mallcop

Privacy Policy

Effective Date: March 14, 2026
Last Updated: March 14, 2026

Third Division Labs LLC
A Massachusetts Limited Liability Company


1. Who We Are

Mallcop is a security monitoring tool for small cloud operators. It is operated by Third Division Labs LLC, a Massachusetts limited liability company ("we," "us," "our," "3DL," or "Third Division Labs").

This Privacy Policy applies to:

  • The mallcop.app website and dashboard (the "Site")
  • The Mallcop Pro account and inference services (the "Service")
  • Any interactions between your Mallcop CLI and our servers

It does not apply to the Mallcop open-source CLI itself, which runs entirely in your own environment. When you run the Mallcop CLI locally, no data is sent to us unless you have a Mallcop Pro account and are using managed inference.

For questions or privacy requests, contact: privacy@mallcop.app


2. What We Collect and Why

We collect only what we need to run the service. This section is specific and complete.

2.1 Account Information (collected at sign-up)

When you create a Mallcop Pro account via GitHub OAuth, we receive and store:

Field | Source | Why We Store It
Email address | GitHub | Account identification, transactional email (billing, security alerts)
GitHub username | GitHub | Account display, support identification
GitHub user ID | GitHub | Stable identifier linking your account across username changes
Avatar URL | GitHub | Dashboard display only

We do not receive your GitHub repositories, code, commits, or any data about your GitHub activity during sign-up. GitHub OAuth grants us only the read:user and user:email scopes necessary for account creation.

Legal basis (GDPR): Performance of a contract — you need an account to use the Service.

2.2 Billing Information

We use Polar as our payment processor and merchant of record. Polar handles all payment transactions, billing, and subscription management.

We never see or store: credit card numbers, bank account details, or any payment instrument data.

What we receive from Polar:

  • A Polar customer ID (an opaque reference identifier)
  • A Polar subscription ID (to track your active plan)
  • Your plan tier and billing cycle dates

Polar's handling of your payment data is governed by Polar's Privacy Policy (polar.sh/privacy). By purchasing a subscription, you agree to Polar's terms.

Legal basis (GDPR): Performance of a contract.

2.3 Inference Usage Records (the "donut meter")

When you use Mallcop Pro for managed inference, we record:

Field | What It Is
Account ID | Which account consumed the inference
Timestamp | When the operation ran
Operation type | Category of operation (e.g., "triage", "investigate")
Model used | Which model was routed (e.g., "glm-4.7-flash")
Input token count | Number of tokens sent
Output token count | Number of tokens received
Donuts used | Billing units deducted

We do not store prompt content, findings data, event data, security context, or any content from your monitored environment. The inference proxy forwards your request to the model provider and returns the response. We record only the metadata above for billing and metering purposes.

This is functionally identical to how a cellular carrier tracks call minutes without recording call content.

Legal basis (GDPR): Performance of a contract (billing requires metering); Legitimate interests (fraud detection, capacity planning).

2.4 Findings Data in Your GitHub Repository

Mallcop stores its findings, events, and baseline data in a Git repository that you own and control. This is a core architectural principle: your security data never touches our servers.

The Mallcop dashboard reads findings from your repository via the GitHub API using the OAuth token you granted during sign-up. This read is performed in your browser session and via our proxy service. We do not store, cache, or persist findings data on our servers.

What this means in practice:

  • Your findings live in your GitHub repo. You control who has access.
  • We can read your findings to display them in the dashboard. We do not retain copies.
  • Revoking Mallcop's GitHub OAuth access immediately cuts off our ability to read your findings.

Legal basis (GDPR): Performance of a contract; your explicit consent (you configure which repository to use).

2.5 Inference Requests to Model Providers

When you use Mallcop Pro managed inference, your prompts (which may contain security finding details) are sent to an AI model provider for processing.

Which model provider receives your data depends on your sovereignty tier:

Tier | Providers | Data Routing
Open | Z.AI (GLM models), Alibaba (Qwen), DeepSeek | US AWS region (Bedrock); provider may be based outside the US/EU
US-only | AWS Bedrock US-region models only | Stays in AWS US regions
Anthropic | Anthropic API | Anthropic's servers and data handling policies

These requests are routed through our inference proxy running on AWS Bedrock (us-east-1). We act as a data processor when forwarding your requests. The model provider acts as a sub-processor.

Important: Prompts sent for inference may contain security finding details from your environment. Choose your sovereignty tier based on your data sensitivity requirements. If you are subject to data residency requirements, use the US-only or Anthropic tiers.

Legal basis (GDPR): Performance of a contract; your explicit consent to the sovereignty tier you selected.

