Last update 03.03.2026

Privacy Notice

Revision 1.4


Introduction

Pistachio ("we", "us", or "our") respects the privacy of its users ("user", "you", "your") and is committed to protecting it through our compliance with this Privacy Notice. It describes the types of information we may collect from you or that you may provide when you use our services and our practices for collecting, using, maintaining, protecting, and disclosing that information.

Roles and Responsibilities

Our compliance with information security and data protection lies with our COO, who is a former corporate and compliance lawyer. Together with our Information Security Management System (ISMS) committee, the COO has the overall responsibility for ensuring this Privacy Notice is complied with.

Pistachio as Processor of Data

When a customer or partner uses Pistachio’s products, Pistachio processes personal data on its behalf. We only process personal data as a processor acting on behalf of the customer or partner as controller.

We collect and process personal data solely for the purpose of delivering our products, including the Pistachio Platform, and for billing, statistics, security, and meeting our legal obligations towards customers and partners.

As a data processor with customers and partners worldwide, we are subject to the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) as retained under the UK Data Protection Act 2018, as well as local privacy laws in other countries where customers and their users are located.

From our perspective as service provider, collection of certain personal data is required to fulfill our obligations towards our customers as set out in our Terms of Service, as collection of certain data is necessary for the Pistachio Platform to operate effectively.

From each customer’s perspective, our data processing is based on the principle of legitimate interest: balancing the customer's interest in mitigating cyber threats against how invasive the processing is for the employee data subject (generally not very invasive, as it is work-related data and behavior, as opposed to e.g. sensitive personal information and health data). This is in line with other cyber security products on the market, which are typically built on monitoring personal data, only with different goals across products (data loss prevention, threat detection, antivirus, etc.).

Data Protection Principles

Protecting data and securing information are fundamental to our business. Customers can trust us to operate at a high standard when it comes to security and data protection.

We are ISO/IEC 27001 certified, meaning we meet internationally recognized standards for protecting data. We take proper technical and organizational measures to protect against unauthorized or unlawful processing of any personal data provided by a customer, or any accidental loss, destruction or damage of data.

As an ISO/IEC 27001 certified company, our entire business is managed and operated along the following three principles:

  • Protecting confidentiality, integrity, and availability of information
  • Identifying and assessing risks, and implementing appropriate controls
  • Enabling continual monitoring and improvement

To ensure information is classified and given an appropriate protection level, retained and securely disposed of, we have a Data Management Policy classifying data and information systems in accordance with legal requirements, sensitivity, and business criticality.

We have established three classes of data: confidential, restricted and public. Our customer data is classified as confidential, meaning we treat it as highly sensitive with the highest levels of protection. Among other measures, access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive.

We process personal data in accordance with the data protection principles set forth in Article 5 of the GDPR and the equivalent provisions of UK GDPR, including the following:

  • Data minimization: We do not collect personal data we do not need. We limit collection and use of personal data to what is necessary in relation to its purpose.
  • Data accuracy: Personal data is accurate, complete and up to date, and we do not store data if we believe it is outdated.
  • Data deletion: Personal data is never retained for longer than necessary given the relevant purpose. We have established retention periods for various data and delete data in line with such.
  • Data security: Personal data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. As an ISO/IEC 27001 certified company, we have adopted high technical and organisational data security measures, also towards third party suppliers, to ensure a proper level of data security.

Information We Collect

Product Information. In order for the Pistachio Platform to operate effectively, we collect several types of personal data about each licensed user. This data includes the user’s department, name, job title, email address, phone number, country, language, photo, status (enabled/disabled) and the name of each Entra ID group the user is a member of. This data is all taken from Microsoft Entra ID.

For Practice, our security awareness product, we collect data about how each user interacts with the Pistachio Platform, such as the scenarios and simulations each user received, whether the user failed a given simulation or answered the scenario, and other interaction data of that type.

For Presence, our insider threat detection product, we collect data about each user's activity inside your Microsoft environment, such as file and email actions, as well as actions taken in services you have connected to Pistachio (such as GitHub and HubSpot). Presence uses audit logs to detect insider threats. Upon receipt of audit logs via a customer’s Microsoft tenant, the following data is made available to us:

  • File activity data, including the name and path of the file and the action the user took (access, modify, delete, download, and upload).
  • Email activity data, such as emails sent, including the subject line, size of the email, and the name of any attachments.
  • Login events, including whether the login was successful and the device used.
  • Other events, such as Copilot interaction data.

A full list of the types of data Microsoft makes available can be found here.

In order to function, Pistachio requires certain permissions to be granted over your Microsoft Entra tenant. You can read about those permissions here.

Website Information. When you visit our website, whether to view our marketing and support materials or to navigate the product, we collect information about the pages you visit. This data is associated with a pseudonymous cookie identifier. If you are logged in, this data is also associated with your logged in account (and therefore your identity).

Billing Information. When you pay for a Pistachio product, we ask for your billing information. This information is passed directly to our payment processor and we do not ever receive or store this data on our servers. We store a record of the transaction for the purpose of providing you with your account history, invoicing, and billing support.

How We Use Your Information

We use your personal data for specific purposes, which include but are not limited to customizing and personalizing your user experience, showing admins in Pistachio relevant information, determining which attacks and training programs to send to you, identifying threats inside of your environment, improving our platform and the services we provide, enhancing our data security measures, and complying with any applicable laws and regulations. Please see below for a more detailed break-down for each of our products.

