Privacy

Privacy Policy

Our privacy policy

Last updated on August 1st 2025

1. General

1.1
At Secure Code Warrior, your privacy is important to us and we take our data protection and privacy obligations seriously. This privacy policy explains how we handle (or ‘process’) your personal data and your related data protection rights. It covers all our activities, products and services including:

Secure Code Warrior’s learning platform (‘SCW Learning Platform’)
Our websites listed in Appendix B (‘website’)
Social media channels (such as Twitter, Facebook, Instagram and YouTube)
Software integrations
Recruitment

1.2
This privacy policy does not cover, and we are not responsible for, the privacy practices of third-party organisations (such as our customers or third-party services linked to through our website or the SCW Learning Platform). For more information about how third parties process your personal data, please refer to the individual privacy policies of each organisation.

For information about third-party service providers who process personal data on our behalf (‘processors’ or ‘sub-processors’), please refer to Section 3.4.

1.3
When we use ‘us’, ‘we’, ‘our’ or ‘Secure Code Warrior’ in this privacy policy, we are referring to Secure Code Warrior Inc, Secure Code Warrior Limited, Secure Code Warrior Pty Ltd, Secure Code Warrior BVBA and SCW ehf together as the related bodies corporate listed in Appendix A of this privacy policy.

2. Collection

2.1

Please refer to the below table for information about whose personal data we process and a breakdown of the individual data elements for each category of data subject:

We process the personal data of…	We may process your…
Website users	IP address Cookie data (see cookie policy for more information)
Platform users	Phone number (trial users only) Email address Name (first and last) Device information (browser type, device identifier and IP address) Professional information (employer, team name, role, job title) Location information (country/region and geo-location derived from IP address) Platform performance metrics and assessment data Cookie data (see cookie policy for more information) Code commit metadata, including committer name/email (if Trust Agent is installed). Refer to this Knowledge Base article for more info.
Participants in tournaments, competitions or other promotional activities	Email address Name (first and last) Location information (country/region, unless postal address required for delivery of physical prize)
Software integration users	Product analytics and technical data related to use and interaction with our software integrations and API calls Security vulnerability data
Trust Agent users	Code commit metadata, including committer name/email. Refer to this Knowledge Base article for more info. [GitHub App only] SCW will inspect the contents of files modified in each commit to identify specific languages and frameworks in use. This data is discarded immediately after analysis and is never stored
Business contacts and representatives (such as customers, prospective customers, partners and suppliers)	Phone number Email address Name (first and last) Professional information (employer, role, job title) Location information (country/region)
Recruitment candidates	Phone number Email address Name (first and last) Qualifications Information contained in resume
Anyone who corresponds with us by post, email, social media or any other method	This will vary depending on the method of communication, but will include any information that has not been withheld (such as your phone number, email address or display name) and any information you have purposefully disclosed in your correspondence with us.

2.2
Secure Code Warrior generally collects personal data when you contact or communicate with us directly. However, there may be circumstances where we collect information about you from third parties or via other methods. In some cases, we may receive personal data about you from a customer in the context of providing services to that customer. We may also receive information about you from a partner in the context of that partner providing services to us.

2.3
For more information about our use of cookies on our website and platform, please refer to our cookie policy.

2.4
If you do not provide some requested information, we may be delayed or prevented from providing you with our services or addressing a request/inquiry related to our processing of your personal data.
‍

3. Use and disclosure

3.1
Secure Code Warrior is the data controller where we determine the purpose and means of processing personal data. In accordance with applicable data protection and privacy laws, we will only process your personal data if we have a lawful basis for doing so.

Please refer to the below table for a summary of why we may process your personal data and our lawful bases for doing so. If you are not an EEA/UK data subject, the lawful bases for processing may not apply, but our purposes for processing still stand.

