Privacy Policy

Last Updated: April 6th, 2021

Welcome to Tall Poppy (“Tall Poppy“, “we“, “us“, or “our“). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this Privacy Policy (“Policy“), or our practices with regards to your personal information, please contact us at privacy [at] This Policy in combination with our Cookie Policy, Terms of Use (the “Terms“) and/or any other agreement with us to which you may be subject forms a legal agreement between you (“you,” or “your“, refers to you or any party or entity that you represent) and Tall Poppy (including its corporate affiliates, subsidiaries, and divisions, as may change from time to time) with respect to your use of our Services (as defined below). Capitalized terms used, but not otherwise defined herein have the meanings ascribed to them in the Terms.


In this day and age, online threats and the harm that results are far too prevalent and wide-reaching. Company employees and service providers are often the target of some third party’s malicious acts, which can cause a great deal of damage with relatively minimal effort. Tall Poppy helps to minimize such threats and malicious acts by providing security awareness training delivered in person and/or via the Tall Poppy Site (“Trainings“) that helps employees and service providers stay ahead of the online threats that could harm them (“Threats“), while also providing security incident response services (“Response Services“) to those already harmed by such Threats, in an effort to mitigate the negative effects of security incidents (“Incidents“). We refer to the Trainings and Response Services jointly in this Policy as the “Services“.

Often, we are engaged by companies to provide our Services to company employees and service providers. As such, we collect, manage, and use a wide range of information, both personal and non-personal, as further described herein. We take your privacy very seriously—in fact, your privacy is our business. In this Policy, we describe how we collect, manage, and use your information. In this Policy, we also provide you with information concerning the rights you have over the information that we collect, manage and use. We hope that you take some time to read through this Policy carefully, as it is important. If there are any terms in this Policy that you do not agree with, please discontinue use of our Site and Services.

Please read this Policy carefully as it will help you make informed decisions about sharing your personal information with us.  

Information That You Provide To Us And That We Discover About You

 We collect personal information that you provide to us, and that any authorized third parties or other sources (such as your employer or the subscriber providing you access to our Site and Services) provide to us. The personal information that we collect from you depends on the context of your interactions with and use of the Site and Services. The personal information we collect may include the following:

  • Name and Contact Data. We collect your first and last name, email address, postal address, phone number, and other similar contact data.
  • Threat and Incident Data. Given the nature of the Services we provide, often we must collect information concerning the Incidents or Threats affecting you. Sometimes this information will be data that you share with us in order to help us investigate, and sometimes it will be data that we find online in investigating Incidents or Threats. Each Incident and Threat may involve a wide array of your personal information, such as name, email address, postal address, phone number, similar contact data, account usernames, account passwords, device information, payment information, and otherwise. The reality is that we cannot possibly predict all the types of personal information we may uncover when dealing with an Incident or Threat affecting you.
  • Credentials. We collect usernames, passwords, password hints, and similar security information used for authentication and account access to the Tall Poppy Site.
  • Payment Information. If you provide us with a method of payment that is personally linked to you (such as a company credit card in your name), we collect data necessary to process your payment (e.g., account number, security code, expiration date, etc., cumulatively, the “Payment Info“). Payment Info may be stored in our intracompany records, and it also may be stored by third payment processors with which we work, if any. If we utilize any third payment processors, you should review their privacy policy to ensure you understand and agree to their use of your information.

Information Automatically Collected

We automatically collect certain information when you visit, use or navigate our Site. This information does not reveal your specific identity (like your name or contact information), but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Site and other technical information.  This information is primarily needed to maintain the security and operation of our Site, to provide the Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Policy.


We use personal information that we collect for a variety of purposes described below. We process your personal information for business purposes in reliance on our legitimate business interests (“Business Purposes“), in order to enter into or perform a contract with you (“Contractual“), with your consent (“Consent“), and/or for compliance with our legal obligations (“Legal Reasons“). We indicate the specific processing grounds we rely on next to each purpose listed below. We use the information we collect or receive:

  • To Facilitate Account Creation And Login [Business Purposes and/or Contractual]. We use personal information that you provide or that is provided to us by third parties (such as the person, business, or organization arranging for you to access the Site or use the Services (e.g., your employer or our subscriber)) in order to create a Site account for your use, provide technical and customer support and training, verify your identity, and send important information concerning your account.
  • To Send Administrative Information To You [Business Purposes, Legal Reasons and/or Contractual]. We may use your personal information to send you information concerning the Service and Site, such as new feature information and/or information about changes to our Terms, Policy, and Cookie Policy.
  • To Provide You Services [Business Purposes and/or Contractual]. We may use your information to facilitate our provision of the Services to you, especially when responding to Threats and Incidents. We also may use your personal information to facilitate the Services and to send you updates concerning Incidents, Threats and other ongoing matters.
  • Request Feedback [Business Purposes]. We may use your information to request feedback and to contact you about your use and experience with the Site and Services.
  • To Protect Our Site and Services [Business Purposes and/or Legal Reasons].  We may use your information as part of our efforts to keep our Site safe and secure (Ex: for fraud monitoring and prevention).
  • To Enforce Our Terms and Policies [Business Purposes, Legal Reasons and/or Contractual]. We may use your personal information to contact you if we suspect that our Terms or any other agreements are being violated.
  • To Respond To Legal Requests and Prevent Harm [Legal Reasons]. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.
  • For Other Business Purposes. We may use your information for other Business Purposes, such as data and experience analysis, identifying usage trends, determining the effectiveness of our Site and Services, and to evaluate and improve our Site and Services.
  • To Send You Marketing And Promotional Communications [Business Purposes and/or Consent]. We and/or our third party marketing partners may use the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt-out of our marketing emails at any time (see the “Your Privacy Rights” below).


We only share and disclose your information in the following situations:

  • To Help Resolve or Mitigate the Effects of Incidents and Threats. In working to respond to Threats and Incidents, we engage a number of third parties who are skilled at helping to combat the negative effects of Threats and Incidents. As such, we may need to disclose your information to such third parties in furtherance of the Services.
  • Upon Employer or Subscriber Request. For the purposes of this paragraph, a “Provisioned User” means any person granted access to the Site and Service by his or her employer or any similar third party (such as the person, business, or organization arranging for you to access the Site or use the Services). Please be aware that if you are a Provisioned User, we may disclose to the party that granted you access to the Site and Service aggregate information about Provisioned User behavior such as number of Provisioned User accounts registered with Tall Poppy, number of security actions taken by Provisioned Users, and other metadata about such Provisioned Users. We will not routinely disclose identifying information you share with us in the provision of our services (such as social media account names) back to the party that granted you access to the Site and Service.
  • Compliance with Laws. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
  • Vital Interests and Legal Rights. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our Terms and policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • Affiliates. We may share your information with our affiliates, if any, in which case we will require those affiliates to honor this Policy. Affiliates include our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
  • Business Partners. We may share your information with our business partners to offer you certain products, services or promotions, or to facilitate the Services and the Site. The business partners we use to facilitate the Site and the Services include, Google (Google Analytics and G Suite), Slack, Squarespace, MailChimp and others.
  • With your Consent. We may disclose your personal information for any other purpose with your consent.


Our servers are located in the United States. If you are accessing our Site or utilizing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information. Your information may be shared in many different countries. If you are a resident in the European Economic Area, then some countries to which your data is transferred may not have data protection or other laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this Policy and applicable law.


The Site may contain advertisements from third parties or links to third party content that are not affiliated with us and which may link to other websites, online services or mobile applications. We cannot guarantee the safety and privacy of data you provide to any third parties. Any data collected by third parties is not covered by this Policy. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Site. You should review the policies of such third parties and contact them directly to respond to your questions.


Given the nature of the Services we provide, we may keep your personal information for up to 2 years past the termination of your account or your use of the Services; we may keep your personal information longer if required by law (such as tax, accounting or other legal requirements).  When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Site is at your own risk. You should only access the Site within a secure environment.


We do not knowingly solicit data from or market to children under 18 years of age.  By using the Site, you represent that you are at least 18.  If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.  If you become aware of any data we have collected from children under the age of 18, please contact us at privacy [at]


In some regions (like the European Economic Area), you have certain rights under applicable data protection laws.  These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.

If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here.

Account Information

You may at any time review or change the information in your account or terminate your account by contacting us using the contact information provided below. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, some information may be retained in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms and/or comply with legal requirements.

Cookies And Similar Technologies

You can find out more about how we use cookies and similar tracking technologies in our Cookie Policy.

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Site. To opt-out of interest-based advertising by advertisers on our Site visit

Opting Out Of Email Marketing

In the event that we decide to utilize email to market the Site and Services, you can unsubscribe from our email marketing list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the email marketing list. However, we will still need to send you Site and Service-related emails that are necessary for the administration and use of your account.


We may update this Policy from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your information.


If you have questions or comments about this Policy, email privacy [at]

or by postal mail to:

Tall Poppy Security, Inc.
Leigh Honeywell
2261 Market Street #4283
San Francisco CA 94114
United States