Privacy Policy

How Koopic LLC collects, uses, and protects your information when you use our asset management platform.

Last Updated: February 21, 2026 Effective: February 21, 2026

Introduction

Koopic LLC ("Koopic," "we," "us," or "our") is a Virginia limited liability company that operates a business-to-business ("B2B") software-as-a-service asset management platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you access or use the Service, visit our website at koopic.com, or otherwise interact with us.

This Privacy Policy applies to authorized users of the Service who access it through their employer or organization (each, a "Customer"). The Service is designed exclusively for business and enterprise use. We do not offer consumer-facing products or services, and we do not knowingly collect information from individuals who are not authorized users of a Customer account.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you are authorized to accept this Privacy Policy on that organization's behalf. If you do not agree to this Privacy Policy, you must discontinue use of the Service immediately.

This Privacy Policy applies equally to all users of the Service, regardless of whether your organization is on a free or paid Subscription plan. We do not differentiate our privacy protections or data handling practices based on plan type.

This Privacy Policy should be read in conjunction with our Terms of Service, Data Processing Agreement, and Cookie Policy, which together govern your use of the Service.

Information We Collect

We collect and process several categories of information in connection with the Service. The specific information collected depends on how you and your organization use the Service and which features are enabled.

2.1 Account and Identity Information

When your organization provisions your account, the following information is collected, typically synchronized from your organization's identity provider (e.g., Google Workspace, Microsoft Entra ID, Okta, or another OIDC/SAML provider) via Keycloak, our self-hosted identity and access management system:

  • First name and last name
  • Email address
  • Authentication identifiers: user ID from your OAuth/SSO identity provider, the identity provider used, and login timestamps
  • Email verification status
  • Account active/inactive status
  • Last login time and last identity provider synchronization timestamp
  • Organization membership and role assignment (viewer, member, admin, or owner)

2.2 User Preferences

We store certain preferences you configure within the Service, including:

  • Column display and layout settings for asset views
  • Theme preference (dark, light, or system)

2.3 Customer Data (Asset and Business Information)

The core purpose of the Service is to help your organization manage its IT asset inventory. Your organization, through its authorized users and configured integrations, submits and processes the following types of data ("Customer Data"):

  • Device and inventory information: device names, hostnames, operating systems, IP addresses, MAC addresses, serial numbers, and hardware identifiers
  • Security posture data: antivirus status, endpoint detection and response (EDR) health, patch compliance status, external IP addresses, and domain information
  • Asset metadata: asset status, completeness scores, lifecycle status, age calculations, and source system identifiers
  • Custom and enriched fields: organization-defined custom fields and calculated fields derived from enrichment rules configured by your organization
  • Compliance data: compliance rule evaluation results, per-asset compliance scores, and rule configuration

Customer Data is owned by and belongs to your organization. We process Customer Data solely on your organization's behalf and in accordance with our Data Processing Agreement.

2.4 Operational and Audit Data

To maintain the security and integrity of the Service, we automatically collect:

  • Audit logs: records of user actions (create, update, delete, and other mutations), including the user who performed the action, timestamp, IP address, affected resource, and outcome (success or failure)
  • Integration execution logs: records of data synchronization operations, including number of records processed, success or failure status, and execution timing
  • Issue reports: when you submit a bug report or issue through the Service, we collect the report contents, optionally attached screenshots, browser console errors, and browser diagnostics (browser type, version, viewport size)

2.5 Integration Credentials

When your organization configures integrations with third-party services (e.g., Google Cloud Platform, Microsoft Azure, Microsoft Defender for Endpoint, or on-premises agents), the Service stores the credentials necessary to authenticate with those services. These may include:

  • GCP service account keys
  • Azure storage account keys and shared access signature (SAS) URLs
  • OAuth client credentials (client ID, client secret, tenant ID)
  • API keys and agent authentication tokens

All integration credentials are encrypted at rest using industry-standard symmetric encryption with message authentication, and are decrypted only during integration execution. Credentials are provided by your organization and remain under your organization's control.

2.6 Website Analytics

We use Google Analytics (provided by Google LLC) on our marketing website at koopic.com to understand how visitors interact with our website, including which pages are visited, how long visitors stay, and how they navigate between pages. Google Analytics collects this information using cookies and similar technologies.

Google Analytics is loaded only after you provide consent through our cookie consent banner. If you decline analytics cookies, no Google Analytics scripts are loaded and no tracking occurs.

