Last updated: March 1st, 2023.

Thank you for your interest in Koodous ("Koodous", "we", and "MI21 Malware Intelligent, S.L.") and our website(s), products, services, and applications (the "Services"). This Privacy Policy is designed to help you understand what information we collect, why we collect it, how we use it, and how you can update, manage, export, and/or delete your information. This policy further outlines how we use this information to support a stronger global cybersecurity that includes protecting members of the public, partners, and security-conscious organizations that contribute to the Services (collectively, the "Community").

When you clicked "accept" or "agree" in connection with registering an account, we made this Privacy Policy available to you. We may use anonymized aggregated data that we derive from your personal information before it is deleted, but not in a way that incorporates your personal information or personally identifies you.

Koodous and Koodous.com are owned by MI21 Malware Intelligent, S.L., a Spanish company with registration number B93718088.

Please read this policy carefully. By accessing or using the Services, your personal information may be used as described below. If you do not want your personal information to be used as described herein, do not access the Site or use the Services. If you have any questions about this Privacy Policy, please contact us .

We collect information, including personal information, from visitors to the Site as well as our registered users, customers, and partners. We also collect certain information when someone uses the Site. We collect information about the use of the Site and interaction with the Services and information extracted from any information, text, graphics, URLs, files, audio, video, photos, and any other material uploaded, downloaded, made available, or sent through the Services ("Samples").

Specifically we may collect information:

• When you register for an account by providing us with your name, email address, and a unique username to participate in the Community or use the Services, including the ability to post comments, vote, or interact with Samples and other Community members.
• When you contact us with a question, request information from us, or send us information, including personal information you may send via email or provide through web forms on the Site.
• When you pay us, to the extent that you purchase any premium services offered by Koodous, we may receive credit card data and other payment-related information about you.
• When you submit Samples to the Services, if you submit Samples to the Services, we will collect all information in the Sample itself and information about the act of sending it. We will also generate a non-personal identifier that we will associate with the Sample. We share this non-personal identifier with the Community in encrypted form. Sender encryption allows the Community to better detect patterns in how malware is sent and distributed through the Services and makes it difficult for threat actors to use our Services to enhance or hide their malware from detection. To the extent that you choose to contribute Samples to the Community, our terms of service require that you are the original owner of the Sample or have all necessary rights and permissions for any information in the Sample, including any personal information contained in a Word or PDF document, for example. Other Samples, such as executables and other packaged software, may contain metadata that includes personal information that could relate to someone other than you.
• From your devices. We may collect specific device information (such as hardware model, operating system version, unique device identifiers, and mobile network information) by using Google Analytics. Similarly, for each Sample sent and requested, the Services will record the user agent (browser and browser version used, as well as the operating system) and the sender's IP address. These data points are used to provide analytics that allows us to optimize the Services based on actual usage patterns and help us detect abuses (such as DDoS and other attacks). User-Agent data is analyzed and used at an aggregate level for statistical purposes and is not linked to unique users or individuals.
• Automatically When you use the Services and ingest information available through the Services, we may automatically collect and store certain information about your interaction with the Services in server logs. This may include: (a) details of how you used our Services; Internet Protocol address and (b) device event information such as crashes, system activity, hardware settings, browser type, standard HTTP request headers, including, among others, user agents, referrer URL, language preference, date and time, and cookies that may uniquely identify your browser or your Koodous account. We may also collect and store information through other mechanisms, such as browser web storage (including HTML5) and application data caches.
• When you use our Android application. if you access the Services through the Koodous application for Android, we will collect device information such as the model, manufacturer, and an identifier during registration. Additionally, during the scanning process, we will need to send the installed applications to check for malware, so both the information of which apps are installed and even the apk file will be sent.
• When we have provided (or you have chosen) a password that allows you to access certain parts of our website, you are responsible for keeping this password confidential. We ask that you do not share a password with anyone.

When you use the Services, we send one or more cookies (small text files containing an alphanumeric string) to your computer. For example, we use cookies to ensure proper navigation between pages of the Services. Koodous may use both session cookies and persistent cookies. A session cookie disappears after you close your browser, while a persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Services.