Practice. As for our product Practice, we collect data about how each user interacts with the Pistachio Platform, such as attacks and training each user received, whether the user failed a given attack or confirmed the training, and other interaction data of that type, to allow us to determine which attacks and training programs to send. In this context, data on how users interact includes future features that we release introducing new ways for users to interact with training and attacks.

Presence. As for our product Presence, audit log processing is required for the product to function, as processing of personal data forms the basis for detecting insider threats. The logs monitored are the same audit logs typically monitored manually by a customer’s IT admin. Thus, the processing and monitoring Presence does is often covered by the existing data policies of the customer. No one has access to the models except Pistachio, and they are only used for the purpose of insider threat detection. Collected data is never used by Google for training their models.

From a data privacy perspective, Presence is less invasive than manual review of audit logs by IT admins, since the IT team does not see audit logs of individuals unless Presence reports suspicious behavior after assessment by the product's reasoning model. In line with the principle of legitimate interest, Presence does not target individual users from the outset. Rather, the models have been trained to generally monitor each licensed user, to identify behavior deemed suspicious based on the models’ understanding of context and intent (as opposed to flagging users based on simple rules). The product only sends an alert if the validation models confirm a user is a potential insider threat.

Presence does not make automated decisions with legal consequences, as there is a human involved on the customer side confirming and deciding how to proceed if the product reports a potential threat.

Data Sharing and Transfer

Pistachio stores all personal data in Google Cloud servers located in Europe. We uphold strict data privacy and security protocols to ensure the data is kept confidential and secure. We do not transfer personal data to countries outside the European Economic Area (EEA) or share data with any third parties unless such action is necessary to provide our services or comply with the law.

For customers based in the UK: transfers of personal data from the UK to our servers in the Netherlands (an EEA country) are lawful on the basis of the UK’s adequacy regulations recognizing the EU as providing an adequate level of data protection. No additional transfer mechanism is therefore required for such transfers.

As for Presence in particular, the AI models used run inside Google Cloud’s Vertex AI, and the data never leaves Google’s data center in Europe, located at Eindhoven in the Netherlands.

Data Security

We prioritize your data security in line with ISO/IEC 27001. All personal data stored in Google Cloud is encrypted at rest, and access to our internal systems is strictly limited to a small group of authorized individuals. We regularly update and test our security technology to ensure the ongoing integrity and confidentiality of your data.

Data Retention

Pistachio retains data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived.

For Practice, this means we retain data for as long as the customer uses our product and for an additional period of 12 months thereafter. After this time, we securely erase personal data from our product. The additional 12-month period is simply to allow for the customer to download security training insights at the end of the fiscal year prior to the data being disposed of (e.g. for audit and compliance reporting purposes).

Personally identifiable information (PII) is deleted or de-identified as soon as it no longer has a business use.

For Presence, we only store data for as long as we need it to detect threats, which is 60 days. However, if an alert is generated about an employee, the data is then stored and made available to the customer as a CSV file for as long as the customer is using our service. This allows the customer to go back and review past cases. This is in line with other cybersecurity products on the market.

Pistachio documents its retention periods in the Data Retention Matrix included in our Data Management Policy, which has been reviewed as part of our ISO 27001 certification process.

Cookies

We want everyone to have a great time on our website, and we're also interested in learning how we can make things even better. To do that, we use two types of cookies:

Ted-id. Whenever you do something on our website, like visiting a page or clicking a button, we keep a note of it. We don't use your real name, just a special code that's stored in the ted-id cookie. This helps us figure out things like how many different people visited us yesterday or how many folks checked out more than one page.

Cybr-session. If you log in to Pistachio using Microsoft, we create an identifier for you and put it in the cybr-session cookie. This identifier helps us know it's really you when you do things on our site. For example, if you want to use a certain feature, we check if you're allowed by looking at it. We also use this identifier when we keep track of what people do on the site. So, if you're logged in and do something, we know it's you.

If you remove these cookies, the ted-id one will come back with a different value, and we have no way of connecting the two values to know they are the same user. But if you delete the cybr-session cookie and log in again, you'll get the same identifier. That's because it's linked to your real account. If you want to get rid of cookies or stop Pistachio from using them, you can change your browser settings.

The data we collect is just for Pistachio – we don't share it with others.

Security Audits

Our data and information security procedures are consistently improved, and our procedures are subject to both internal and external audits and tests several times per year. As an ISO/IEC 27001 certified company, our compliance is subject to external review annually by an independent auditor.

Your rights - Contact & Supervisory Authorities

As a data subject, you have several rights under applicable data protection law, including the right to access, correct, or delete your personal data, the right to restrict or object to processing, and the right to data portability. If you want to exercise any of your rights, please contact us at privacy@pistachioapp.com. You also have the right to lodge a complaint with the relevant supervisory authority in your country. If you are based in the EU, the relevant supervisory authority is the data protection authority in your EU member state. If you are based in the UK, Pistachio is registered with the UK Information Commissioner’s Office (ICO) in connection with its processing of personal data relating to UK data subjects, and the ICO can be contacted at www.ico.org.uk.

Changes to Our Privacy Notice

Our Privacy Notice is subject to review and update at least annually to reflect changes in our practices or for other operational, legal, or regulatory reasons. You can see the last updated date at the top of this page. We encourage you to review this Privacy Notice often to stay informed about how we use and protect your information.