Legal
Privacy notice
Updated 1 June 2026
We inspect API traffic for a living, so we are asked about this more than most. Here is exactly what we hold, why, and for how long — in plain sentences.
Scope
This notice covers goldeagle.io, the GoldEagle console, and the Radar, Sentinel, Talon and Vault products. It explains how GoldEagle Security Inc. acts both as a controller (for our own business data, such as your demo request) and as a processor (for the API traffic we inspect on a customer's instruction).
What we collect
When you contact us
- Your name, work email, company and stated API traffic volume.
- Anything you choose to write in the message field.
When you use the console
- Account identifiers, role, and authentication events.
- Actions you take — policies changed, keys rotated, strikes reviewed — held as an audit trail.
When you visit the site
- Page views, referrer, coarse region and device class, aggregated. No advertising trackers, no cross-site profiling, no data sold to anyone, ever.
Your API traffic
This is the part that matters. When we inspect traffic on your behalf, that traffic is yours, not ours.
- Redaction happens first. Fields you classify as sensitive are masked at the inspection point, before anything is written to storage.
- Metadata by default, bodies by exception. We retain method, path, timing, verdict and reason. Full request bodies are retained only for requests we struck, and only if you switch that on.
- Your region stays your region. Traffic inspected in the EU is processed and stored in the EU. The same applies to our US, UK and India regions.
- We do not train on it. Customer traffic is never used to build models sold to other customers.
How we use it
- To deliver the product: find your endpoints, enforce your policy, score and block abuse.
- To answer you when you ask us something.
- To keep the service safe and available, and to investigate incidents.
- To meet legal and audit obligations.
Our lawful bases are contract performance, our legitimate interest in operating a secure service, and consent where consent is the right basis. Nothing on this list includes advertising.
How long we keep it
- Demo requests: 24 months, then deleted.
- Traffic metadata: the retention window in your plan — 7 days, 90 days, or a period you set.
- Retained request bodies: 30 days by default; configurable down to zero.
- Audit logs: 7 years, because your auditor will ask for them.
- Backups: rolling 35 days, after which deletions become permanent.
Who else sees it
A short list, kept short on purpose. We use sub-processors for cloud hosting, error monitoring, email delivery and payments. Each is bound by a data-processing agreement, each is listed with its region in the console under Trust → Sub-processors, and you get 30 days' notice before we add one.
We disclose data to authorities only where we are legally compelled. When we are permitted to tell you, we tell you.
Your rights
Depending on where you live, you can ask us to give you a copy of your data, correct it, delete it, restrict how we use it, or hand it to someone else in a portable format. Write to privacy@goldeagle.io and we will answer within 30 days.
If the data in question is API traffic we process for one of our customers, we will pass your request to that customer, who is the controller of it.
Cookies
The marketing site sets one session cookie, used to protect forms against cross-site request forgery. The console sets a session cookie for authentication and a preference cookie for your theme. That is the whole list. There is nothing to opt out of because there is nothing tracking you.
How we protect it
- Encrypted in transit (TLS 1.3) and at rest (AES-256).
- Least-privilege access, reviewed quarterly. Production access is logged and time-boxed.
- SOC 2 Type II audited annually; penetration tested twice a year by an independent firm.
- A public bug-bounty programme, and a 24-hour acknowledgement promise for anything sent to security@goldeagle.io.
Changes
If we change something material, we will email account owners at least 30 days before it takes effect, and post the revision date at the top of this page. Older versions stay available in the console.
Contact
Data protection officer: privacy@goldeagle.io
GoldEagle Security Inc., 1 Aerie Way, San Francisco, CA 94105, USA.
EU representative details are available on request. If you are unhappy with our answer, you may complain to your local supervisory authority.