When processing your personal data is in our legitimate interest to…
Website users	provide, operate, maintain, improve, and promote our Websites and Services enable you to access and use our Websites and Services investigate and prevent fraudulent transactions, unauthorised access to our services, and other illegal activities
Platform users	carry out market research campaigns so that we can better understand the functionality of our platform and how we can improve our platform and services. prepare statistics on how our users engage with our platform and services to better understand and improve them. provide customers with metrics and visualisations related to the training performance of their users record and review customer service communications for training and performance improvements to enable us to improve customer services receive and respond to communications and requests create marketing cohorts based on the analytics information generated by our platform
Business contacts and representatives (such as customers, prospective customers, partners and suppliers)	send and receive business communications administer our relationship inform prospective customers and contracts about our services send promotional and marketing materials related to the services you have purchased
Recruitment candidates	consider applications for roles for which you may have applied negotiate employment opportunities obtain references from former employers
Anyone who corresponds with us by post, email, social media or any other method	respond to you and follow up with related/requested information at a later date
When processing is necessary…
Business contacts and representatives (such as customers, prospective customers, partners and suppliers)	for the performance of a contract to which you are party in order to take steps prior to entering into a contract
We have your consent to…
Website users	send promotional and marketing materials about us and our partners monitor and analyse trends, usage, and activities in connection with our website and services for promotional and marketing purposes personalise our website and services, including by providing features or advertisements that match your interests and preferences
Platform users	send promotional and marketing materials about us and our partners
Participants in tournaments, competitions or other promotional activities	send promotional and marketing materials about us and our partners send you a physical prize
Business contacts and representatives (such as customers, prospective customers, partners and suppliers)	send promotional and marketing materials about us and our partners

3.2
We will only process your personal data for a) the purposes listed above, or b) other related compatible purposes for which you would reasonably expect us to use it (and in such circumstances where the lawful bases are also aligned). We may also process your personal data for other purposes, but only where you have provided your express consent.

3.3
You will always have the opportunity to unsubscribe to marketing materials. You can do so by clicking the ‘unsubscribe’ links included in our messages, or by contacting us at support@securecodewarrior.com

3.4
Secure Code Warrior may disclose your personal data to fulfil the purposes outlined above. This will include sharing your personal data with other members of our corporate group (Appendix A) and with the below categories of third party service providers (‘processors’) depending on your relationship with us:

‍

We share personal data with processors who assist with and enable…
The hosting of our website, products/service, infrastructure and related databases
Product/service support, feedback and feature requests
Email communications and consent management
Analytics for our products/services, and our sales and marketing teams
Delivery of physical and virtual prizes or rewards

For a list of third-party service providers engaged by us to process personal data on behalf of our customers (‘sub-processors’), please refer to: https://www.securecodewarrior.com/trust/sub-processors

3.5

Secure Code Warrior may also disclose your personal data:

a) to specialist advisers who have been engaged to provide us with legal, accounting, administrative, financial, insurance, research, marketing or other services;
b) to law enforcement bodies and/or any other relevant supervisory/data protection authorities which may have a reasonable requirement to access your personal data; and
c) to any other person authorised and specified by you.
d) where required or authorised by or under the applicable data protection law or an order of a court or tribunal;
e) in accordance with the applicable data protection law, including where we hold a reasonable belief that the processing or disclosure is required for certain enforcement or health and safety purposes, or that processing or disclosure is necessary in relation to certain suspected unlawful activity or misconduct;
f) whilst negotiating any takeover, purchase, merger, joint venture, partnership or other similar arrangement; or
g) if reasonably necessary for the establishment, exercise or defence of a legal or equitable claim or for the purposes of confidential alternative dispute resolution.

3.6
At other times, we may notify you about additional disclosures relating to specific services.
‍

4. International transfer of personal data

4.1
Given the nature of our business and corporate structure, we may disclose your personal data internationally to one of our related companies (Appendix A) or external service providers (Section 3.4) for the provision and improvement of our services. Where the recipient territory does not offer the same level of privacy and data protection legislation, we will ensure that adequate safeguards are in place to protect your personal data.

For information about transfers of personal data, please refer to our page on international transfers of personal data or contact support@securecodewarrior.com

4.2
Secure Code Warrior Inc. complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively ‘Data Privacy Framework’ or ‘DPF’), and we have certified to the U.S. Department of Commerce that we adhere to the corresponding principles of each DPF to process personal data received from the EU, UK and Switzerland.

The Federal Trade Commission (FTC) has jurisdiction over Secure Code Warrior Inc. and our compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Secure Code Warrior commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the relevant DPF principles, the DPF principles shall govern. When we receive information under the DPF and then transfer it to a third-party service provider acting on our behalf, we remain liable if they process the information in a manner inconsistent with the DPF and are responsible for the event giving rise to the damage.

Please see Section 9 below for how you can contact us or our regulators should you have a complaint related to our compliance with the DPF principles.

To learn more about the DPF program, and to view our certification, please visit
https://www.dataprivacyframework.gov/

5. Storage and Security

5.1
We may hold your personal data in a number of different formats (either on or off site), including software programs, databases, filing systems and in backup storage.

