a waitlist, or otherwise communicate with us, we may collect your contact details, correspondence, support content, and any other information you choose to provide.
G. Cookies, browser storage, and similar technologies
We and our service providers may use cookies and similar technologies for security, authentication, fraud prevention, analytics, billing, and Service functionality. These technologies may include:
- essential cookies and session technologies used to authenticate users, validate requests, and help protect the Services;
- browser storage or similar technical identifiers used to help recognize browsers or devices, where present or enabled;
- analytics, billing, or measurement technologies used on Tripwire-controlled properties or in connection with paid plans; and
- similar technologies used to operate, secure, support, and improve the Services.
Some cookies and similar technologies are necessary for the Services to function. Others may be used for analytics or measurement, subject to applicable law.
2. How We Use Information
We may use personal information and Security Telemetry to:
- provide, operate, maintain, and secure the Services;
- create and administer accounts, teams, passkeys, API keys, account settings, and paid plans;
- authenticate users, verify account ownership, and use identity verification and fraud-prevention measures where appropriate;
- detect bots, suspicious automation, manipulation, fraud, abuse, unauthorized access, payment risk, and other security threats;
- generate risk scores, classifications, fingerprints, verdicts, session analyses, and investigation data;
- support customer investigations, logging, analytics, troubleshooting, incident response, and support;
- communicate with you about the Services, including transactional, account-related, security, billing, support, and product communications;
- develop, test, tune, validate, improve, and train the performance, integrity, efficacy, and security of the Services, including our signatures, heuristics, fingerprints, rules, models, and analytics;
- conduct abuse research, fraud trend analysis, benchmarking, and related security research;
- correlate Security Telemetry, identifiers, and events across customer deployments, Tripwire-controlled properties, and other lawful data sources to identify repeat actors, coordinated activity, device or network reputation, and other security threats, and to generate derived network-level or cross-customer risk indicators and investigation outputs;
- incorporate customer-supplied labels, review outcomes, chargebacks, dispute results, fraud confirmations, abuse reports, false-positive or false-negative feedback, and similar adjudications or outcome data into our signatures, heuristics, models, rules, threat intelligence, analytics, reports, and other Service improvements;
- create and use aggregated, statistical, deidentified, or anonymized information for lawful business purposes, including publishing reports and insights that do not identify you, an individual, or a customer as the source unless we separately obtain consent;
- monitor usage, enforce our terms, and protect our rights, users, customers, partners, and infrastructure;
- process payments, invoices, taxes, collections, and related commercial operations if paid Services are offered; and
- comply with legal obligations and respond to lawful requests.
Where we create or use deidentified information, we will take reasonable measures designed to ensure the information cannot reasonably be associated with a particular consumer or household, publicly commit to maintain and use it in deidentified form, and not attempt to reidentify it except as permitted by law or to test our deidentification processes.
3. Legal Bases for Processing
Where required by applicable law, we rely on one or more of the following legal bases:
- performance of a contract with you or your organization;
- our legitimate interests, such as securing the Services, preventing fraud and abuse, operating the dashboard, administering paid plans, improving our products, conducting abuse research, and communicating with customers;
- your consent, where required;
- compliance with legal obligations; and
- other lawful bases available under applicable law.
4. How We Disclose Information
We may disclose personal information as follows:
A. Service providers and operational vendors
We may disclose information to vendors and service providers that help us operate the Services, including providers of:
- hosting and infrastructure;
- authentication, identity verification, and email delivery;
- analytics, documentation, support, and communications;
- payment processing, billing, and collections;
- IP, network, device, and fraud intelligence;
- security monitoring and operations; and
- other tools used to provide, secure, support, or improve the Services.
B. Customers and authorized administrators
If a customer deploys the Services on its own websites, apps, or services, Tripwire may make relevant Security Telemetry, scores, investigation results, session details, logs, fingerprints, and related outputs available to that customer and its authorized administrators. These outputs may include derived indicators informed by our analysis across multiple deployments or data sources, such as device or network reputation, recurrence or cluster indicators, and related threat intelligence, but we do not disclose another customer’s identity, another customer’s confidential information, or another customer’s raw underlying data except as permitted by law.
C. Corporate affiliates and business transfers
We may disclose information to our affiliates and in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets.
D. Legal, compliance, and protection purposes
We may disclose information where we believe disclosure is necessary to:
- comply with applicable law, regulation, legal process, or governmental request;
- enforce our agreements and policies;
- protect the rights, property, and safety of Tripwire, our customers, users, or others; or
- investigate or prevent fraud, abuse, security incidents, payment fraud, or other unlawful activity.
E. With your direction or consent
We may disclose information at your direction or with your consent.
5. Role of Tripwire and Our Customers
When a customer deploys the Services on its own digital properties, that customer generally decides how and where to deploy Tripwire, what flows to protect, what notices to provide, and what actions to take based on Tripwire’s outputs. In that context, the customer is generally responsible for:
- providing notices required by law to its end users;
- obtaining any legally required consents;
- responding to end-user rights requests where applicable; and
- making its own decisions about whether to allow, challenge, throttle, log, review, verify, or block activity.