When analytics cookies are enabled, Google Analytics may collect:

  • Pages visited and time spent on each page
  • Referring website or search terms that led you to our site
  • Browser type, operating system, and screen resolution
  • Approximate geographic location (city-level, derived from IP address)
  • A randomly generated identifier stored in a cookie to distinguish unique visitors (this is not linked to any personally identifiable information)

We have configured Google Analytics with IP anonymization enabled. We do not use Google Analytics for cross-site tracking, remarketing, or advertising purposes. We do not share Google Analytics data with any third parties beyond Google. For details on how Google processes this data, see Google's Privacy Policy.

Important: Google Analytics is used only on the marketing website (koopic.com). The Koopic application at app.koopic.com does not use Google Analytics or any other third-party analytics service.

2.7 Information We Do Not Collect

Transparency is a core value. We want to be explicit about what we do not do:

  • We do not use analytics on the application at app.koopic.com (analytics are limited to the marketing website, koopic.com, and only with your consent)
  • We do not track user behavior within the application for product analytics or profiling
  • We do not use advertising cookies, tracking pixels, or retargeting technologies
  • We do not sell, rent, or trade any user or Customer Data to third parties
  • We do not engage in cross-site tracking or behavioral advertising

How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision and Operations

  • Authenticating your identity and managing access to the Service based on your organization's role assignments
  • Processing, storing, and displaying Customer Data as directed by your organization through the Service's features
  • Executing data integrations with third-party services configured by your organization
  • Running compliance evaluations, enrichment rules, and asset lifecycle calculations against Customer Data
  • Merging asset records from multiple sources into unified golden records as configured by your organization
  • Displaying dashboards, reports, and asset views to authorized users

3.2 Security and Integrity

  • Maintaining audit logs of all data mutations for security, accountability, and compliance purposes
  • Enforcing multi-tenant isolation through row-level security policies to ensure your organization's data is accessible only to its authorized users
  • Enforcing role-based access control (RBAC) to restrict actions based on user roles
  • Detecting, preventing, and responding to security incidents, fraud, abuse, and unauthorized access
  • Rate limiting and account lockout to prevent brute-force attacks

3.3 Communication

  • Sending transactional emails related to your account (e.g., invitation emails, organization invitations, and SSO configuration notifications)
  • Providing support and responding to inquiries submitted through the Service or via email
  • Notifying you of material changes to this Privacy Policy or the Terms of Service

3.4 Service Improvement

  • Analyzing aggregated, de-identified usage patterns to improve Service performance, reliability, and user experience
  • Diagnosing and resolving bugs and issues reported through the Service's issue reporting feature

3.5 Legal Compliance

  • Complying with applicable laws, regulations, and legal obligations
  • Responding to lawful requests from governmental authorities
  • Establishing, exercising, or defending legal claims

We process information on the following legal bases, depending on the nature of the processing activity and the applicable jurisdiction:

4.1 Contractual Necessity

The majority of our processing is necessary to perform our obligations under the contract between Koopic and your organization (i.e., our Terms of Service and any applicable subscription agreement). This includes authenticating users, processing Customer Data, executing integrations, and providing the core features of the Service.

4.2 Legitimate Interests

We process certain information based on our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Because the Service is a B2B platform, and all users are authorized representatives of their employer organizations, our legitimate interests include:

  • Maintaining the security and integrity of the Service, including audit logging and threat detection
  • Improving the reliability and performance of the Service
  • Preventing fraud, abuse, and unauthorized access
  • Administering and managing Customer accounts

4.3 Legal Obligations

We process information when necessary to comply with applicable laws and regulations, including responding to valid legal process, tax reporting obligations, and record-keeping requirements.

4.4 Consent

In limited circumstances, we may process information based on your explicit consent. Where consent is the legal basis, you have the right to withdraw your consent at any time by contacting us at [email protected]. Withdrawal of consent does not affect the lawfulness of processing conducted prior to the withdrawal.

Information We Share

We do not sell, rent, or trade your personal information or Customer Data. We share information only in the following limited circumstances:

5.1 Sub-Processors

We use a limited number of third-party sub-processors to operate the Service. Each sub-processor is bound by contractual obligations to protect the data they process on our behalf. Our current sub-processors are:

  • DigitalOcean, LLC — Cloud infrastructure hosting (Kubernetes compute) and managed PostgreSQL database service. Data is hosted in the NYC1 (New York City) region within the United States.
  • Stripe, Inc. — Payment processing for paid Subscription plans. Stripe receives billing-related information (name, email, payment method details) directly from your browser. Koopic does not store, process, or have access to your credit card numbers or payment card data. Stripe is certified PCI DSS Level 1 and processes data in the United States. See Stripe's Privacy Policy for details.
  • Google LLC — Website analytics on koopic.com only (Google Analytics). Loaded only with user consent. Collects anonymized browsing data including pages visited, referral source, and approximate geographic location. No personally identifiable information is shared. Data is processed in the United States. See Google's Privacy Policy.

In addition to the sub-processors listed above, the Service relies on the following self-hosted infrastructure components that run entirely on our own DigitalOcean infrastructure. No data is transmitted to any third party through these components:

  • Keycloak (self-hosted) — Identity and access management, including authentication, SSO federation, and user provisioning. Keycloak is an open-source solution that we self-host and operate directly.
  • Redis (self-hosted) — In-memory caching and task queue management. Redis is self-hosted and operated directly by Koopic.

We will provide at least thirty (30) days' notice before engaging any new third-party sub-processor that processes Customer Data, either by updating this Privacy Policy or by direct notification to your organization's designated contact.

5.2 Legal Requirements

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with a court order, subpoena, search warrant, or other valid legal process
  • Comply with applicable law, regulation, or governmental request
  • Protect the rights, property, or safety of Koopic, our Customers, their users, or the public
  • Enforce our Terms of Service or other agreements
  • Detect, prevent, or address fraud, security, or technical issues

Where permitted by law, we will make reasonable efforts to notify your organization before disclosing Customer Data in response to legal process.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction, information collected under this Privacy Policy may be transferred to the successor entity. We will provide notice of any such transfer and any changes to this Privacy Policy that result from the transaction. The successor entity will be bound by the terms of this Privacy Policy with respect to information collected prior to the transfer.

5.4 With Your Organization's Consent

We may share information with third parties when your organization has directed us to do so through the Service's integration features (e.g., syncing issue reports with a configured GitHub repository). Such sharing is initiated and controlled by your organization.

Data Retention

We retain information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. The specific retention periods for each category of data are as follows:

6.1 Account Information

Account information is retained for the duration of your organization's active subscription. When a user is removed from an organization or an organization's account is terminated, account information is deleted as part of the cascading deletion process described below.

6.2 Customer Data (Asset and Business Information)

Customer Data is retained until it is explicitly deleted by an authorized user within your organization or until your organization's account is terminated. Your organization retains full control over the lifecycle of its Customer Data through the Service's management features.

6.3 Audit Logs

Audit logs are retained for a default period of ninety (90) days. This retention period is configurable per organization. An automated daily cleanup process permanently deletes audit log entries that exceed the configured retention period.

6.4 Integration Credentials

Encrypted integration credentials are retained until they are manually removed by an authorized user or until the associated integration is deleted. Credentials are encrypted at rest at all times and are decrypted only during integration execution.

6.5 Organization Deletion

When an organization account is deleted, all data associated with that organization is permanently removed through a cascading deletion process. This includes all Customer Data, user accounts and memberships, integration configurations and credentials, audit logs, compliance rules and results, enrichment rules, and all other organization-specific data. This deletion is irreversible.

6.6 Backups

Database backups may retain deleted data for a limited period consistent with our backup retention schedule. Backups are encrypted and access-restricted. Data in backups is not actively processed and is overwritten as backups rotate.

Data Security

We implement comprehensive technical and organizational measures to protect the confidentiality, integrity, and availability of information processed through the Service. While no system can guarantee absolute security, we employ defense-in-depth strategies that reflect industry best practices.

7.1 Encryption

  • Encryption in transit: All data transmitted between your browser and the Service, between Service components, and between the Service and third-party integrations is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Integration credentials are encrypted using industry-standard symmetric encryption with message authentication. The managed PostgreSQL database employs encryption at rest provided by the infrastructure provider.
  • End-to-end encryption for on-premises agents: Data collected by on-premises agents is encrypted using X25519 ECDH key exchange with AES-256-GCM before transmission to the cloud gateway, ensuring that data is protected even in transit through intermediate network infrastructure. Agent-side credential storage uses Argon2id key derivation with AES-256-GCM encryption.

7.2 Multi-Tenant Isolation

  • Row-Level Security (RLS): PostgreSQL Row-Level Security policies are enforced across all tenant-scoped database tables (23 tables), ensuring that each organization's data is logically isolated at the database level. Queries are automatically filtered to the authenticated user's organization context.
  • Role-Based Access Control (RBAC): A four-tier role system (viewer, member, admin, owner) restricts actions based on the authenticated user's role within their organization. Access control is enforced at both the API and database levels.