5.2
For more information about how we protect your data, please visit our Trust Center.
‍

6. Retention

6.1
Our data retention periods vary depending on your relationship with us. Please see the table below for more detail.

If you are a…	Unless otherwise requested, we will retain your personal data…
Website users	For twelve (12) months from the date of our last contact with you
Platform users	While you have access to our platform, then for a following twelve (12) months
Participants in tournaments, competitions or other promotional activities	For the duration of the event or promotion, then for a following twelve (12) months
Prospective customers	For twenty-four (24) months from the date of our last contact with you
Business contacts and representatives (such as customers, partners and suppliers)	For seven (7) years from the date of our last contact with you
Recruitment candidates	For twelve (12) months for unsuccessful candidates
Anyone who corresponds with us by post, email, social media or any other method	For twelve (12) months from the date of our last contact with you

6.2
Where we receive personal data that was not requested from us or was sent to us in error, we will delete and destroy that information as soon as is practicable. With your consent, if the information was sent for the purpose of securing employment with us, we may keep this information subject to the retention periods in the above table.

7. Your rights

7.1
You may have certain rights relating to your personal data, including the right to:

a) request access to your personal data;
b) request correction of the personal data that we hold about you as described below;
c) where required by law, request erasure of your personal data where there is no good reason for us continuing to process it or where you have exercised a right to object to processing (see (d) below);
d) object to processing of your personal data where we are relying on a “legitimate interest” (or the interests of a third party) and there is no compelling reason for us to continue processing your personal data;
e) object to processing your personal data for direct marketing purposes;
f) object to automated decision-making including profiling by us using your personal data which has a legal effect or similar significant effect on you;
g) request the restriction of processing of your personal data (for example, to suspend the processing of your personal data due to inaccuracy or our stated reason for processing it);
h) request that we provide you or a third party the personal data we hold regarding you in an electronically useable format; and
i) withdraw your consent for those purposes where we rely on consent, in which case we will no longer process your information for the purpose or purposes to which you originally consented, unless we have another lawful basis for doing so.

7.2
Please also note that your rights above are not absolute, may vary depending on applicable data protection law, and we may be unable to comply with your request (in whole or in part). If we reasonably determine that your request is manifestly unfounded, we reserve the right to refuse to comply with your request. We will provide you with a basis for any objection in this case.

7.3
If you wish to exercise a right that you have regarding your personal data, please contact us at support@securecodewarrior.com. We will process your request within a reasonable time and respond within one month from the date of receipt. In the event of particularly complex requests, we may have to extend this period by up to two further months, but we will notify you of this.

7.4
If you have cause for complaint about our processing of your personal data, you have the right to lodge a complaint with your national data protection supervisory authority (Section 9.2 for details), although we ask that you contact us in the first instance at support@securecodewarrior.com

8. Changes to our privacy policy

8.1
This privacy policy was last updated on March 23rd 2025.

8.2
We may amend our privacy policy occasionally by publishing a revised version on our website, or supplement its terms with additional notices. Any changes will be effective as of the date they are published. In the event of any material changes to this privacy policy, we may also take additional reasonable steps to notify you of the changes.

9. Contact details

9.1
If you have any questions in relation to privacy, wish to access or correct your personal data, or make a complaint, please contact us at support@securecodewarrior.com

9.2
For more information about data protectionprinciples and obligations, or to raise a complaint with our regulators, please refer to the following websites:

Office of the Australian Information Commissioner (Australia) - www.oaic.gov.au
European Data Protection Board (EU/EEA) - https://edpb.europa.eu/edpb_en
Information Commissioner’s Office (UK) - www.ico.org.uk
Federal Data Protection and Information Commissioner (Switzerland) - https://www.edoeb.admin.ch/edoeb/en/home.html

9.3
If you have a complaint related to our compliance with the DPF principles (see Section 4.2 above), you may:

Contact us directly at support@securecodewarrior.com
Contact the free independent recourse mechanism listed under ‘Dispute Resolution’ on our DPF certification page.
Contact your local data protection authority (see Section 9.2 above).
Contact the U.S. Federal Trade Commission (FTC) using their report service.
If (1) to (4) have been exhausted with no resolution, you may also invoke binding arbitration via the International Centre for Dispute Resolution.

