Privacy Policy

Who we are and what this covers

Trail of Bits, Inc. (“Trail of Bits,” “we,” “us,” or “our”) is a security research and engineering firm headquartered in New York, NY. This Privacy Policy explains how we collect, use, share, and protect personal information when you visit trailofbits.com, contact us, or otherwise interact with us online.

It does not cover the practices of third parties we do not control, including sites we link to and services operated by our clients. By using this site, you agree to the collection and use of information as described here.

Information we collect

Information you provide

When you fill out a form — to contact us, book office hours, or apply for a role or program — you may give us your name, email address, company, and the contents of your message or application. We collect only what you choose to share.

Information collected automatically

When you browse the site, we and our service providers automatically collect standard technical and usage data, including:

• Device and browser information, such as IP address, browser type, and operating system.
• Usage data, such as the pages you view, links you click, and referring URLs.
• Campaign attribution data (UTM parameters) from marketing links, stored in your browser for the duration of your visit so we can understand how you found us.

How we use information

We use the information we collect to:

• Respond to your inquiries and provide the information or services you request.
• Operate, maintain, secure, and improve the site and our offerings.
• Understand how visitors use the site, in aggregate, so we can make it more useful.
• Send you communications about our work or events where you have asked to hear from us.
• Evaluate job applications and manage recruiting.
• Review and administer applications to our programs.
• Comply with legal obligations, enforce our terms, and protect our rights, users, and systems.

If we send you marketing or program emails, you can unsubscribe at any time using the link included in every such email.

Cookies and similar technologies

We use cookies and similar technologies to run the site, remember your preferences, measure traffic, and support our marketing. These fall into a few categories:

• Strictly necessary cookies, which are required for the site to function and cannot be switched off.
• Analytics cookies, which help us understand how the site is used so we can improve it.
• Marketing cookies, which help us measure and attribute campaigns.

Where required, we ask for your consent before setting non-essential cookies. You can review and change your choices at any time using the “Cookie Settings” link in the footer, or through your browser settings.

Service providers and third parties

We rely on a small set of trusted service providers to operate the site and our marketing. They process personal information only on our behalf and under contract. The main providers active on this site are:

• HubSpot — form submissions, scheduling (such as booking office hours), CRM, marketing analytics and tracking pixels, and the cookie-consent banner (privacy policy).
• Vercel — website hosting and privacy-friendly, cookieless traffic analytics (privacy policy).
• Google Fonts — serves the site's web fonts and receives your IP address when fonts load (privacy policy).
• Google reCAPTCHA — protects our forms from spam and abuse; its use is subject to Google's privacy policy and terms of service.
• YouTube — we embed videos (such as talks and program content) in privacy-enhanced mode (youtube-nocookie.com); YouTube may receive data and set cookies when you play a video (privacy policy).

How we share information

We share personal information only in the following circumstances:

• With the service providers described above, to the extent needed to perform services for us.
• With program partners, when you apply to or take part in a co-sponsored program: we share the information you submit with the partner for that program, so we can jointly review applications and coordinate it.
• When required to comply with law, regulation, legal process, or an enforceable governmental request.
• To protect the rights, property, safety, and security of Trail of Bits, our users, and the public.
• In connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
• With your consent or at your direction.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

Data retention

We keep personal information only for as long as necessary to fulfill the purposes described in this policy, including to satisfy any legal, accounting, or reporting requirements. Retention periods vary by the type of data and the context in which we collected it. When information is no longer needed, we delete or anonymize it.

How we protect information

As a security company, we take data protection seriously and maintain technical and organizational measures designed to protect personal information against loss, misuse, and unauthorized access. No method of transmission or storage is completely secure, however, so we cannot guarantee absolute security.

International data transfers

Trail of Bits is based in the United States, and our service providers may process data in the United States and other countries. If you access the site from outside the United States, your information may be transferred to, stored in, and processed in a country whose data-protection laws differ from those in your jurisdiction. Where required, we rely on appropriate safeguards, such as Standard Contractual Clauses, for these transfers.

Your privacy rights

Depending on where you live, you may have rights over your personal information. We honor these rights regardless of where you are located, to the extent applicable law allows.

EEA and UK residents

If you are in the European Economic Area or the United Kingdom, you may have the right to access, correct, delete, restrict, or object to our processing of your personal information, to data portability, and to withdraw consent. We process personal information on the legal bases of consent, performance of a contract, our legitimate interests, and compliance with legal obligations. You also have the right to lodge a complaint with your local supervisory authority.

California residents

If you are a California resident, you may have the right to know what personal information we collect and how we use it, to request access to and deletion or correction of that information, and to be free from discrimination for exercising your rights. We do not sell or share your personal information as those terms are defined under California law.

To exercise any of these rights, contact us using the details below. We will verify and respond to your request as required by applicable law.

Children's privacy

The site is intended for a professional audience and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

Third-party links

Our site links to third-party sites and resources, including our blog, GitHub repositories, and publications. We are not responsible for the privacy practices of those services, and this policy does not apply to them. We encourage you to review their privacy policies.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “last updated” date above, and, where appropriate, provide additional notice. Your continued use of the site after an update means you accept the revised policy.

Contact us

If you have questions about this policy or how we handle your personal information, or if you would like to exercise your privacy rights, reach out to us: