top of page

WEBSITE PRIVACY POLICY

Last updated: August 20, 2025

Mettlehawk Defense USA, Inc. ("Mettlehawk Defense," "Mettlehawk," "we," "us," or "our") respects your privacy and is committed to protecting personal information entrusted to us. This Privacy Policy describes how we collect, use, disclose, secure, and retain information when you visit our websites that link to this Policy (the "Sites"), contact us, subscribe to updates, apply for roles, or otherwise interact with us online.

Defense-grade transparency. Because we operate in the defense sector, we apply heightened standards of security and compliance. This Policy includes terms specific to export controls (ITAR/EAR), Controlled Unclassified Information (CUI), and Department of Defense (DoD) requirements where applicable.

Scope & Applicability

This Policy applies to: (i) visitors to our Sites; (ii) business contacts, including U.S. and allied government representatives, industry partners, and suppliers who communicate with us via the Sites; and (iii) job applicants who submit information through our online processes. This Policy does not apply to offline activities unrelated to the Sites, to separate portals that provide different notices, or to information processed strictly under contract as a service provider to a government customer (in which case the contract and applicable law govern).

Important: Our public web forms are not authorized channels for classified information, Controlled Unclassified Information (CUI), or export-controlled technical data. Do not transmit such information via the Sites. If you need a secure channel, contact us for instructions.

Information We Collect

We collect the following categories of information, which may be considered personal information or personal data under applicable law:

A. Information you provide directly

  • Business contact information: name, rank/title, organization, work email, phone number, country/region.

  • Correspondence and submissions: inquiry details, attachments you choose to upload (e.g., capability statements, RFPs/RFIs), and preferences (e.g., newsletter optin).

  • Recruiting/applicant data: resume/CV, employment and education history, certifications, security clearances (if voluntarily disclosed), immigration/work authorization, and other information provided during recruitment.
     

B. Information collected automatically

  • Device and usage data: IP address, browser type/version, device identifiers, pages viewed, referring/exit pages, and timestamps. We collect this via cookies, logs, and similar technologies.

  • Cookie data: strictly necessary cookies and, if enabled by you, analytics and performance cookies. You can manage preferences via our cookie banner and your browser settings.
     

C. Information from third parties

  • Vendors and partners who help operate the Sites, process applications, perform analytics, or host our content.

  • Public and government sources to confirm identity, affiliation, or eligibility for certain engagements.
     

We do not intentionally seek sensitive personal information (e.g., precise geolocation, biometric identifiers, health information) via the Sites. If you choose to submit such information (for example, as part of an application), we will protect and process it consistent with this Policy and applicable law.

How We Use Information (Purposes & Legal Bases)

We use information for the following business purposes:

  1. Respond and communicate: to handle inquiries, proposals, requests for information, and to manage subscriptions.

  2. Operate and secure the Sites: including troubleshooting, analytics, preventing fraud, detecting intrusions, and maintaining the integrity and availability of our systems.

  3. Recruitment: to evaluate candidacies, schedule interviews, verify qualifications, and comply with employment laws.

  4. Compliance: to comply with U.S. and international laws, including export controls (ITAR/EAR), sanctions, and defense procurement/security requirements (e.g., DFARS, NIST SP 800171 for CUI in nonfederal systems, where applicable).

  5. Business planning: to improve our services, develop content and training offerings, and maintain relationships with partners and customers.
     

Legal bases (EEA/UK). Where the GDPR/UK GDPR applies, our processing is based on one or more of: (a) legitimate interests (e.g., responding to your inquiry, securing our systems); (b) contract (e.g., processing an application you submit); (c) legal obligation (e.g., compliance and recordkeeping); and (d) consent (e.g., for optional cookies or marketing communications).

We do not use personal information for profiling for decisions that produce legal or similarly significant effects about you via the Sites.

Export Control, National Security & Sensitive Information Restrictions

  • Do not submit classified information, CUI, or exportcontrolled technical data via public forms, email addresses published on the Sites, or unapproved channels.