APPENDIX A - SECURE CODE WARRIOR ENTITIES

SCW Entity	Incorporation	Company No	Address
Secure Code Warrior Ltd	England and Wales	08559432	Ironstone House 4 Ironstone Way Brixworth Northampton NN6 9UD
Secure Code Warrior Inc.	Delaware (U.S.A)	-	265 Franklin st. Suite 1702 Boston MA 02110
Secure Code Warrior BVBA	Belgium	-	Baron Ruzettelaan 5 bus 3 8310 Brugge
Secure Code Warrior Pty Ltd	New South Wales (Australia)	608 498 639 (ACN)	C/- Level 3 360 Kent Street Sydney 2000
SCW ehf	Iceland	-	Katrinartun 4 105 Reykjavik

‍

APPENDIX B - SECURE CODE WARRIOR WEBSITES

www.securecodewarrior.com

help.securecodewarrior.com

learn.securecodewarrior.com

portal.securecodewarrior.com

Document summary

At Secure Code Warrior, your privacy is important to us and we take our data protection and privacy obligations seriously. Our privacy policy explains how we handle (or ‘process’) your personal data and your related data protection rights. It covers all our activities, products and services including our learning platform, websites, social media channels and recruitment. Read our full Privacy policy below or click on the button to download the PDF.

Download PDF

Appendix A - Secure Code Warrior Legal Entities

a. ENGLAND AND WALES
Secure Code Warrior Limited
Company Number 08559432
Ironstone House
4 Ironstone Way
Brixworth, Northampton. NNG 9UD
United Kingdom

b. NEW SOUTH WALES
Secure Code Warrior Pty Limited
ABN 97 608 498 639
c/o Vital Addition
5, 120 Sussex Street
Sydney. NSW 2000
Australia

c. BELGIUM
Secure Code Warrior BVBA
Baron Ruzettelaan 5
bus 3 8310 Brugge
Belgium

d. DELAWARE
Security Code Warrior Inc
265 Franklin Street, Suite 1702
Boston MA 02110
USA

e. ICELAND
Motherji ehf
Borgatun 24, 105,
Reykjavik,
Iceland

Appendix B - Collection of Personal Information

a. PLATFORM USER

User email address (username)
First Name, Last Name
Employer/Company Name/ Team name
Test results /Metrics information/Assessment data
IP Address (Anonymised)
Machine ID (Anonymised)
Geo-location (derived from IP)
Password
Roles/Job Title
Inviter details (email address of inviter/First Name/Last Name)
Country/Region
Browser Type
Phone Number*

* Only required for Trial Users

Whilst you have access to our platform, and thereafter for a period of 12 months, unless otherwise agreed.

CUSTOMERS

Name
Business Email Address
Phone Number
Employer/Company Name
Job Title
Billing address
Company/Tax Registration Number

We will retain this information in accordance with applicable laws and our privacy policy for a period of 7 years from the date of our last contact with you unless, where you are entitled, request that we delete this information.

‍
PRospects / leads

Name
Business Email Address
Phone Number
Employer/Company Name
Job Title
Physical Location

We will retain this information for a period of 24 months from the date of our last contact with you unless, where you are entitled, request that we delete this information.

PARTICIPANTS IN TOURNAMENTS AND / OR COMPETITIONS: Registrant / participant

Name
Email address
Physical address in circumstances where there may be a physical prize to be delivered
Country/Region

We will retain this information for the duration of the Competition, and for a period of 12 months from the date of our last contact with you unless, where you are entitled, request that we delete this information

SUPPLIER

Name
Business/Company Name
Email Address
Phone Number
Bank Details
Billing address
Company/Tax Registration Number

We will retain this data for up to 7 years from our last contact with you, unless you request that we delete the data beforehand.

recruitment candidates

CV/ Resume
Phone Number
Date of Birth
Qualifications
Email address
Physical address (if provided)

For unsuccessful we will retain this data for a period of twelve (12) months so that we may contact you regarding any future opportunities, unless you request that we delete the data beforehand.

Website visitor

Name³
Contact information³ (company, role/title, business email address and phone number)
IP Address¹
Cookie Data¹ ²

¹ When you communicate with us through our websites:
We use Drift as one of our chatbots to allow customers to interact with us through our websites. Drift will only use the IP address for data enrichment, i.e. to determine if it is associated with a business to provide Secure Code Warrior with information such the industry and # of employees of the business.

