BLACK KITE PRIVACY NOTICE
Last updated Apr 22, 2026
Version: 2.0
Effective Date: April 22, 2026
Replaces: Privacy Notice dated June 21, 2023
Owner: Bob Maley, Chief Security Officer
GRC Contact: Michael Sillanpaa, Director, GRC — [email protected]
Legal Entity: NormShield, Inc. dba Black Kite | 800 Boylston St, Suite 2905, Boston, MA 02199
1. INTRODUCTION
Black Kite® (NormShield, Inc.) operates a third-party cyber risk intelligence platform and associated websites, including blackkite.com and cyber.riskscore.cards. This Privacy Notice describes how Black Kite collects, uses, shares, and protects personal information in connection with:
- Our websites and marketing properties ("Websites")
- Our software platform, services, and applications ("Services")
- Events, webinars, and conferences we host or participate in ("Events")
- Employment applications and HR processes ("Employment")
This Notice applies to all individuals whose personal data Black Kite processes, including website visitors, platform users, prospective customers, event registrants, job applicants, and employees. It covers all jurisdictions in which Black Kite operates or whose residents interact with our Websites or Services.
Black Kite does not process healthcare data, patient data, cardholder data, or financial account numbers. References to personal information in this Notice pertain to business and professional contact data, platform usage data, and related operational data only.
2. WHO WE ARE AND HOW TO CONTACT US
The data controller for personal information processed through our Websites, Services, and Events is:
Legal Entity: NormShield, Inc. dba Black Kite
Address: 800 Boylston St, Suite 2905, Boston, MA 02199
Email: [email protected]
Trust Center: https://trust.blackkite.com
For data subjects in the European Economic Area (EEA), UK, or Switzerland, Black Kite acts as a data controller for personal data processed in connection with Websites and Events, and as a data processor for personal data processed on behalf of platform customers.
For employment-related data, Black Kite acts as the data controller for all applicant and employee personal information.
3. WHAT INFORMATION WE COLLECT
3.1 Information You Provide
Websites and Events
- Contact details: name, email address, phone number, job title, company name
- Demo and inquiry form submissions
- Event and webinar registration information
- Survey and feedback responses
- Correspondence and support communications
Platform Services
- Account registration data: name, email address, username, job title
- Content you upload or input into the platform
- Support requests and communications
Employment
- Application materials: resume, cover letter, work history, education, references
- Contact and identification information
- Right-to-work documentation
- Information provided during interviews or assessments
- Background check results (where legally permitted and required)
3.2 Information We Collect Automatically
- Device identifiers and IP addresses
- Browser type, version, and settings
- Pages visited, time on page, referring URLs, click paths
- Platform usage and feature interaction data
- Log files and session data
- Cookie and tracking technology data (see Section 8)
3.3 Information From Third Parties
- Publicly available business contact data from commercial data providers for marketing purposes
- Information from analytics and advertising partners
- Information provided by event co-sponsors with your consent
Black Kite combines third-party data with information we hold only where a valid legal basis exists and in accordance with this Notice.
4. HOW WE USE YOUR INFORMATION
4.1 Websites and Events
- Operating and improving our Websites
- Fulfilling demo, content, or information requests
- Delivering and administering events and webinars
- Marketing and demand generation (with appropriate consent or legitimate interest)
- Analytics and audience measurement
- Security monitoring and fraud prevention
4.2 Platform Services
- Provisioning and operating customer accounts
- Delivering contracted services
- Providing customer support and responding to inquiries
- Sending product updates, security notifications, and administrative communications
- Improving platform performance, reliability, and features
- Detecting and preventing unauthorized access and fraudulent activity
- Complying with legal obligations
4.3 Employment
- Evaluating job applications and conducting recruitment processes
- Communicating with applicants about their applications
- Conducting background checks and right-to-work verification where required
- Onboarding and managing the employment relationship
- Complying with employment law obligations
4.4 Legal Bases for Processing (EEA, UK, and Switzerland)
For data subjects in the EEA, UK, and Switzerland, Black Kite processes personal data under the following legal bases:
| Legal Basis | Examples of Processing |
|---|---|
| Contract performance | Delivering platform services; managing accounts |
| Legitimate interests | Marketing to business contacts; security monitoring; analytics; fraud prevention |
| Legal obligation | Regulatory compliance; responding to lawful government requests |
| Consent | Marketing communications where consent is required; optional cookies and tracking |
5. HOW WE SHARE INFORMATION
5.1 Subprocessors and Service Providers
Black Kite shares some personal data with subprocessors. Subprocessors with access to customer data are listed at: https://trust.blackkite.com/subprocessors
This list is maintained on a live basis. All subprocessors operate under data processing agreements and are contractually required to maintain appropriate safeguards.