2.6 Audit Log

We maintain a server-side audit log of security-relevant actions on your account:

  • Login events (success and failure)
  • Password changes, OAuth connection changes
  • Subscription changes
  • API key issuance and revocation
  • Inference proxy requests (account ID and timestamp only — no content)

The audit log records your IP address for each action. We retain the audit log for 90 days.

Legal basis (GDPR): Legitimate interests (security, fraud prevention, abuse detection).

2.7 Browser Storage (Dashboard Authentication)

When you sign in to the Mallcop dashboard, the dashboard application stores your session credentials in browser memory and uses a single temporary sessionStorage value during the OAuth flow. See Section 7 for the full browser storage disclosure.

We do not set server-side cookies, tracking cookies, advertising cookies, analytics cookies, or any third-party cookies.

2.8 What We Do Not Collect

To be explicit about what is outside our scope:

  • No telemetry from the Mallcop CLI — the CLI does not phone home. No usage data, error reports, or analytics are collected from your local installation.
  • No content from your monitored services — we never see your Azure logs, GitHub events, AWS CloudTrail, M365 audit logs, or any data from the platforms you monitor. That data lives in your environment.
  • No prompt content — inference request content is forwarded to the model provider and not stored by us.
  • No third-party tracking — no Google Analytics, no marketing pixels, no behavioral tracking.
  • No payment data — Polar handles payments end-to-end.

3. How We Use Your Information

We use the information we collect for the following purposes only:

Purpose | Data Used | Legal Basis (GDPR)
Providing and operating the Service | Account info, usage records, session cookie | Contract
Processing billing and managing subscriptions | Account info, Polar IDs, billing cycle dates | Contract
Routing inference requests to the correct model | Account ID, plan tier, sovereignty tier selection | Contract
Donut metering and overage billing | Usage records (tokens, donuts, timestamps) | Contract
Security and fraud prevention | Audit log, IP addresses, JTI blacklist | Legitimate interests
Responding to your support requests | Account info, usage records (as needed) | Legitimate interests
Legal compliance | As required by applicable law | Legal obligation

We do not:

  • Sell your data to third parties
  • Use your data for advertising or marketing
  • Share your data with third parties for their own commercial purposes
  • Use your security findings or inference prompt content for model training


4. Third-Party Services

The following third-party services process data in connection with Mallcop Pro. We share data with them only to the extent necessary to operate the Service.

4.1 GitHub (Microsoft Corporation)

What: OAuth authentication, user profile retrieval, findings data access.

Data shared: During OAuth, GitHub shares your username, email, user ID, and avatar with us. For dashboard display, we make read-only API calls to your configured findings repository.

Their privacy policy: github.com/privacy

Your control: You can revoke Mallcop's GitHub access at any time from your GitHub account settings (Settings → Applications → Authorized OAuth Apps). Revoking access will disable dashboard login and findings display.

4.2 Polar (Polar Software, Inc.)

What: Payment processing, subscription management, merchant of record.

Data shared: Name, email, and payment details you provide during checkout. We receive only opaque customer and subscription IDs in return.

Their privacy policy: polar.sh/privacy

Note: Polar acts as merchant of record, which means they handle tax collection and remittance. Your payment relationship is with Polar, not Third Division Labs.

4.3 AWS Bedrock (Amazon Web Services, Inc.)

What: AI inference for managed Mallcop operations. Our inference proxy runs on Azure Container Apps and routes requests to AWS Bedrock.

Data shared: Inference prompts (which may contain security finding summaries from your environment, depending on the operation type). AWS receives these as API requests under our account.

Sovereignty note: AWS Bedrock processes requests in the AWS region we specify (us-east-1 by default). Model providers whose models are hosted on Bedrock (Z.AI, Alibaba, DeepSeek, Mistral, etc.) may have their own data handling practices at the model layer. AWS's foundational security and data handling apply at the infrastructure layer.

AWS privacy policy: aws.amazon.com/privacy

Your control: Select your sovereignty tier in your Mallcop configuration. US-only and Anthropic tiers keep inference within providers subject to US law and standard enterprise data commitments.

4.4 Microsoft Azure (Microsoft Corporation)

What: Hosting for Mallcop Pro services (Azure Container Apps, Azure Files for SQLite persistence). All backend services run in Azure us-east region.

Data stored on Azure: Account records, usage records, audit log (the database described in Section 2).

Azure privacy policy: privacy.microsoft.com

4.5 Model Providers (Open Sovereignty Tier)

If you use the Open sovereignty tier, your inference prompts may be processed by:

  • Z.AI (GLM models) — a Chinese AI company
  • Alibaba Cloud (Qwen models) — a Chinese technology company
  • DeepSeek — a Chinese AI company

These companies are based outside the EU and US. If your security monitoring environment involves sensitive data subject to data residency requirements (GDPR, HIPAA, ITAR, etc.), do not use the Open tier. Use the US-only tier (AWS-native models) or the Anthropic tier.