Persistent cookies can be removed. Please refer to your web browser's "Help" file to learn the correct way to modify cookie settings. If you delete, or choose not to accept, cookies from the Services, you may not be able to use all of the features of the Services to their fullest potential.

We may also implement third-party content on the Services, such as advertising or analytical services, which use "transparent gifs", "web beacons", or other similar techniques that allow the third-party content provider to read and write cookies in your browser or implement similar tracking mechanisms. This information is collected directly by the third party, and Koodous does not participate in that data transmission. Information collected by third parties in this manner is subject to that third party's own data collection, use, and disclosure policies. We currently implement services provided by Google Analytics.

You can choose to control the information collected by Koodous depending on whether you are logged into a Koodous account, including configuring your browser to indicate when Koodous has set a cookie on your browser. You can also configure your browser to block all cookies from a specific domain or all domains. But remember, our Services rely on cookies to function properly.

We use the information we collect to manage registered user, client, and partner accounts, respond to support requests or inquiries about our Services or affiliates, enable participation in the Community, and fulfill applicable contracts with clients and partners. We also use the information we collect to provide, maintain, protect, and improve the Services, to develop new features of the Services, and to protect the Community and our mission of fighting malware. This includes the use of Samples and other information collected for any of the following activities:

• Sharing Samples with antivirus, scanning tools, sandbox, and other security partners to generate malware verdicts requested for the user who uploaded the Samples.
• Making Samples available to verified security professionals, companies, and security researchers, many of whom are Koodous clients or partners, for threat detection and investigation.
• Analysis and scanning of Samples submitted by the Community to generate useful information and corresponding security reports, and publishing and updating such reports to the Community, and making such material available through the Services, including Comments, mentions, and trust ratings.
• Adding Samples to our database of known or potential malware to continue advancing the security industry's understanding of online threats.
• Developing new features to enhance or refine the Services.
• Developing and providing information to the Community.
• Communicating with our users and third party contacts.
• Creating and managing your user, trial, client, or partner account(s).
• Understanding and improving how our users use and interact with the Services, including conducting analytics.
• Protecting and securing the Site, including networks and systems through which we provide the Services.
• Processing payments for premium services offered by Koodous.
• Complying with applicable laws and regulations and other business-related purposes, including negotiating, entering into, and performing contracts, managing accounts and records, supporting our corporate social responsibility activities, and conducting legal, regulatory, and internal investigations.

When you communicate with Koodous or MI21 Malware Intelligent, S.L. about the Services, we may keep a record of your communication to help us resolve issues and protect you, the Community, and the Services against fraud and abuse. We may also send you administrative messages related to your account or use of the Services. You cannot opt-out of receiving administrative messages. Koodous may use your email address to inform you about the Services if you have inquired about aspects of the Services, requested that we contact you, or otherwise agreed to hear from us. MI21 Malware Intelligent, S.L. may also communicate with you with marketing materials, promotional materials, or other personalized information that may be of interest to you with your permission or otherwise upon your request. You can unsubscribe from these messages directly or by contacting us at any time.

We share the underlying raw data of the Samples uploaded to the Services, as well as information related to the sender (encrypted ID, city, and country) of the Sample, as follows:

• With our security partners. When you upload a sample to Koodous to receive a report on its potential maliciousness, we store it in the database and share it with our partners in the security and anti-malware industry. Partners who participate in Koodous are contractually obligated to use Samples only for internal security purposes in accordance with our terms and conditions to detect malicious code and improve their antivirus engines. All partners receive Samples that their antivirus engines did not detect as potentially harmful if the same Sample was detected as malicious by at least one other partner's antivirus engine. This information exchange helps to correct potential vulnerabilities throughout the security industry.
• With our customers. Our customers may be security researchers, academic institutions dedicated to threat intelligence, government agencies, or corporate entities with advanced security functions. Samples submitted or shared within the Services may also be included in premium services offered to a select group of security actors, all of whom have been verified as participants in active threat detection and prevention activities and are collectively committed to contributing to a safer online environment overall and better protection of all end users and their data. Participants may include a wide range of cybersecurity professionals focused on product, service, and system security and security products and services, all of whom are contractually obligated to use the Services and any of their contents only for internal security purposes in accordance with our terms and conditions of service.

