Privacy Policy

1. Information We Collect

We collect information you provide directly to us, including:

  • Account information (name, email address)
  • Payment information (processed securely through Stripe)
  • Bank account information for ACH transfers (processed securely through Plaid)
  • Usage data and preferences
  • Communications with our support team
  • Device and browser information for security purposes

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process your transactions and send related information
  • Send you technical notices and support messages
  • Respond to your comments and questions
  • Analyze usage patterns to improve user experience
  • Ensure platform security and prevent fraud
  • Comply with legal and regulatory requirements

3. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With service providers who assist in our operations (e.g., payment processing, banking services)
  • To comply with legal obligations
  • To protect our rights and prevent fraud
  • In connection with a business transfer or merger

4. Data Security & Information Security Program

Panwell Labs, Inc. (dba Dark Horse) maintains a comprehensive Information Security Program aligned with SOC 2 Trust Services Criteria to protect your personal information.

4.1 Security Measures

  • Encryption: AES-256 encryption at rest and TLS 1.3 encryption in transit
  • Access Control: Multi-factor authentication (MFA) and role-based access control (RBAC)
  • Database Security: Row-Level Security (RLS) policies on all database tables
  • API Security: Rate limiting and input validation to prevent abuse
  • Infrastructure: SOC 2 Type II certified hosting via Vercel and Supabase

4.2 Security Governance

Our Information Security Officer (ISO), David Powell, CEO, oversees all security operations including:

  • Annual risk assessments and vulnerability management
  • Quarterly access reviews and security audits
  • Incident response coordination
  • Vendor security assessments
  • Security awareness training for all personnel

4.3 Vulnerability Patch Management

We maintain a formal Vulnerability Patch Management Program with defined Service Level Agreements (SLAs):

Severity    CVSS Score    Remediation SLA
Critical    9.0 - 10.0    24 hours
High        7.0 - 8.9     7 days
Medium      4.0 - 6.9     30 days
Low         0.1 - 3.9     90 days

Continuous automated scanning detects vulnerabilities. All findings are tracked in our vulnerability register with assigned owners and SLA deadlines.

4.4 Vulnerability Scanning Program

We perform comprehensive vulnerability scanning across all organizational assets:

  • Endpoint Devices: Monthly scans of employee and contractor laptops/workstations
  • Production Assets: Weekly infrastructure scans, daily cloud security posture monitoring
  • Application Code: Static analysis (SAST) on every commit, dynamic testing (DAST) monthly
  • Dependencies: Automated weekly Software Composition Analysis (SCA)
  • Container Images: Vulnerability scanning on every build
  • Penetration Testing: Annual third-party comprehensive security assessment

4.5 End-of-Life (EOL) Software Management

We actively monitor software dependencies for end-of-life status and maintain a formal EOL management program:

  • Automated weekly dependency vulnerability scanning
  • 30-day upgrade timeline for EOL software announcements
  • 14-day emergency upgrade requirement for long-term EOL software
  • Comprehensive security audit reports maintained quarterly

4.6 Centralized Identity & Access Management (IAM)

We implement a centralized Identity and Access Management (IAM) solution using Supabase Auth as our primary identity provider. This unified platform manages authentication, authorization, and access control across all systems.

  • Centralized Authentication: Single Sign-On (SSO) across all Dark Horse applications with unified credential management
  • Role-Based Access Control (RBAC): Hierarchical role system (super_admin, admin, handicapper, user, guest) with principle of least privilege
  • Row-Level Security (RLS): Database-level access control ensuring users only access authorized data
  • Multi-Factor Authentication (MFA): Required for all administrative and super-admin accounts using TOTP
  • Session Management: Secure session handling with 24-hour timeout, concurrent session limits, and automatic refresh
  • Access Logging: Centralized audit logging of all authentication and authorization events

4.7 Zero Trust Architecture

We implement a Zero Trust security architecture based on the principle of "Never Trust, Always Verify." This approach ensures no user, device, or network location is trusted by default.

  • Continuous Verification: Real-time risk scoring and contextual access decisions based on user behavior, device health, and location
  • Device Trust: Device compliance verification before granting access, including OS updates, encryption, and security software status
  • Micro-Segmentation: Application and data segmentation with isolated security boundaries; production/staging/development environments completely isolated
  • Least Privilege: Just-In-Time (JIT) access for elevated privileges with time-bound permissions and approval workflows
  • Continuous Monitoring: Real-time security monitoring with User and Entity Behavior Analytics (UEBA) and automated anomaly detection
  • Adaptive Access: Step-up authentication for sensitive operations and automatic access termination on suspicious activity

All access requires verification at multiple layers: identity, device, network, application, and data.

4.8 Automated Access De-Provisioning

We maintain automated processes for immediate revocation of access when employees or contractors leave the organization or change roles.

  • Immediate Suspension: Account access suspended within 1 hour of termination notification (15 minutes for high-risk terminations)
  • Complete Revocation: All system access revoked within 4-24 hours including databases, third-party integrations, and admin panels
  • Session Termination: All active user sessions immediately terminated upon de-provisioning trigger
  • Role Transfers: 7-day transition period for role changes with automatic revocation of old permissions
  • Dormant Accounts: Automatic flagging of inactive accounts (90+ days) with manager notification and suspension after 120 days
  • Access Reviews: Quarterly reviews of all privileged accounts with manager confirmation of continued need

All de-provisioning activities are logged with timestamps, verification steps, and audit trails maintained for compliance.

5. Third-Party Service Providers

We engage with carefully vetted third-party service providers to deliver our services. All providers maintain industry-recognized security certifications:

Provider    Service                      Security Certification
Stripe      Payment Processing           PCI DSS Level 1, SOC 2 Type II
Plaid       ACH/Banking Services         SOC 2 Type II
Supabase    Database & Authentication    SOC 2 Type II
Vercel      Hosting & Infrastructure     SOC 2 Type II

All third-party providers undergo annual security assessments and maintain Data Processing Agreements (DPAs) with our organization.

6. Data Retention & Disposal

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected:

  • Account data: Retained while account is active, deleted within 30 days of account closure
  • Transaction records: Retained for 7 years per financial regulations
  • Activity logs: Retained for 1 year for security and fraud prevention
  • Secure disposal: All deleted data is permanently removed using cryptographic erasure methods

7. Incident Response & Breach Notification

We maintain a comprehensive incident response program to detect, respond to, and recover from security incidents:

  • Detection: Real-time security monitoring and automated alerting
  • Response: 24-hour response time for security incidents
  • Notification: In the event of a data breach affecting your personal information, we will notify you within 72 hours
  • Reporting: Security incidents can be reported to security@darkhorsewin.com

8. Your Rights

You have the right to:

  • Access and update your personal information
  • Request deletion of your account and data
  • Opt out of marketing communications
  • Export your data in a portable format
  • Request restriction of processing
  • Object to processing based on legitimate interests

To exercise these rights, please contact us at support@darkhorsewin.com.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to track activity on our service and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. We use cookies for:

  • Authentication and session management
  • Security and fraud prevention
  • Preferences and settings
  • Analytics and performance monitoring

10. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in the United States. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy, including encryption and contractual protections with our service providers.

12. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will provide additional notice via email or platform notification.

13. Contact Us

If you have any questions about this Privacy Policy or our security practices, please contact us:

General Inquiries: support@darkhorsewin.com

Security Issues: security@darkhorsewin.com

Information Security Officer: David Powell, CEO

Company: Panwell Labs, Inc. (dba Dark Horse)

Last Updated: February 24, 2026

Information Security Program Version: 1.6 | Effective Date: February 1, 2026