Privacy Policy
This Privacy Policy describes how Salian Defense ("Water Hawk", "we", "us") collects, uses, and shares personal information through the Water Hawk service ("Service") and the marketing properties at waterhawk.io. The Service is a business-to-business analytical product. Most of what we process is commercial-party data; this policy covers the limited personal information we touch.
What we collect
- Account info. Name, work email, employer, role, password (hashed), authentication state.
- Session and security telemetry. IP address, user-agent, multi-factor state, and a fingerprint we use to detect coordinated multi-account access.
- Billing identifiers. Stripe customer ID, subscription ID, invoice metadata. Stripe holds your card data; we do not store full card numbers.
- Customer Data. Bids, watchlists, notes, and other content you submit.
- Click-through evidence. Each time you accept a legal document, we record the user, the document slug, the document version, the document hash, the IP address, the user-agent, and the timestamp.
- Communications. Email, support tickets, outreach content sent to or from us.
How we use it
To provide the Service, authenticate users, secure the platform, bill subscribers, send transactional notices, send product updates and marketing communications to the contact on the Order Form, build de-identified aggregated analytics, comply with legal obligations, and defend legal claims.
How we share it
We do not sell or rent personal information. We share with:
- Subprocessors that provide infrastructure, payments, email, support, and security services. List available on request.
- Customer admins, who can see usage metadata for users in their org.
- Legal authorities when compelled by valid legal process.
- Successors in connection with a merger, acquisition, or sale of substantially all assets, subject to continued protections.
We do not share Customer Data with other customers except as de-identified aggregated cohort outputs subject to the safeguards described in our internal aggregation rules.
Lawful bases (where GDPR applies)
Contract (necessary to deliver what you subscribed to), legitimate interest (security, anti-abuse, product improvement), consent (where it is the sole basis, like optional analytics cookies), and legal obligation (tax, accounting).
International transfers
We are based in the United States. Where GDPR, UK GDPR, or Swiss FADP applies, we rely on the EU Standard Contractual Clauses, the UK IDTA, or the Swiss-U.S. DPF, as applicable. Copies are available on request.
Your rights
Subject to applicable law, you may request access, rectification, erasure, restriction, portability, objection, or withdrawal of consent. Email [email protected]. We respond within thirty (30) days. We may verify identity. If a user request conflicts with the Customer's contractual interests, we route it to the Customer admin.
California, Colorado, Connecticut, Texas, Utah, Virginia, and similar U.S. state privacy laws afford analogous rights. We do not sell personal information; "do not sell or share" is handled the same as access and erasure.
Retention
Account info: subscription term plus seven years. Session telemetry: thirteen months rolling. Billing: seven years. Customer Data: subscription term plus thirty days, after which we may delete. Click-through acceptances: indefinitely as evidentiary records.
Security
Encryption in transit, encryption at rest for sensitive fields, role-based access control, multi-factor for admins, secret rotation, audit logging, vulnerability scanning, and code review. No security program is perfect; we will notify you without undue delay of any confirmed unauthorized access to your data.
Children
The Service is not directed to and not intended for children under sixteen (16). We do not knowingly collect children's data.
Changes
We will post any material change at least thirty (30) days before the effective date.