7.3 Monitoring and Audit

  • Comprehensive audit logging: All data mutations are logged with the acting user, action type, affected resource, IP address, timestamp, and outcome. Audit logs provide a tamper-evident record of all changes.
  • Rate limiting and abuse prevention: API endpoints are rate-limited to prevent abuse. Account lockout mechanisms protect against brute-force authentication attacks.
  • SSRF prevention: Server-side request forgery protections prevent the Service from being used to access internal network resources.

7.4 Secure Development Practices

  • Sandboxed code execution: Customer-defined enrichment rules execute in a restricted Python sandbox with resource limits and timeout enforcement to prevent code execution attacks.
  • Input validation: All user-supplied inputs, including regular expressions used in compliance rules, are validated and subject to execution timeouts and length limits to prevent denial-of-service attacks.
  • Dependency management: Dependencies are regularly reviewed and updated to address known vulnerabilities.

7.5 Organizational Measures

  • Access to production infrastructure is restricted to authorized personnel on a need-to-know basis
  • Infrastructure access requires multi-factor authentication
  • Security practices are periodically reviewed and updated

7.6 Incident Response

In the event of a security incident that affects the confidentiality, integrity, or availability of your information, we will:

  • Promptly investigate and take steps to contain and remediate the incident
  • Notify affected organizations without undue delay and, where required by applicable law, within the timeframes mandated by the Virginia Consumer Data Protection Act or other applicable breach notification statutes
  • Provide sufficient detail about the incident to enable affected organizations to meet their own notification obligations
  • Cooperate with affected organizations and applicable regulatory authorities as required

Your Rights Under the Virginia Consumer Data Protection Act

If you are a Virginia resident, the Virginia Consumer Data Protection Act ("VCDPA") grants you certain rights with respect to your personal data. Although the Service is a B2B platform and our primary relationship is with your employer organization, we respect and facilitate the exercise of individual privacy rights where applicable.

8.1 Right to Know and Access

You have the right to confirm whether we are processing your personal data and to access the personal data we have collected about you.

8.2 Right to Correct

You have the right to request correction of inaccurate personal data, taking into account the nature of the data and the purposes of processing. Because much of your account information is synchronized from your organization's identity provider, corrections to that data may need to be made at the identity provider level by your organization's administrator.

8.3 Right to Delete

You have the right to request deletion of personal data that we have collected about you. Please note that deletion of certain data may be subject to limitations where we are required to retain data to comply with legal obligations or to establish, exercise, or defend legal claims.

8.4 Right to Data Portability

You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance.

8.5 Right to Opt Out of Targeted Advertising

The VCDPA grants the right to opt out of the processing of personal data for purposes of targeted advertising. This right is not applicable to our Service because we do not process personal data for targeted advertising purposes. We do not serve advertisements, use advertising cookies, or share personal data with advertising networks.

8.6 Right to Opt Out of Sale of Personal Data

The VCDPA grants the right to opt out of the sale of personal data. This right is not applicable to our Service because we do not sell personal data to third parties.

8.7 Right to Opt Out of Profiling

The VCDPA grants the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. This right is not applicable to our Service because we do not engage in profiling that produces legal or similarly significant effects on individuals. The compliance scoring and enrichment features of the Service operate on asset data (device and inventory records), not on personal data about individuals.

8.8 How to Exercise Your Rights

To exercise any of the rights described above, you may submit a request by:

  • Emailing us at [email protected] with the subject line "VCDPA Rights Request"
  • Contacting your organization's administrator, who may submit requests on your behalf through the Service's administrative features

We will respond to verified requests within forty-five (45) days of receipt. If we require additional time due to the complexity of the request or the volume of requests, we will notify you of the extension within the initial 45-day period. We may extend the response period by up to an additional forty-five (45) days where reasonably necessary.

8.9 Verification

To protect your privacy and security, we will take reasonable steps to verify your identity before fulfilling your request. Verification may include confirming your email address, your association with a Customer organization, and other identifying information. If we cannot verify your identity, we may decline to fulfill the request and will notify you of the reason.

8.10 Right to Appeal

If we decline to take action on your request, you have the right to appeal our decision. To appeal, send an email to [email protected] with the subject line "VCDPA Appeal." We will respond to your appeal within sixty (60) days. If the appeal is denied, we will provide you with instructions on how to submit a complaint to the Virginia Attorney General.

8.11 Non-Discrimination

We will not discriminate against you for exercising any of your rights under the VCDPA. We will not deny you access to the Service, charge you different prices, or provide a different level of quality based on your exercise of these rights.