Drift will only use cookies to track the activities of site visitors within Secure Code Warrior’s sites, e.g. whether they visited a particular product page or the pricing page before engaging with the messaging widget. Drift will NOT track users across domains or build profiles.

² Cookiebot

We use Cookiebot to manage all cookies across our websites. Cookiebot allows Secure Code Warrior to:

Enable prior consent.
Provide clear and specific information about data types and purpose of the cookies.
Fully document all given consents.
Allow our visitors to reject superfluous cookies and still use our websites.
Allow our visitors to withdraw their consent whenever they want.

³ Information is collected after consent is given

Refer to our cookie policy

We will retain this data for a period of 12 months from the date of our last contact with you unless, where you are entitled, request that we delete this information.

Appendix C - Purposes for which we process your personal information, and the lawful basis on which we carry out such processing

1. PLATFORM USER

1.Necessary to enable us to perform our contract with you:

to set up, administer and manage a user’s account, verify a user’s identity, provider users with our platform and services, and to receive and respond to a user’s communications and requests.
to notify our users of updates to our platform and services necessary for the performance of the contract we have with you.
to support any other purpose necessary for performance of our contractual obligations or specifically stated at the time at which you provided your personal information.

2. Necessary for the performance of our contract with you where such communication relates specifically to our services, and legitimate interest to be able to handle such queries:

to receive and respond to a user’s communications and requests.

3. For legitimate interest to enable Secure Code Warrior to:

carry out market research campaigns so that we can better understand the functionality of our platform and how we can improve our platform and our services.
prepare statistics relating to the use of our platform and services by our users so that we can understand the use of, and improve our platform and services.

4. For legitimate interests to allow Secure Code Warrior to improve customer services offering:

to record and review customer service communications for training and performance improvements to enable us to improve customer services.
To enable Secure Code Warrior to comply with legal obligations.

5. With consent:

to send users marketing materials where marketing materials have been specifically requested.

2. Customers

1. Necessary for the performance of a contract

conducting business and make our services available to customers,

2. For legitimate interests to enable Secure Code Warrior to conduct business

to send and receive business communications
to administer our relationship with customers, prospective customers and business contacts

3. For legitimate interests to contact those who may benefit from our services

informing prospective customers and business contacts about our services.

4. With consent

to send out marketing materials where these have been specifically requested.

3. email contact / prospective customer

1.For legitimate interests to enable Secure Code Warrior to conduct business

to send and receive business communications
to administer our relationship with customers, prospective customers and business contacts

2. For legitimate interests to contact those who may benefit from our services

informing prospective customers and business contacts about our services.

3. With consent

to send out marketing materials where these have been specifically requested.

‍
4. participants in tournaments and / or competitions: registrant / participant

1. Necessary for the performance of our contract with you, namely for the running of the competition and/ or tournament

2. With consent: to send out marketing materials

‍

5. SUPPLIER

1. For legitimate interests to enable Secure Code Warrior for the performance of a contract where the supplier is an individual

to assess and appoint suppliers
Legitimate interests to conduct business

2. To send and receive business communications.

3. To administer our relationship with our suppliers.

6. recruitment candidates

To enable Secure Code Warrior to recruit employees and assess potential candidates, that is to:

consider applications for roles for which you may have applied, directly or via a recruitment, and the negotiation of employment opportunities,
consider applicants for other roles within Secure Code Warrior for which they may be suited,
obtain references from former employers.

7. website visitor

For legitimate interest to enable Secure Code Warrior to,

provide, operate, maintain, improve, and promote our Websites and Services;
enable you to access and use our Websites and Services;
send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners (you can opt-out of receiving marketing communications from us by unsubscribing from any communication we send you);
monitor and analyze trends, usage, and activities in connection with our Websites and Services and for marketing or advertising purposes;
investigate and prevent fraudulent transactions, unauthorized access to our Websites and Services, and other illegal activities;
personalize our Websites and Services, including by providing features or advertisements that match your interests and preferences; and for other purposes for which we obtain your consent.

Appendix D - Secure Code Warrior Related Websites

securecodewarrior.com
help.securecodewarrior.com
discover.securecodewarrior.com
leadersinappsec.com
leadersindevsec.com
softwaresecuritygurus.com
scw.io
learn.securecodewarrior.com

Our approach to security and privacy

Visit our Trust Center to learn more about the security and privacy practices that safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Visit Trust Center

Developer-driven coding.

Securely.

Contact us today and make software security an intrinsic part of your development process.

Book a demo