This is your decision to make. We provide the tier options and this disclosure. You select the tier that matches your sensitivity requirements.


5. Data Retention

Data Category | Retention Period | How Deleted
Account information (email, GitHub ID, plan) | Duration of account + 30 days after deletion request | Account deletion flow
Inference usage records | 12 months rolling | Automated deletion; on-demand via account deletion
Audit log | 90 days rolling | Automated deletion
Browser session state (JWT, GitHub token) | Duration of browser session | In-memory only; cleared on page close/refresh
sessionStorage PKCE verifier | Duration of OAuth flow (seconds) | Deleted by application immediately after OAuth completes
Billing identifiers (Polar IDs) | Duration of account (required for billing history) | Account deletion flow; Polar retains their own records per their policy
Findings data in your GitHub repo | Your control, not ours | Delete your deployment repository

When you request account deletion, we delete or anonymize your personal data within 30 days, except where we are required to retain records for legal compliance (e.g., tax records associated with payments, which Polar retains on our behalf).


6. Your Rights

6.1 Rights for California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the following rights:

Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You can request deletion of your personal information. We will honor deletion requests subject to limited exceptions (e.g., legal obligations).

Right to Opt Out of Sale: We do not sell personal information. There is nothing to opt out of.

Right to Non-Discrimination: Exercising your CCPA rights will not result in different service quality or pricing.

Categories of personal information we collect:

CCPA Category | Examples We Collect
Identifiers | Email, GitHub username, GitHub user ID, IP address, account ID
Internet or other electronic network activity | Session activity, API usage, inference operation logs
Commercial information | Subscription plan, billing cycle dates, donut balance
Geolocation data | IP-level geolocation (country/region, derived from IP in audit log) — not precise location

We do not collect: Social Security numbers, financial account numbers, health information, biometric data, contents of communications, precise geolocation.

To submit a CCPA request: Email privacy@mallcop.app with subject "CCPA Request" and describe what you are requesting. We will verify your identity by confirming your email address and may request additional verification. We respond within 45 days.

6.2 Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR/UK GDPR:

Right of Access (Article 15): Request a copy of the personal data we hold about you.

Right to Rectification (Article 16): Request correction of inaccurate personal data.

Right to Erasure (Article 17): Request deletion of your personal data, subject to our legal obligations and legitimate interests exceptions.

Right to Restriction (Article 18): Request that we limit how we process your data in certain circumstances.

Right to Data Portability (Article 20): Request a machine-readable copy of your personal data where processing is based on contract or consent.

Right to Object (Article 21): Object to processing based on legitimate interests. For audit log processing (security/fraud), we will assess whether our legitimate interests override your rights.

Right to Withdraw Consent: Where processing is based on consent (e.g., your selection of a sovereignty tier), you can withdraw consent at any time.

To exercise GDPR rights: Email privacy@mallcop.app. We respond within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).

Legal entity for GDPR purposes: Third Division Labs LLC is the data controller. We are not currently required to appoint an EU or UK representative given our limited scale and the nature of data we process, but we will monitor this as we grow.

International transfers: Your data is stored in Azure US-east. When we use model providers in the Open sovereignty tier, data may be transferred outside the EU. The legal basis for such transfers depends on the provider; AWS Bedrock operates under AWS's Standard Contractual Clauses. Open tier model providers (Z.AI, Alibaba, DeepSeek) do not have SCCs in place — do not use the Open tier for data subject to GDPR data residency requirements.

6.3 Right to Delete Your Account (All Users)

Any account holder can request full account deletion at any time by emailing privacy@mallcop.app. We will:

  1. Delete your account and all associated personal data within 30 days
  2. Confirm deletion by email
  3. Retain only what we are legally required to keep (tax-related records via Polar)

Your findings data in your GitHub repository is not affected — that is your data in your repo. Delete it yourself by deleting the repository.


7. Cookies and Browser Storage

We use minimal browser storage for authentication. We do not use tracking cookies.

7.1 What We Store in Your Browser

Storage Mechanism | Name | Purpose | Duration | Type
sessionStorage | pkce_verifier | Temporary PKCE code verifier during GitHub OAuth flow | Deleted immediately after OAuth completes | First-party, cleared on tab close
Memory (JavaScript) | Auth state (JWT + GitHub token) | Dashboard session authentication — JWT and GitHub OAuth token held in Preact application state | Duration of your browser session; cleared on page close or refresh | In-memory only, never written to disk

No persistent cookies are set by mallcop.app. The JWT used for dashboard authentication is held in browser memory only, not written to a cookie or localStorage. This means:

  • Your session ends when you close the tab or refresh the page
  • There is no persistent identifier stored on your device between sessions
  • The PKCE verifier is a one-time value that exists only during the OAuth redirect and is deleted immediately after

7.2 What We Do Not Use

  • No cookies of any kind (no session cookies, no tracking cookies, no analytics cookies)
  • No localStorage or IndexedDB for session persistence
  • No third-party tracking or analytics scripts
  • No advertising or remarketing cookies
  • No cross-site tracking

Because we set no persistent cookies and use no tracking scripts, a cookie consent banner is not required for EU visitors under the ePrivacy Directive. The sessionStorage use is strictly necessary for the OAuth flow to function and requires no consent.