5.2 Business Transfers
In the event of a merger, acquisition, financing, restructuring, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to or acquired by a third party. We will provide notice before personal data becomes subject to a materially different privacy policy.
5.3 Corporate Group
Black Kite may share personal data with parent companies, subsidiaries, and affiliates for purposes consistent with this Notice and subject to equivalent data protection obligations.
5.4 Legal Compliance and Protection
Black Kite may disclose personal information where required by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Black Kite, our personnel, customers, or others. Black Kite will not voluntarily disclose personal data to law enforcement without the consent of the relevant data controller or data subject, except where legally compelled.
5.5 Event Sponsors
When you register for an event or webinar co-sponsored by a third party, we will ask for your consent before sharing your contact details with that sponsor. You may opt out at registration or at any time by contacting [email protected].
5.6 Advertising Partners
We work with third-party advertising partners who may set cookies and collect data to deliver interest-based advertising. Some of this sharing may constitute a "sale" or "sharing" of personal data under California law. You have the right to opt out. See Section 10 for California-specific rights and Section 8 for cookie controls.
6. INTERNATIONAL DATA TRANSFERS
Black Kite is headquartered in the United States. All production customer data is stored and processed exclusively in U.S.-based Google Cloud Platform regions. No production customer data is accessible from or processed outside the United States.
Black Kite also maintains engineering and operations functions in Istanbul, Turkey. Personnel at this location do not have access to production customer data.
For data subjects in the EEA, UK, Switzerland, and other jurisdictions with data transfer restrictions, Black Kite implements appropriate safeguards for cross-border transfers of personal data, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission and/or the UK Information Commissioner's Office, as applicable
- Adequacy decisions where the receiving country has been deemed to provide adequate protection
Copies of applicable transfer mechanisms are available upon request at [email protected].
7. DATA RETENTION
Black Kite retains personal information for as long as necessary to fulfill the purposes for which it was collected, satisfy applicable legal, regulatory, contractual, or audit obligations, or as otherwise required by law.
Key retention principles:
- Platform customer data: retained for the duration of the customer relationship and for a defined period thereafter to meet legal and contractual obligations, then securely deleted or de-identified
- Marketing and website contact data: retained until opt-out or upon request, subject to applicable legal retention requirements
- Employment data: retained in accordance with applicable employment laws; unsuccessful applicant data deleted or anonymized within a reasonable period unless otherwise required
- System and security logs: minimum one year
- PII processed in connection with a legal or regulatory obligation: retained for the period required by that obligation
When personal data is no longer required, Black Kite securely deletes or de-identifies it. Paper records containing personal data are shredded. Electronic media is securely wiped prior to disposal or reuse.
8. COOKIES AND TRACKING TECHNOLOGIES
Black Kite uses cookies and similar technologies on our Websites to support site functionality, analyze usage, and deliver relevant advertising. We use a consent management platform to collect and manage your cookie preferences in compliance with applicable law.
8.1 Cookie Categories
- Strictly Necessary: Required for the Website to function. Cannot be disabled.
- Performance / Analytics: Help us understand how visitors use our Websites. Enabled only with consent where required.
- Functional: Remember your preferences and settings. Enabled only with consent where required.
- Targeting / Advertising: Used to deliver interest-based advertising. Enabled only with consent where required.
8.2 Managing Your Preferences
You can manage your cookie preferences at any time through the cookie preference center available on our Websites. You may also configure your browser to block or delete cookies; however, disabling certain cookies may affect Website functionality.
