Privacy Policy

This Privacy Policy describes how Anytool Inc., doing business as Parameter ("Parameter," "we," "us," or "our"), collects, uses, and shares information when you visit parameter.ai, contact us, or use our products and services (collectively, the "Services"). Parameter operates as a business-to-business security testing platform and contracts with customers under a written Order Form.

This Policy applies to information about:

• Visitors to our website and marketing channels
• Prospective and current customer business contacts
• Authorized users of the Parameter platform

For information we process on behalf of our customers as part of the Services ("Customer Data"), our customer is the controller and Parameter acts as a processor or service provider. Our handling of Customer Data is governed by the customer's Order Form, our Data Processing Addendum (DPA), and, where applicable, a Business Associate Agreement (BAA).

1. Information We Collect

1.1 Information You Provide

• Contact and account information: name, business email, company, job title, phone number, and similar details you submit through forms, sales conversations, or account creation.
• Communications: content of emails, support tickets, sales calls, and meeting notes.
• Customer agreements: signing party details, billing contact, and authorized users specified on Order Forms.
• Payment information: billing address and tax details. Card payments, where accepted, are processed by a third-party payment processor; we do not store full card numbers.

1.2 Information We Collect Automatically

When you visit parameter.ai or interact with our hosted Services, we automatically collect:

• Device and connection data: IP address, browser type, operating system, device identifiers, and referring URLs.
• Usage data: pages viewed, links clicked, timestamps, and similar telemetry.
• Cookies and similar technologies: see Section 9.

1.3 Customer Data

In the course of providing the Services, the Parameter platform processes data submitted by customers, including target asset information, source code, request and response data captured during testing, credentials provided for authenticated testing, and findings produced by the Services. We process this data on behalf of customers under the terms of the applicable Order Form, DPA, and any BAA.

1.4 Information from Third Parties

We may receive information from public sources, business databases, marketing partners, mutual customers, and integration providers (such as identity providers and code hosting platforms that customers connect to the Services).

2. How We Use Information

We use the information we collect to:

• Provide, operate, secure, and improve the Services
• Communicate with you about your account, our products, and security disclosures
• Conduct sales, marketing, and business development with prospects and customers
• Process payments and manage billing
• Comply with legal obligations and enforce our agreements
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Conduct internal research, analytics, and reporting

We do not use Customer Data to train foundation models or for any purpose other than providing the Services and meeting our contractual obligations.

3. Legal Bases for Processing (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing personal data are:

• Contract: to provide the Services and respond to your requests
• Legitimate interests: to operate, secure, and improve our business, conduct B2B marketing, and prevent fraud
• Consent: where required by law, such as for certain cookies or marketing communications
• Legal obligation: to comply with applicable law

4. How We Share Information

We share information only as described below:

4.1 Subprocessors and Service Providers

We use third parties to operate the Services, including cloud infrastructure, foundation model providers, data storage, communications, analytics, payment processing, and compliance tooling. These providers are contractually bound to use the information only to deliver services to us. A current list of subprocessors is available on request.

4.2 Foundation Model Providers

Our Services rely on third-party foundation model APIs, including providers such as Anthropic and OpenAI, to power AI agents that perform security testing. Customer Data submitted to these providers is handled under data retention and confidentiality terms negotiated by Parameter, including zero data retention configurations where required for compliance with HIPAA or customer commitments.

4.3 Customers

If you are an authorized user of a customer's Parameter account, we share information about your activity with the customer that owns the account.

4.4 Legal and Safety

We may disclose information when we reasonably believe it is necessary to comply with applicable law, lawful requests from public authorities, valid legal process, or to protect the rights, property, or safety of Parameter, our customers, or others.

4.5 Business Transfers

If Parameter is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality obligations.

4.6 With Your Direction

We share information with other parties when you direct us to do so.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as defined under California law.

5. Data Retention

We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of data:

• Account and contact data: retained while the customer relationship is active and for a reasonable period afterward
• Billing records: retained for the period required by tax and accounting laws (typically 7 years)
• Website telemetry: retained for up to 24 months
• Customer Data: retained per the applicable Order Form and DPA; deleted or returned on customer request following termination

6. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, role-based access controls, logging, vendor security review, and employee training. Parameter is pursuing SOC 2 Type II certification. No system is perfectly secure; we encourage you to use strong passwords and to notify us promptly of any suspected unauthorized access.

7. Your Rights

Depending on where you live, you may have rights to:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Delete personal information
• Restrict or object to certain processing
• Receive your information in a portable format
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority

7.1 California Residents (CCPA/CPRA)

California residents have rights to know, delete, correct, and limit the use of sensitive personal information, and to opt out of sale or sharing. We do not sell personal information or share it for cross-context behavioral advertising. We do not knowingly collect sensitive personal information beyond what is necessary to provide the Services.

7.2 EEA, UK, and Swiss Residents

In addition to the rights above, you may contact your local data protection authority. Parameter relies on Standard Contractual Clauses or equivalent transfer mechanisms to lawfully transfer personal data from the EEA, UK, and Switzerland.

7.3 Exercising Your Rights

To exercise any rights, contact us at privacy@parameter.ai. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling a request. Where you are an authorized user of a customer's account, please direct your request to that customer; we will assist them as required.

8. International Data Transfers

We are based in the United States, and the information we collect is processed in the United States and other countries where we or our subprocessors operate. When personal data is transferred internationally, we use appropriate safeguards as required by law, including Standard Contractual Clauses.

9. Cookies and Similar Technologies

We use cookies and similar technologies on parameter.ai to operate the site, remember preferences, measure performance, and support marketing. You can control cookies through your browser settings. Where required by law, we present a cookie banner that allows you to accept or reject non-essential cookies.

We currently use the following categories of cookies:

• Strictly necessary: required for the site to function
• Analytics: help us understand how the site is used
• Marketing: support advertising and remarketing on third-party platforms

10. Children's Privacy

The Services are intended for businesses and are not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided information to us, contact privacy@parameter.ai and we will take appropriate steps to delete it.

11. Protected Health Information (HIPAA)

For customers who are HIPAA covered entities or business associates, Parameter will execute a Business Associate Agreement on request. Where a BAA is in place, our handling of Protected Health Information is governed by the BAA, the HIPAA Security and Privacy Rules, and any additional restrictions agreed with the customer. Customers should not transmit PHI to the Services without a BAA in place.

12. Do Not Track

Our website does not currently respond to "Do Not Track" browser signals.

13. Third-Party Links

The Services and our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites; review their privacy policies before sharing information with them.

14. Changes to This Policy

We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent version. For material changes, we will provide notice through the Services, by email, or by another reasonable method.

15. Contact Us

For privacy questions, requests, or complaints, contact:

• Anytool Inc. dba Parameter
• San Francisco, California
• privacy@parameter.ai
• parameter.ai

Version 1.0 · May 4, 2026 · Initial publication