Last updated: January 1, 2025
Raven.io, Inc. ("Raven.io", "we", "our", or "us") operates the website ravenio.org and provides a runtime application self-protection platform and related services (collectively, the "Services"). This Privacy Policy describes how Raven.io collects, uses, stores, shares, and protects information about individuals who visit our website, register for our Services, or interact with us in any capacity.
This Privacy Policy applies to all personal data collected through our website at ravenio.org, through our software platform, through communications with our team, and through any other means by which you interact with Raven.io. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
Raven.io is headquartered in San Francisco, California, USA. For individuals in the European Union or European Economic Area, Raven.io acts as a data controller with respect to personal data collected through the website and marketing activities, and as a data processor with respect to operational data processed on behalf of customers using our platform.
We collect information in several ways depending on how you interact with Raven.io.
Account and Registration Data. When you register for a Raven.io account, request a product demonstration, or initiate a trial, we collect your name, work email address, company name, job title, company size, and industry. We may also collect a phone number if provided. This information is used to create your account, deliver the Services, and communicate with you about your account and our offerings.
Contact and Communications Data. When you contact us through our website contact form, send an email to info@ravenio.org, or engage with our sales or support team, we collect the content of your communications, your email address, name, and any other information you choose to include. We maintain records of these communications to provide support, respond to inquiries, and improve our Services.
Payment Information. For paid subscriptions, we collect billing contact information including name, billing address, and payment instrument details. Credit card numbers and other payment credentials are processed directly by our payment processor, Stripe, Inc., and are not stored on Raven.io systems. We retain records of payment amounts, dates, and billing addresses for accounting and fraud prevention purposes.
Survey and Feedback Data. We may collect responses to voluntary surveys, product feedback forms, or user research sessions. Participation in these activities is always optional. This data is used to improve our products and understand customer needs.
Usage and Technical Data. When you visit ravenio.org, we automatically collect technical information including your IP address, browser type and version, operating system, referring URL, pages viewed, time spent on pages, and click-through patterns. This data is collected through server logs and analytics tools and is used to understand how visitors use our website, diagnose technical issues, and improve site performance.
Cookies and Similar Technologies. We use cookies and similar tracking technologies on our website. Essential cookies are necessary for the website to function and cannot be disabled. Analytics cookies collect aggregate usage data that helps us understand site usage patterns. Marketing cookies may be used to deliver relevant content. You can manage your cookie preferences through our cookie banner or your browser settings. See our Cookie Policy for detailed information about the cookies we use.
Agent Telemetry Data. When customers deploy the Raven.io agent on their applications, the agent transmits telemetry data to Raven.io's control plane. This telemetry includes structural data about application behavior (query patterns, call stack signatures, file path hashes) and security event data (anomaly alerts, blocked operations). Telemetry data is processed in accordance with the Data Processing Agreement (DPA) between Raven.io and the customer, and Raven.io acts as a data processor for this data.
We may receive information about you from third-party sources including business intelligence providers, advertising partners, and social media platforms if you interact with our content on those platforms. We may combine this information with data we have collected directly to improve the relevance of our communications and understand our audience better.
Raven.io uses collected information for the following purposes:
Service Delivery. To create and manage accounts, provision the software platform, process transactions, authenticate users, and provide technical support. This is necessary for the performance of our contract with customers.
Communication. To respond to inquiries, send transactional notifications (account confirmations, invoices, alerts), communicate product updates, and provide security-related notifications. Transactional communications are sent as necessary for the operation of the Services. Marketing communications are sent based on your consent or our legitimate interest where permitted by law.
Product Improvement. To analyze usage patterns, identify areas for improvement, develop new features, and conduct research. We use aggregated and anonymized data for this purpose wherever possible.
Security and Fraud Prevention. To detect, investigate, and prevent fraudulent transactions, unauthorized access, abuse of our platform, and other security incidents. This processing is necessary for our legitimate interests in maintaining the security of our services.
Legal Compliance. To comply with applicable laws, regulations, and legal obligations, including responding to lawful requests from public authorities and complying with tax and accounting requirements.
Marketing and Advertising. With your consent or where permitted by applicable law, to send promotional emails about Raven.io products, display relevant advertising, and measure the effectiveness of marketing campaigns. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or contacting us at info@ravenio.org.
Raven.io does not sell personal data to third parties. We share personal data only in the following circumstances:
Service Providers. We engage third-party vendors to assist in delivering our Services. These include cloud infrastructure providers (Amazon Web Services), payment processors (Stripe), email delivery services (SendGrid), customer relationship management systems (Salesforce), and analytics providers (Mixpanel). All service providers are required to maintain appropriate confidentiality and security obligations through contractual agreements.