We may also share your information in the following circumstances:

• With the Community. if you register for an account and participate in the Community, your user profile, including your name, nickname, and any information you choose to add to your profile, such as your profile picture, will be publicly available to the Community. Your activity within the community, including comments on samples uploaded to Koodous, users who mention you in posts, and users who "trusted" or "were trusted by" you, will also be included as part of your public profile.
• With your employer or premium account administrator. If you register for a Koodous premium account based on your employer's access, your employer may receive details such as your access to the Services and how many people in the organization have access to the Services.
• With our affiliates. If you requested information about our Services or the products and services offered by MI21 Malware Intelligent, S.L. or its affiliates, or agreed to receive promotional material from MI21 Malware Intelligent, S.L. or its affiliates, we will share your personal information with such affiliates for that purpose.
• With third party processors. We may provide personal information to MI21 Malware Intelligent, S.L. and other affiliates or other trusted companies or individuals to process it on our behalf, in accordance with our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security terms.
• For legal reasons. We will share personal information with affiliates and companies, organizations, or individuals outside of Koodous if we believe that access, use, preservation, or disclosure of the information is reasonably necessary to:
  • To comply with any applicable law, regulation, legal process, or government request.
  • To enforce the terms of service , including investigating potential violations.
  • To detect, prevent, or address fraud, security, or technical issues, or protect against harm to the rights, property, or safety of Koodous, our affiliates, users, or the public as required or permitted by law.

In the event of a merger, acquisition, or sale of assets. We may disclose your personal information to the prospective seller or buyer of such business or assets.

We may share aggregated and anonymous information publicly and with our clients and partners described above. For example, we may publicly share aggregated information to display statistical trends about the general usage of our services. Our site may contain links to and from the websites of our affiliates, partners, and Community members. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these third-party websites, policies, or any content provided by such third parties. Please review these policies before submitting any personal information to these websites.

We take measures to ensure that Koodous retains the personal information you provide only for as long as necessary for the purpose for which it was collected. Sometimes business and legal requirements require us to retain certain information for specific purposes for an extended period of time. Reasons why we may retain some data for longer periods of time include:

• Prevention of security, fraud, and abuse.
• Maintenance of financial records.
• Compliance with legal or regulatory requirements.
• Ensuring the continuity of our services.

For Community users, please note that you can delete your account or any part of your account, including comments made in the Community, at any time using the tools available through the Services. If you delete your account, comments about Samples or other materials in the Services will no longer be attributed to you, but may be retained to protect the security and integrity of the Community as a whole.

You can choose to export or download your profile information and comments made through a request by contacting us at info@koodous.com.

We use appropriate technical, organizational, and security measures to protect the personal information we collect and process about you.

The legal bases on which we may process your personal information include the following:

• With your consent, for example, if you contact us and request more information about the Services, request a trial, or indicate that you wish to receive marketing updates about the Services, MI21 Malware Intelligent, S.L. or MI21 Malware Intelligent, S.L. affiliates.
• To perform or take steps to enter into a contract, for example, to evaluate a potential customer for premium services.
• To comply with applicable legal obligations to us, MI21 Malware Intelligent, S.L. or MI21 Malware Intelligent, S.L. affiliates, or based on our legitimate interests, or the legitimate interests of our third parties, as described below.

