MALLEUS
DRAFT — Last Updated: March 5, 2026

Privacy Policy

Malleus (operating as a sole proprietorship under the trade name “Malleus,” doing business as Spooky Industries) (“Malleus,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our software platform and related services (collectively, the “Platform”).

This Privacy Policy is designed to reasonably conform to the National Institute of Standards and Technology (NIST) Privacy Framework and to comply with applicable privacy laws, including the Tennessee Information Protection Act (TIPA), the California Consumer Privacy Act (CCPA), and Section 5 of the Federal Trade Commission Act.

1. Information We Collect

We collect information in the following categories:

1.1 Account and Contact Information

When an organization subscribes to Malleus or creates user accounts, we collect business contact information including names, email addresses, phone numbers, mailing addresses, job titles, and roles of authorized users.

1.2 Client-Submitted Business Data

Our clients input, upload, or generate data through the Platform in connection with their business operations (“Client Data”). We process Client Data solely on behalf of and at the direction of the subscribing organization.

1.3 Usage Data

We automatically collect information about how users interact with the Platform, including login times, feature usage patterns, pages viewed, actions taken, session duration, and error logs.

1.4 Device and Technical Data

We collect device type, operating system, browser type, screen resolution, IP address, approximate geographic location, and similar technical information.

1.5 Payment Information

Our third-party payment processor (currently Stripe, Inc.) collects and processes payment card information. We do not store full credit card numbers or CVV codes on our servers.

1.6 Communications Data

We collect information from communications you send to us, including emails, support tickets, feedback, and survey responses.

1.7 AI Feature Data

If you use AI Features available on the Platform, we collect and process the inputs you provide to AI Features (“AI Inputs”) and the outputs generated (“AI Outputs”) as described in Section 6.

2. How We Use Information

  • Providing Services: To provide, operate, maintain, and improve the Platform
  • Processing Transactions: To process payments, send invoices, and manage billing
  • Communications: To communicate with users about account status, service updates, and security alerts
  • Analytics and Improvement: To monitor and analyze usage trends and improve user experience
  • Security: To detect, prevent, and respond to security incidents and fraud
  • Legal Compliance: To comply with applicable laws and regulations
  • Enforcing Agreements: To enforce our Terms of Service and Service Agreements
  • AI Features: To process AI Inputs and generate AI Outputs as described in Section 6

We do not use Personal Information for purposes incompatible with those disclosed in this Privacy Policy.

3. How We Share Information

We do not sell Personal Information. We may share information in limited circumstances:

  • Service Providers: With third-party service providers who assist us in operating the Platform
  • AI Processing: With Third-Party AI Providers to provide AI Features
  • Legal Requirements: To comply with applicable law or legal process
  • Rights Protection: To enforce our agreements and protect rights and safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Consent: With your consent or at your direction

4. Data Retention

  • Account Information: Retained for the duration of the subscription and a reasonable period thereafter
  • Client Data: Retained during the subscription term; available for export for 30 days after termination
  • Usage and Technical Data: Retained for up to 24 months
  • Payment Records: Retained as required by tax and financial record-keeping laws (generally 7 years)
  • Communications Data: Retained as long as necessary to resolve the inquiry

5. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Access controls based on least-privilege principles
  • Regular security assessments and vulnerability testing
  • Employee training on data security and privacy practices
  • Incident response procedures

Data Breach Notification: We comply with all applicable breach notification laws, including Tennessee’s requirement of notification within 45 days.

6. AI Features and Data

  • We process AI Inputs to generate AI Outputs. Processing may involve Third-Party AI Providers.
  • We do not use identifiable Client Data to train general-purpose AI models available to other customers.
  • AI Outputs are generated by automated systems and may contain errors. They should not be relied upon without human review.
  • The Platform does not make fully automated decisions that produce legal effects without human involvement.

7. Your Privacy Rights

Tennessee residents (TIPA): Right to Know, Right to Correct, Right to Delete, Right to Data Portability, Right to Opt Out. We respond to verified requests within 45 days.

California residents (CCPA): Right to Know, Right to Delete, Right to Correct, Right to Opt Out of Sale. We do not sell your Personal Information.

To exercise your rights, contact us at jake@getmalleus.com.

8. Children’s Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect information from children under 13.

9. Third-Party Services

This Privacy Policy does not apply to third-party services accessed through the Platform.

10. International Data Transfers

The Platform is operated from the United States.

11. Changes to This Policy

We will provide at least 30 days’ notice before material changes take effect.

12. Contact Us

Malleus (Spooky Industries)
Email: jake@getmalleus.com

13. NIST Privacy Framework Conformance

This Privacy Policy is designed to reasonably conform to the NIST Privacy Framework as contemplated by the Tennessee Information Protection Act.

MALLEUS getmalleus.com | malleus.io

© 2026 Spooky Industries