Customer Direction. We may share data as directed by the customer who controls the relevant data, such as sharing agent telemetry with a customer-designated SIEM or log management platform.
Business Transfers. In the event of a merger, acquisition, financing, or sale of substantially all of our assets, personal data may be transferred as part of the transaction. We will provide notice of any such transfer and any choices you may have regarding your data.
Legal Requirements. We may disclose personal data when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Raven.io, our users, or the public.
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law.
Account Data. Customer account data is retained for the duration of the customer relationship plus three years following account closure, to enable reactivation, resolve disputes, and comply with legal obligations.
Agent Telemetry Data. Security event logs and anomaly alerts are retained for 12 months by default, with options to extend to 24 months on Enterprise tier plans. Behavioral baseline data is retained for the duration of the customer contract.
Communications and Support Data. Records of support interactions are retained for three years following closure of the support ticket. General communications are retained for two years.
Website Analytics. Aggregate website usage data collected through analytics tools is retained for 24 months. IP address data collected through server logs is retained for 90 days.
When data is no longer needed for the purposes for which it was collected and no legal retention obligation applies, we delete or anonymize it using secure deletion procedures.
Individuals in the European Union, European Economic Area, and United Kingdom have the following rights under the General Data Protection Regulation (GDPR):
Right of Access. You may request a copy of the personal data we hold about you, along with information about how we process it. We will respond to access requests within 30 days.
Right to Rectification. If you believe personal data we hold about you is inaccurate or incomplete, you may request correction. Account holders can update profile information directly through the account settings portal.
Right to Erasure. In certain circumstances, you may request that we delete personal data we hold about you. This right is not absolute — it may not apply where processing is necessary for legal compliance, the exercise of legal claims, or other legitimate purposes described in GDPR Article 17.
Right to Restriction of Processing. You may request that we restrict processing of your personal data in certain circumstances, such as while accuracy is being verified or where processing is unlawful but you prefer restriction over deletion.
Right to Data Portability. Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your personal data for transfer to another controller.
Right to Object. You may object to processing based on legitimate interests, including processing for direct marketing purposes. We will cease direct marketing processing immediately upon objection.
Right Not to Be Subject to Automated Decision-Making. We do not make solely automated decisions that produce significant legal or similarly significant effects on individuals without human review.
California residents have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, the right to opt out of sale or sharing, and the right to non-discrimination for exercising privacy rights. Raven.io does not sell personal information as defined under CCPA.
To exercise any of these rights, contact us at info@ravenio.org with the subject line "Privacy Rights Request." We may require identity verification before processing requests. We will acknowledge receipt within 5 business days and provide a substantive response within 30 days.
We use cookies and similar technologies on ravenio.org. Essential cookies enable basic website functionality. Analytics cookies help us understand how visitors use our site. Marketing cookies may be used to display relevant content. For full details about the cookies we use, their purposes, and how to manage them, see our Cookie Policy.
Raven.io implements technical and organizational security measures appropriate to the sensitivity of the personal data we process. These measures include: encryption of data in transit using TLS 1.2 or higher; encryption of data at rest using AES-256 for stored customer data; access controls based on the principle of least privilege; multi-factor authentication requirements for all internal systems; annual penetration testing by qualified external security firms; and SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria.
Despite these measures, no security program is perfect. In the event of a data breach affecting your personal data, we will notify you as required by applicable law, including within 72 hours of discovery under GDPR where the breach is likely to result in a risk to your rights and freedoms.
Raven.io is headquartered in the United States. Personal data collected from individuals in the EU/EEA may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home country.
For transfers from the EU/EEA to the United States, Raven.io relies on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transfer. Customers may request a copy of the applicable SCCs by contacting us at info@ravenio.org. We also participate in the EU-US Data Privacy Framework where applicable.
Raven.io's Services are not directed to children under 16 years of age, and we do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us at info@ravenio.org.
Our website may contain links to third-party websites or services. This Privacy Policy applies only to ravenio.org and Raven.io's services. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing personal data.
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, provide notice through the platform or by email to registered users. We encourage you to review this policy periodically. Your continued use of our Services after changes take effect constitutes acceptance of the updated policy.
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us:
Raven.io, Inc.
Attn: Privacy Team
San Francisco, California, USA
Email: info@ravenio.org
Subject line: Privacy Inquiry
For EU/EEA individuals who wish to lodge a complaint about our data processing practices, you have the right to contact the supervisory authority in your EU member state. For Ireland, this is the Data Protection Commission (www.dataprotection.ie).