8. Security

We implement security practices appropriate for a small SaaS:

  • Encryption in transit: All connections to mallcop.app use TLS 1.2 or higher. The Caddy reverse proxy enforces HTTPS with HSTS.
  • Encryption at rest: Azure Files (where the SQLite database lives) is encrypted at rest using Azure-managed keys.
  • Authentication: JWT-based sessions with signed tokens. JTIs are blacklisted on logout to prevent token reuse.
  • Secrets management: Credentials and API keys are stored as Azure Container Apps secrets, not in code or environment files.
  • Audit logging: Security-relevant account actions are logged with timestamps and IP addresses (see Section 2.6).

Limitation: We are a small company without a dedicated security team. We do not hold SOC 2, ISO 27001, or similar certifications. We do not guarantee that our security measures are complete or that your data will never be subject to unauthorized access. If you become aware of a security vulnerability in Mallcop Pro, please report it to security@mallcop.app.


9. Children's Privacy

Mallcop is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact privacy@mallcop.app and we will delete it promptly.


10. Changes to This Policy

We may update this Privacy Policy as the Service changes. When we make material changes, we will:

  1. Update the "Last Updated" date at the top of this page
  2. Send an email notification to registered account holders at least 14 days before the change takes effect
  3. Post a notice on the mallcop.app dashboard

Your continued use of the Service after the effective date of a material change constitutes your acceptance of the updated policy. If you do not agree to a change, you may close your account before the change takes effect.

For non-material changes (e.g., clarifications, corrections, adding third-party subprocessors we already use), we may update the policy without notice beyond updating the date.


11. Contact Us

For privacy questions, requests, or concerns:

Email: privacy@mallcop.app

Mailing address:
Third Division Labs LLC
c/o Northwest Registered Agent Service Inc
82 Wendell Ave, Ste 100
Pittsfield, MA 01201
Massachusetts, USA

For security vulnerability reports: security@mallcop.app

We aim to respond to all privacy requests within 5 business days and to complete requests within the timeframes required by applicable law (30 days for GDPR; 45 days for CCPA).


Appendix A: Data We Do NOT Have (Common Misconceptions)

Security monitoring tools raise legitimate questions about data access. Here is an explicit accounting of what we do not have:

We do not have:

  • Your Azure logs, AWS CloudTrail events, GitHub events, M365 audit logs, or any other events from the platforms you monitor — these live in your Mallcop deployment repo
  • The content of your security findings — findings are stored in your GitHub repo and displayed via browser-side API calls
  • Your prompts to the AI models — these are forwarded to the model provider and not retained by us
  • Your source code or any content in your GitHub repositories beyond the findings repo you configure
  • Your SSH keys, API keys, credentials, or secrets from your environment — the CLI runs locally and never sends credentials to our servers
  • Any data about your employees, customers, or users — we only see your account info

The architecture is designed so that sensitive security data stays in your environment. We sell compute tokens (donuts), not security-as-a-service. Our servers never see what you're monitoring.


Appendix B: Subprocessor List

The following subprocessors have access to personal data as part of operating the Service:

Subprocessor | Purpose | Location | Privacy Reference
GitHub (Microsoft) | OAuth authentication | US | github.com/privacy
Polar | Payment processing, merchant of record | US | polar.sh/privacy
Amazon Web Services | Inference proxy hosting (Bedrock) | US (us-east-1) | aws.amazon.com/privacy
Microsoft Azure | Account service hosting, database | US (eastus) | privacy.microsoft.com
Z.AI | GLM model inference (Open tier only) | China | z.ai
Alibaba Cloud | Qwen model inference (Open tier only) | China | alibabacloud.com/privacy
DeepSeek | DeepSeek model inference (Open tier only) | China | deepseek.com/privacy

Open-tier subprocessors are only engaged if you have selected the Open sovereignty tier. US-only and Anthropic tier users do not have data sent to Chinese-origin model providers.

We will update this list when we add or remove subprocessors. Updates that add new subprocessors will be accompanied by notice per Section 10.


This Privacy Policy was drafted by Third Division Labs LLC with the assistance of an AI legal research tool. It is intended to be accurate and complete based on the current Service design. It is not a substitute for professional legal advice. We recommend review by a licensed attorney before launch and whenever material Service changes occur.

mallcop is open source under the Apache 2.0 license. Built by Third Division Labs.
