seclum

Privacy Policy

Last updated: 2026-07-14

Seclum is operated by Angstroma, Inc. (“Seclum,” “we,” “us”). We built Seclum because the consumer-security market has a credibility problem. This page is the literal accountability for the promises on our home page.

1. The short version

2. Who we are

Data controller: Angstroma, Inc., a Delaware C-corporation operating the Seclum brand. Mailing address: c/o Stripe Atlas registered agent, Wilmington, Delaware, USA. Reach us at privacy@seclum.com.

3. What we collect

Account data

Check data

The reasoning summary may quote signal-bearing fragments of your input— for example, “the URL contains ‘paypa1’ instead of ‘paypal’.” That is the product. The full original input is never stored.

Password breach check

Email breach check & monitoring

Billing data (if you buy credits or subscribe)

Operational telemetry

4. What we never collect or store

5. Why we process what we do (lawful basis under GDPR)

5b. If your employer uses Seclum Team (phishing-awareness training)

You may be reading this because you clicked a link in an email that turned out to be a simulated phishing test run by your own employer. Here is exactly where you stand.

Your employer is the data controller, and Seclum is only their processor. They chose to run the simulation, they decided who to include, and they hold your data. We act on their instructions and nothing else. If you want to know why you were included, or you want your data erased, ask your employer — they direct us, and we will help them act on it.

What we hold about you, on their behalf:

What we do not hold:

The email was written by an AI model, and the model never saw your address — it is given a scenario, not a person. Under our terms, your employer may not use simulation results for hiring, firing, discipline, promotion, or performance evaluation. A click is a teachable moment, not a mark on your record. If you believe results are being used against you, tell us at legal@seclum.com.

6. How long we keep what we keep

7. Who else processes your data (sub-processors)

We use the following service providers. Each has a Data Processing Agreement on file with us.

Google is deliberately not on this list. When a Seclum Team customer connects their Google Workspace mailbox to send phishing-awareness training, that mailbox is their system, not our sub-processor — the mail leaves their tenant, under their own mail policy, using a grant they can revoke at any time. See Terms §6b.

8. Your rights

If you are in the EU, UK, EEA, Switzerland, California, or any jurisdiction with similar law:

9. Children

Seclum is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email privacy@seclum.com and we will delete it.

10. International transfers

Our infrastructure runs primarily in US-East. If you are outside the US, your data is transferred to and processed in the US under Standard Contractual Clauses (SCCs) with each sub-processor named above.

11. Security

All traffic is TLS-encrypted. Secrets at rest are stored in Vercel's encrypted environment variables. The audit log is immutable at the database layer (a Postgres trigger blocks updates and deletes outside of the retention rotation cron). We describe our threat model and mitigations in our internal Data Protection Impact Assessment, available on request to enterprise customers under NDA.

12. Breach notification

If we suffer a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours of discovery, per GDPR Article 33.

13. Changes to this policy

If we make material changes, we will email you at the address on your account and post a notice at the top of this page for at least 30 days. The “Last updated” date at the top reflects the most recent revision.

14. Contact

Privacy questions, GDPR / CCPA requests, or anything you want clarified: privacy@seclum.com.