Privacy Policy
1. Data Controller
City of Hats Inc., a corporation incorporated under the laws of Ontario, Canada, is the data controller for personal data processed through the Services, unless otherwise specified. Where City of Hats processes data on behalf of a customer (e.g., Customer Data submitted for security monitoring), City of Hats acts as a data processor and the customer remains the data controller.
2. Personal Data We Collect
We collect personal data in the following circumstances: (a) when you register an account, including name, organizational email address, company name, and company domain; (b) when you use the Services, including IP address, browser type, device identifiers, timestamps, pages visited, and system configuration; (c) when you contact us for support, sales, or partnership inquiries; (d) when you subscribe to a paid plan, including billing and payment information processed by third-party payment providers; (e) when you interact with our website, including cookies, analytics data, and referral sources. We do not knowingly collect personal data beyond what is necessary for the purposes described in this policy.
3. Platform Services Data
When you use our cybersecurity monitoring, threat intelligence, API services, or integrations, the Services may generate reports, dashboards, alerts, and files containing information about your monitored assets (domains, IP addresses, email addresses, phone numbers, and other organizational identifiers). This data is stored by City of Hats for the purpose of providing the Services and is accessible through your account. You may delete this data at any time through your dashboard. Where such data includes personal data of third parties (e.g., exposed credentials discovered during monitoring), City of Hats acts as a data processor on your behalf.
4. Secure Channels Data Handling
Secure Channels (including Hats and Dead Drops) operate under a zero-knowledge architecture. City of Hats cannot access, decrypt, view, monitor, or recover the content of any Secure Channel communication. Message content is end-to-end encrypted and exists only for the duration of the active channel lifecycle. Upon expiration, burn event, retrieval limit, or manual destruction, all associated data is permanently and irreversibly deleted. Organizational email addresses used for Secure Channel verification may be temporarily retained in hashed form only for rate-limiting and abuse prevention, after which they are purged. City of Hats does not store plaintext verification email addresses, message content, recipient identities, message metadata, or communication history beyond the active session. No Secure Channel data is available for disclosure, legal request, or recovery after destruction.
5. LINE OA Integration
For users accessing the Services through LINE Official Account (LINE OA) integration, we receive limited profile information from LINE, including LINE user ID and display name, as authorized by the user during the LINE authentication process. This data is used solely to provision and maintain the user's account within the Services. We do not access LINE chat history, contacts, or other LINE application data. LINE OA users are subject to the same data protection standards as all other users of the Services.
6. How We Use Your Information
We use personal data for the following purposes: (a) to provide, operate, maintain, and improve the Services; (b) to create, manage, and authenticate user accounts; (c) to process transactions and send billing-related communications; (d) to respond to support requests and technical inquiries; (e) to send service-related notices, including security alerts, maintenance updates, and policy changes; (f) to detect, investigate, and prevent fraudulent or unauthorized activity; (g) to comply with legal obligations and enforce our Terms of Use; (h) to conduct aggregated, anonymized analytics to improve service quality. We do not sell personal data to third parties. We do not use personal data for advertising or profiling purposes.
7. Legal Basis for Processing
We process personal data under the following legal bases, as applicable: (a) contractual necessity — processing required to provide the Services you have requested; (b) legitimate interest — processing necessary for platform security, fraud prevention, and service improvement, balanced against your rights; (c) legal obligation — processing required to comply with applicable laws, regulations, or court orders; (d) consent — where required by law, we obtain your consent before processing, which you may withdraw at any time.
8. Cookies & Analytics
Our website uses cookies and similar tracking technologies to analyze traffic, remember preferences, and improve user experience. We use only essential and analytics cookies. We do not use advertising or tracking cookies. You may control cookie preferences through your browser settings. Disabling cookies may affect certain website functionality but will not affect access to the Services platform.
9. Data Sharing & Third Parties
City of Hats may share personal data with: (a) infrastructure and hosting providers that support the operation of the Services; (b) payment processors for billing and subscription management; (c) authentication providers (Auth0) for identity verification and account security; (d) analytics providers for aggregated, anonymized usage statistics. All third-party processors are bound by data processing agreements that require them to protect your data to standards no less protective than this policy. We do not share personal data with data brokers, advertisers, or any party for purposes unrelated to the Services. We may disclose personal data if required by law, regulation, or valid legal process, limited to the minimum data necessary to comply.
10. International Data Transfers
City of Hats is incorporated in Canada and may process personal data in Canada, the United States, and other jurisdictions where our infrastructure providers operate. Where personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including standard contractual clauses, adequacy decisions, or other mechanisms recognized under applicable data protection law (GDPR, PIPEDA, Thailand PDPA, or equivalent).
11. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law. Account data is retained for the duration of your active account and for thirty (30) days following account termination to allow for data retrieval. Billing records are retained as required by applicable accounting and tax regulations. Secure Channel data is not retained — it is permanently destroyed upon channel expiration, burn event, or manual destruction, as described in Section 5.
12. Your Data Protection Rights
Under applicable data protection laws, you have the right to: (a) access your personal data and receive a copy; (b) rectify inaccurate or incomplete personal data; (c) request erasure of your personal data, subject to legal retention requirements; (d) restrict processing of your personal data in certain circumstances; (e) receive your personal data in a structured, machine-readable format (data portability); (f) object to processing based on legitimate interest, including direct marketing; (g) withdraw consent where processing is based on consent. To exercise these rights, contact privacy@cityofhats.com. We will respond within thirty (30) days or as required by applicable law. You also have the right to lodge a complaint with your applicable supervisory authority, including the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/).
13. Security Measures
City of Hats implements appropriate technical and organizational measures to protect personal data, including: encryption in transit and at rest, access controls and authentication, regular security assessments, and incident response procedures. While we take reasonable steps to protect your data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
14. Changes to This Policy
City of Hats may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least thirty (30) days before taking effect. The "Last Modified" date at the top of this page reflects the most recent revision. Continued use of the Services after changes take effect constitutes acceptance of the revised policy.
Privacy Inquiries
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
privacy@cityofhats.com