To opt out of interest-based advertising, visit the Digital Advertising Alliance at www.aboutads.info or the Network Advertising Initiative at www.networkadvertising.org.
Black Kite uses Google Analytics for website analytics. Google offers an opt-out browser add-on at https://tools.google.com/dlpage/gaoptout/.
8.3 Do Not Track
California and Delaware law require disclosure of our Do Not Track practices. Black Kite does not currently respond to browser Do Not Track signals. Your cookie preferences managed through our consent platform are the primary mechanism for controlling tracking on our Websites.
9. AUTOMATED DECISION-MAKING AND AI
The Black Kite platform uses artificial intelligence and automated processing to generate cyber risk assessments, ratings, and intelligence outputs about companies and their third-party ecosystems. These outputs are used by our customers as inputs to their own risk management decisions.
Black Kite's automated processing assesses company-level cyber posture based on external, observable technical signals. Where this processing produces outputs that may have a significant effect on individuals associated with those companies, affected individuals have the rights described in Section 11.
Black Kite does not use automated decision-making to make decisions solely about individual consumers that produce legal or similarly significant effects on those individuals without human review, except where permitted or required by applicable law.
For customers who are subject to GDPR Article 22, Black Kite provides documentation of the logic involved in automated risk scoring upon request. Contact [email protected].
10. YOUR PRIVACY RIGHTS
Depending on your jurisdiction, you may have the following rights regarding your personal data. Black Kite honors these rights for all individuals, regardless of jurisdiction, to the extent technically and operationally feasible.
| Right | Description |
|---|---|
| Access | Request a copy of the personal data Black Kite holds about you. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure (Right to Be Forgotten) | Request deletion of your personal data where there is no overriding legal basis for retention. Black Kite will notify relevant downstream processors of verified erasure requests. |
| Restriction | Request that Black Kite restrict processing of your personal data in specific circumstances. |
| Portability | Receive your personal data in a structured, machine-readable format and transfer it to another controller, where technically feasible. |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes. |
| Withdraw Consent | Withdraw consent for any processing based on consent, without affecting prior lawful processing. |
| Opt Out of Sale / Sharing | Opt out of the sale or sharing of personal data for cross-context behavioral advertising (California and other applicable states). |
| Non-Discrimination | Black Kite will not discriminate against you for exercising your privacy rights. |
| Automated Decision Review | Request human review of automated decisions that produce significant effects, where applicable under GDPR Article 22 or equivalent law. |
10.1 How to Submit a Request
Submit a Data Subject Access Request (DSAR) or any privacy rights request through the Black Kite DSAR Form. Black Kite will acknowledge your request within 10 business days. We will respond within 30 days. Where permitted by law, we may extend this period by up to an additional 15 days (45 days total for California residents) with notice.
We may need to verify your identity before fulfilling your request. Government-issued identification may be required. Authorized agents may submit requests on your behalf with a valid power of attorney and appropriate identification for both the agent and the data subject.
Records of all requests are retained for a minimum of 24 months.
10.2 No Fee
Black Kite does not charge a fee to process privacy rights requests, unless a request is manifestly unfounded, repetitive, or excessive, in which case a reasonable fee may apply or the request may be declined with explanation.
10.3 Right to Complain
If you are dissatisfied with our response, you have the right to lodge a complaint with your applicable data protection supervisory authority. Contact details for EEA, UK, Swiss, U.S., and Canadian data protection authorities are available at https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
11. JURISDICTION-SPECIFIC DISCLOSURES
11.1 EEA, UK, and Switzerland (GDPR and UK GDPR)
Black Kite's processing of personal data for EEA, UK, and Swiss residents is governed by the General Data Protection Regulation (GDPR) and applicable national implementations, including the UK GDPR. The rights in Section 10 apply in full. Legal bases for processing are described in Section 4.4. International transfer safeguards are described in Section 6.
11.2 California (CCPA / CPRA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the third parties with whom it is shared.
