Last update 31.08.2023

Privacy Policy

Revision 1.0


Pistachio ("we", "us", or "our") respects the privacy of its users ("user", "you", "your") and is committed to protecting it through our compliance with this privacy policy. This policy describes the types of information we may collect from you or that you may provide when you use our services and our practices for collecting, using, maintaining, protecting, and disclosing that information.

Information We Collect

Product Information. In order for the Pistachio Platform to operate effectively, we collect several types of personal data about each licensed user. This data includes the user’s department, name, job title, phone number, country, language, and the name of each active directory group the user is a member of. This data is all taken from Microsoft Active Directory. In addition, we collect data about how each user interacts with the Pistachio platform, such as the attacks and training each user received, whether the user failed a given attack or confirmed the training, and other interaction data of that type.

In order to function, Pistachio requires certain permissions to be granted over your Microsoft Active Directory tenant. You can read about those permissions here.

Website Information. When you visit our website, whether to view our marketing and support materials or to navigate the product, we collect information about the pages you visit. This data is associated with a pseudonymous cookie identifier. If you are logged in, this data is also associated with your logged in account (and therefore your identity).

Billing Information. When you pay for a Pistachio product, we ask for your billing information. This information is passed directly to our payment processor and we do not ever receive or store this data on our servers. We store a record of the transaction for the purpose of providing you with your account history, invoicing, and billing support.

How We Use Your Information

We use your personal data for specific purposes, which include but are not limited to customizing and personalizing your user experience, determining which attacks and training programs to send to you, improving our platform and the services we provide, enhancing our data security measures, and complying with any applicable laws and regulations.

Data Sharing and Transfer

We store all personal data in Google Cloud servers located in Europe. We uphold strict data privacy and security protocols to ensure that your data is kept confidential and secure. We do not transfer personal data to countries outside the European Economic Area (EEA) or share your data with any third parties unless such action is necessary to provide our services or comply with the law.

Data Security

We prioritize your data's security. All personal data stored in Google Cloud is encrypted at rest, and access to our internal systems is strictly limited to a small group of authorized individuals. We regularly update and test our security technology to ensure the ongoing integrity and confidentiality of your data.

Data Retention

We retain your personal data for as long as your company uses our product and for an additional period of 12 months thereafter. After this time, we will securely erase your personal data.

Your Rights Under GDPR

As a data subject, you have several rights under the General Data Protection Regulation (GDPR), which includes the right to access, correct, or delete your personal data. If you want to exercise any of your rights under the GDPR, please contact us at


We want everyone to have a great time on our website, and we're also interested in learning how we can make things even better. To do that, we use two types of cookies:

Ted-id. Whenever you do something on our website, like visiting a page or clicking a button, we keep a note of it. We don't use your real name, just a special code that's stored in the ted-id cookie. This helps us figure out things like how many different people visited us yesterday or how many folks checked out more than one page.

Cybr-session. If you log in to Pistachio using Microsoft, we create an identifier for you and put it in the cybr-session cookie. This identifier helps us know it's really you when you do things on our site. For example, if you want to use a certain feature, we check if you're allowed by looking at it. We also use this identifier when we keep track of what people do on the site. So, if you're logged in and do something, we know it's you.

If you remove these cookies, the ted-id one will come back with a different value, and we have no way of connecting the two values to know they are the same user. But if you delete the cybr-session cookie and log in again, you'll get the same identifier. That's because it's linked to your real account. If you want to get rid of cookies or stop Pistachio from using them, you can change your browser settings.

The data we collect is just for Pistachio – we don't share it with others.


If you have any questions about our privacy practices or if you need to exercise your privacy rights, please contact us at

Changes to Our Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. You can see the last updated date at the top of this page. We encourage you to review this policy often to stay informed about how we use and protect your information.