Cookies and Tracking Technologies

We use strictly necessary cookies required for the Service to function, and optional analytics cookies on our marketing website with your consent. Specifically:

  • Authentication session cookies: Managed by Keycloak (our self-hosted identity provider) to maintain your authenticated session. These cookies are essential for you to log in and use the Service and cannot be disabled without losing access to the Service.
  • Analytics cookies (consent required): Google Analytics cookies (_ga, _ga_*) are set on koopic.com only after you provide consent through our cookie banner. These cookies help us understand website traffic and usage patterns. You can withdraw consent at any time through the "Cookie Preferences" link in our website footer.

We do not use:

  • Advertising or marketing cookies
  • Third-party tracking cookies (beyond Google Analytics with consent)
  • Social media tracking pixels
  • Fingerprinting or similar tracking technologies

For complete details about the cookies used by the Service, please refer to our Cookie Policy.

International Data Transfers

The Service is hosted in the United States. All data processed by the Service, including Customer Data and account information, is stored and processed at DigitalOcean's NYC1 (New York City) data center region within the United States.

If you or your organization are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. The data protection laws of the United States may differ from the laws of your jurisdiction.

For Customers located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we will implement appropriate safeguards for international data transfers as required by applicable law, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
  • Any successor transfer mechanisms recognized under applicable data protection law

If you require a Data Processing Agreement with Standard Contractual Clauses for your organization, please contact us at [email protected].

For Customers using the on-premises agent, asset data collected by the agent within your network is encrypted end-to-end (X25519 ECDH + AES-256-GCM) before being transmitted to the cloud gateway. This ensures that data in transit is protected even when crossing network boundaries.

Children's Privacy

The Service is a B2B platform designed for use by authorized representatives of business organizations. The Service is intended for users who are at least eighteen (18) years of age. We do not knowingly collect, use, or disclose personal information from children under the age of eighteen (18).

If we become aware that we have inadvertently collected personal information from an individual under 18, we will take prompt steps to delete that information. If you believe that a child under 18 has provided personal information to us, please contact us immediately at [email protected].

12.1 Third-Party Links

The Service may contain links to third-party websites, services, or resources that are not owned or controlled by Koopic. This Privacy Policy does not apply to third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services that you visit. We are not responsible for the privacy practices, content, or security of any third-party websites or services.

12.2 Customer-Configured Integrations

The Service allows your organization to configure integrations with third-party services, including but not limited to Google Cloud Platform, Microsoft Azure, Microsoft Defender for Endpoint, and on-premises data collection agents. These integrations are configured and controlled by your organization using your organization's own credentials and API keys.

When an integration is executed, the Service connects to the configured third-party service using your organization's credentials to retrieve or transmit data as directed by your organization. The collection and processing of data by those third-party services is governed by their respective privacy policies and your organization's agreements with them. Koopic acts as a data processor with respect to data retrieved through Customer-configured integrations.

12.3 GitHub Issue Synchronization

If your organization enables GitHub issue synchronization, issue reports created within the Service may be synchronized to a GitHub repository designated by your organization. Data transmitted to GitHub through this feature is subject to GitHub's Privacy Statement. Your organization controls whether this feature is enabled and which repository receives the data.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will:

  • Update the "Last Updated" and "Effective Date" at the top of this Privacy Policy
  • Post the revised Privacy Policy on our website
  • For material changes, provide at least thirty (30) days' prior notice through one or more of the following methods:
    • A prominent notice on the Service
    • An email to the primary contact for your organization's account
    • A notification within the Service's user interface

Material changes include, but are not limited to: changes to the categories of personal data collected, changes to the purposes of processing, changes to sub-processors, changes to data retention periods, and changes that materially affect your rights under this Privacy Policy.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms. If you do not agree to the revised Privacy Policy, you must discontinue use of the Service before the effective date of the changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Prior versions of this Privacy Policy are available upon request.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the following information:

General Privacy Inquiries

Koopic LLC
Virginia, United States
Email: [email protected]

Data Protection Officer

For matters specifically related to data protection, VCDPA rights requests, or data processing inquiries, you may contact our Data Protection Officer at:

Email: [email protected]

VCDPA Rights Requests

To exercise your rights under the Virginia Consumer Data Protection Act, please email [email protected] with the subject line "VCDPA Rights Request." Please include your full name, email address associated with the Service, and a description of the right you wish to exercise.

Customer Organization Requests

If you are a Customer administrator and need to submit a data-related request on behalf of your organization (e.g., data export, account deletion, or a Data Processing Agreement), please contact us at [email protected] or reach out to your designated account contact.

We aim to respond to all privacy-related inquiries within five (5) business days and to all formal rights requests within the timeframes required by applicable law.

Other Legal Documents

Terms of ServiceCookie PolicyAcceptable UseData Processing Agreement