Our Legitimate Interests: as a provider of threat detection services and operator of a platform designed to share knowledge about malware and other security vulnerabilities to better protect the internet and our collective data assets from exploitation and compromise, we cannot evaluate or monitor what kind of information is contained in the Samples uploaded by the Community. By establishing rules for uploads to prevent the uploading of Samples that may contain personal information, either in the metadata of the resulting analysis or in the upload itself (e.g. files within the Samples), we would fail to detect, analyze, and prevent threats, and the Services would cease to operate effectively. We prohibit the contribution of Samples that may contain personal information in our Terms of Use, but we also understand that malware can take any form and personal information can be included in certain Samples submitted to the Services. Consequently, we must process all information, including any personal information that may be received in Samples submitted to the database. We must also share Samples with our security partners to receive verdicts on the potential maliciousness of the contributed Samples and with clients to enable them to understand malware in their particular threat environments. The processing and sharing of certain unmoderated information, which may accidentally contain personal information, is essential for the Services to function. By accepting and unequivocally distributing all Samples, we take steps to ensure that malware is detected more widely and quickly around the world through the efforts of those participating in the Community. The larger our collection of unmoderated Samples and the more security partners and contributing members of the Community we have, the greater the collective threat detection capability of the Services and the more potential it has to continue making the internet and the connected tools that run through it (such as your bank, email, and social platforms you participate in) safer.

Measures to offset any potential harm to individuals who may be negatively affected by our accidental processing of personal information: We have implemented the following measures and created several internal tools and processes to protect individuals along with the way the Services may process personal information:

• Our terms of service require users to certify that they are the original owners or have all necessary rights and permissions over the information (including any personal information) contained in any Sample uploaded to the Services and clarify that the user's purpose for submitting the Sample is to share it with the Community.
• Users must verify Samples before submitting them to ensure they are intended for and appropriate to upload and comply with the terms of service.
• We adhere to policies to investigate any Sample identified to us as containing personal information and take action to remedy cases where it has been confirmed that Samples contain personal or other information where the risk to the Community is not outweighed by the potential harm to an individual or entity.
• We technically and operationally secure our database using appropriate techniques and tools.
• We take steps to partially or fully anonymize any personal information contained in publicly available metadata.
• We do not allow the public to search for personal information or download or access Samples within the database (users can only search by a hash that corresponds to a specific Sample).

Our partners and clients may have access to the raw data contained in Samples uploaded to the Services. This access is necessary to allow them, in the case of our partners who are antivirus companies and security companies, to provide corresponding malware verdicts for Samples uploaded requested by the user, and for all of them to promote the legitimate interest of conducting advanced security analysis on all Samples, including those that may contain personal information, to promote the security threats industry and protect the Community as a whole.

Koodous processes personal information on servers located in many countries around the world. We may process, transfer, and/or store your personal information on a server located outside the country where you live. For example, we may transfer your personal information to our affiliates in the United States and other jurisdictions where the servers we use are located. We will periodically review our compliance with this Privacy Policy.

Please note that privacy protections in the United States and other jurisdictions may not be equivalent to those of your local law, and the rights of government and law enforcement authorities to access your personal information may also differ. When we transfer your information overseas, Koodous will take all measures required by applicable law to ensure that your personal information is adequately protected by appropriate safeguards, such as standard contractual clauses.

When we receive formal written complaints, we will communicate with the person who submitted the complaint to follow up. If you reside in the EEA, Switzerland, or the UK, if you have any concerns about our processing of your personal information that we cannot resolve, you have the right to lodge a complaint with your local data protection authority.

We reserve the right to modify this Privacy Policy at any time. However, we will not reduce your rights under this Privacy Policy without your explicit consent. We always indicate the date of the last changes and, if the changes are significant, we will provide a more prominent notice (including, for certain services, notification by email of changes to the Privacy Policy).

Our modified Privacy Policy will take effect going forward, as set forth in the Terms, except that (i) unless you agree otherwise, we will use your personal information in the manner described in the Privacy Policy in effect when we received that information; and (ii) if you do not agree with any changes to the Privacy Policy, you must cancel your Koodous account and stop using the Services. Your continued use of the Services after a revised Privacy Policy has become effective indicates that you have read, understood, and agreed to the current version of the Privacy Policy.

Please contact Koodous with any questions or comments about this Privacy Policy, your personal information, our use and disclosure practices, or your choices here or via legal@koodous.com.