- Right to Delete: Request deletion of personal information subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale / Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising. Submit requests to [email protected] or use the opt-out mechanism on our Websites.
- Right to Limit Sensitive Personal Information: Limit the use of sensitive personal information to purposes necessary to provide the Services.
- Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment.
Shine the Light: California Civil Code Section 1798.83 provides California residents the right to request information about personal information shared with third parties for their direct marketing purposes. Submit requests to [email protected] with the subject line "Request for California STL Information."
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. Black Kite requires a valid power of attorney and government-issued identification for both the agent and the data subject.
CCPA Contact: Bob Maley, Chief Security Officer, [email protected], 800 Boylston St, Suite 2905, Boston, MA 02199.
11.3 Colorado, Connecticut, Virginia, and Utah
Residents of Colorado, Connecticut, Virginia, and Utah have privacy rights under their respective state laws, including rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights, submit a request to [email protected]. Black Kite will respond within the timeframes required by applicable state law. You may appeal a denial by contacting [email protected] with the subject line "Privacy Rights Appeal." If your appeal is denied, you may contact your state attorney general.
11.4 Canada (PIPEDA)
Black Kite processes personal information of Canadian residents in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Canadian residents have the right to access personal information held about them and to challenge its accuracy. To exercise these rights, contact [email protected]. Black Kite's designated privacy officer is Michael Sillanpaa, Director, GRC.
12. DATA SECURITY
Black Kite implements administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Key controls include:
- Multi-factor authentication on all systems where technically supported
- Role-based access control and least-privilege principles
- Continuous security monitoring and logging
- Annual third-party penetration testing (results available at https://trust.blackkite.com)
- SOC 2 Type 2 certification (available at https://trust.blackkite.com)
No transmission of data over the internet can be guaranteed completely secure. While Black Kite applies industry-standard safeguards, you transmit data to us at your own risk. If you have questions about our security practices, contact [email protected].
13. BREACH NOTIFICATION
In the event of a personal data breach, Black Kite will notify affected data subjects, data controllers, and applicable regulators in accordance with legal requirements and within required timeframes. Black Kite will not voluntarily disclose information about a security incident to law enforcement without the consent of the relevant data controller or data subject, except where legally required.
Black Kite has not experienced a security incident resulting in the unauthorized disclosure of customer data.
14. CHILDREN'S PRIVACY
Black Kite's Websites and Services are not directed to children. Black Kite does not knowingly collect personal information from:
- Children under 13 years of age (United States)
- Children under 16 years of age (EEA, UK, and most EU member states)
If Black Kite becomes aware that it has collected personal information from a child below the applicable age threshold without verified parental consent, it will delete that information promptly. If you believe a child has provided personal data to Black Kite, contact [email protected].
15. LINKED WEBSITES
Our Websites may contain links to third-party websites. Black Kite is not responsible for the privacy practices of those sites. This Notice does not apply to any third-party website. We encourage you to review the privacy notice of any third-party site you visit.
16. EMPLOYMENT AND JOB APPLICANTS
Black Kite processes personal data of job applicants and employees for the purposes of recruitment, hiring, onboarding, employment administration, and compliance with applicable employment laws. This includes contact and identification data, work history, compensation information, performance records, and right-to-work documentation.
Employee and applicant personal data is handled in accordance with this Notice and Black Kite's internal HR data handling procedures. Applicants who are not hired will have their data retained only for the period required by applicable law and then securely deleted.
Questions about employee or applicant data may be directed to [email protected].
17. CHANGES TO THIS NOTICE
Black Kite reviews this Privacy Notice at least annually and updates it to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated by posting a notice on our Websites and, where required by law, by direct notification to affected individuals.
The effective date at the top of this Notice indicates when it was last updated. Continued use of our Websites or Services after a material update constitutes acceptance of the revised Notice.
18. CONTACT
Privacy team: [email protected]
CSO: Bob Maley
GRC Director: Michael Sillanpaa — [email protected]
Mailing: 800 Boylston St, Suite 2905, Boston, MA 02199
Trust center: https://trust.blackkite.com
Subprocessors: https://trust.blackkite.com/subprocessors