For Security Telemetry collected through a customer deployment, Tripwire generally processes that data on the customer’s behalf as a processor, service provider, or contractor, as applicable, in order to provide the Services. The customer authorizes Tripwire to process Security Telemetry to provide, host, store, transmit, secure, support, troubleshoot, maintain, analyze, score, fingerprint, correlate, investigate, validate, tune, and improve the Services, including by:
- detecting fraud, abuse, manipulation, account compromise, and other security incidents;
- developing, testing, tuning, validating, and improving our signatures, heuristics, models, rules, fingerprints, and analytics;
- correlating identifiers and events across deployments to detect repeat actors, coordinated abuse, device or network reputation, and related security threats, and to generate derived cross-customer or network-level indicators for the Services;
- conducting fraud and abuse research and efficacy testing; and
- creating aggregated, deidentified, or anonymized reports, benchmarks, and trend analyses.
Any cross-customer or network-level outputs described above are intended for security, fraud, abuse, integrity, research, or service-improvement purposes and not for advertising or unrelated commercial profiling.
Tripwire may also process certain information as an independent controller or business, as applicable, for our own account administration, billing, website and documentation operations, support and communications, legal compliance, corporate operations, security of our own systems, and our creation and use of deidentified, aggregated, statistical, or otherwise transformed Tripwire-generated service data to the extent permitted by law.
If we receive a privacy rights request, deletion request, or similar inquiry relating to Security Telemetry we process on behalf of a customer, we may direct the requester to the relevant customer, notify the customer, or otherwise handle the request in coordination with the customer as permitted by law and contract.
Tripwire uses scoring, correlation, profiling, and similar analytical methods to assess fraud, abuse, automation, identity, and security risk. Tripwire generally provides scores, indicators, and investigation tools to customers and does not generally make solely automated decisions on behalf of customers that produce legal or similarly significant effects for end users. Customers remain responsible for how they use Tripwire outputs, including any human review, appeal, notice, opt-out, adverse-action, or other downstream legal requirements. Unless expressly stated otherwise in feature-specific terms, the Services are not intended to be used as a consumer report, to make decisions governed by the Fair Credit Reporting Act or similar laws, or for other prohibited or high-risk uses.
6. Cookies and Choices
You can usually control cookies and certain browser storage mechanisms through your browser or device settings. However, disabling essential technologies may affect the availability, performance, or security of certain features.
Where required by law, we will provide notices or obtain consent for non-essential cookies and similar technologies used on Tripwire-controlled properties.
Customers that deploy Tripwire on their own properties are responsible for providing any required cookie, privacy, or transparency notices to their end users.
7. Data Retention
We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:
- provide and secure the Services;
- maintain fraud, abuse, billing, and investigation records;
- support customers and paid plans;
- conduct service improvement, abuse research, and fraud trend analysis;
- comply with legal obligations;
- resolve disputes; and
- enforce agreements.
Retention periods vary based on the type of information, the context in which it was collected, customer configuration, legal requirements, contractual obligations, and operational needs. Some session-related or operational data may be retained only briefly, while certain fraud, fingerprint, investigation, audit, billing, and analytics records may be retained longer to detect repeat abuse, investigate incidents, support customers, collect amounts owed, and improve the Services.
Deleting a dashboard account or organization may not immediately remove all related logs, backups, security records, billing records, or data that must be retained for legal, contractual, or legitimate operational reasons.
8. Security
We use reasonable administrative, technical, and organizational measures designed to protect personal information and Security Telemetry. These measures may include access controls, encryption, environment separation, authentication controls, API key controls, rate limiting, session protections, vendor management, and other security safeguards.
No security measure is perfect, and we cannot guarantee absolute security.
Account Users are responsible for maintaining the confidentiality of their credentials, passkeys, and API keys, using origin restrictions where available, and notifying us promptly of any suspected unauthorized access or compromise.
9. International Data Transfers
We and our service providers may process information in countries other than the country in which you reside. Where required by law, we will use appropriate safeguards for cross-border transfers.
10. Your Rights and Choices
Depending on where you live, you may have the right to request access to, correction of, deletion of, restriction of, objection to, or portability of certain personal information. You may also have the right to withdraw consent where our processing is based on consent.
You may update certain account information through the dashboard. To exercise privacy rights or appeal a decision where required by law, contact us using the information below.
We may need to verify your identity and authority before responding to your request, including through reasonable authentication or identity verification steps. We may deny or limit requests as permitted by law.
11. Children’s Privacy
The Services are not directed to children, and we do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information to us unlawfully, contact us and we will take appropriate steps.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version, update the date information above, and, where appropriate, provide additional notice by email, dashboard notice, website posting, or a feature-specific notice or addendum. We may also maintain archived prior versions of this Privacy Policy for reference.
Changes to this Privacy Policy will apply prospectively unless otherwise permitted by law. We will not materially use previously collected personal information for new purposes that are materially inconsistent with the disclosures in effect at the time of collection without providing any notice and, where required by law, obtaining consent.
13. Contact Us
If you have questions or requests regarding this Privacy Policy, please contact:
ABXY, Inc.
Attn: Privacy
455 Market St Ste 1940
San Francisco, CA 94105
privacy@abxylabs.com
For support questions, you may also contact support@abxylabs.com.
For legal inquiries, you may contact legal@abxylabs.com.