  • Submitting such content could constitute an export, including a deemed export (e.g., disclosure to a nonU.S. person). We will reject, delete, or quarantine such submissions and may notify appropriate authorities as required by law.

  • If your engagement requires the exchange of controlled information, we will provide a secure, authorized mechanism and, where required, arrange appropriate agreements and licenses.

How We Share Information

We share information in limited circumstances:

  • Service providers: hosting, security monitoring, analytics, applicant tracking, communications, and professional advisers (subject to confidentiality and security commitments).

  • Affiliates: within our corporate structure for the purposes described in this Policy.

  • Partners and subcontractors: when needed for a joint engagement and only under appropriate agreements (e.g., confidentiality, data protection, export control).

  • Legal and compliance: to comply with law, regulation, export controls, sanctions, lawful requests, or to protect rights, safety, and security.

  • Business transfers: in connection with a corporate transaction (e.g., merger, investment, acquisition), subject to continued protections.

    We do not sell or share personal information for crosscontext behavioral advertising. If this changes, we will update this Policy and provide required optout mechanisms.

Cookies & Similar Technologies

We use:

  • Strictly necessary cookies to deliver core site functions.

  • Analytics/performance cookies (optional) to understand how the Sites are used, improve content, and detect anomalies.


Manage your preferences in our cookie banner or via your browser settings. Some browsers offer Global Privacy Control (GPC) signals; where legally required, we treat GPC as an optout preference for applicable activities.


Do Not Track (DNT). Industry standards for DNT signals are not uniform. We currently do not respond to DNT signals.

Security

We maintain administrative, technical, and physical safeguards designed to protect personal information. Where we handle CUI in the performance of contracts, our controls are aligned to NIST SP 800171 and DFARS 252.2047012 requirements, as applicable to that contract. While no method of transmission or storage is perfectly secure, we strive for defensegrade protections, including encryption in transit, network segmentation, access controls, and continuous monitoring.

If the law or a contract requires it, we will notify customers and, when applicable, the DoD and relevant authorities of certain cyber incidents and cooperate as required.

Data Retention

We retain information for as long as necessary to fulfill the purposes described in this Policy or as required by law, contracts, or recordkeeping obligations. Typical examples include:

  • Inquiries and business communications: retained while we have an active relationship and for a reasonable period afterward.

  • Recruiting records: kept for the duration of the recruiting process and, if not hired, for a period consistent with legal requirements and our retention schedule.

  • Compliance records: retained per applicable statutes, regulations, and contract clauses.
     

When information is no longer needed, we securely delete or deidentify it.

International Transfers

We operate in the United States and may transfer information to other countries where we or our service providers operate. When transferring personal data from the EEA/UK to countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) or other lawful mechanisms, supplemented by appropriate safeguards and transfer impact assessments where required. Exportcontrolled data will only be transferred through authorized and secure channels consistent with export laws.

Your Privacy Rights & Choices

Your rights vary by jurisdiction. Subject to legal limits, you may have the right to:

  • Access and obtain a copy of your personal information;

  • Correct inaccurate information;

  • Delete personal information;

  • Port certain information;

  • Opt out of certain processing (e.g., targeted advertising, sale/share of personal information—activities we do not undertake via the Sites);

  • Limit the use/disclosure of sensitive personal information (not routinely collected via the Sites);

  • Withdraw consent where processing is based on consent; and

  • Appeal a denial of your request, where available.
     

How to exercise your rights

Submit a request to info@mettlehawkdefense.com or mail us at the address in Section 14. We may need to verify your identity and request details to protect your information. You may authorize an agent to act on your behalf where allowed by law, subject to verification.
 

We will not discriminate against you for exercising your rights. Certain information may be exempt from deletion or access where retention is required by law, contract, national security, or export control obligations.

Children’s Privacy

Our Sites are not directed to children and we do not knowingly collect personal information from anyone under 16 years of age. If you believe a child has provided personal information via the Sites, contact us so we can take appropriate action.

ThirdParty Links & Services

The Sites may link to thirdparty websites or services that we do not control. Their privacy practices are governed by their own policies. We encourage you to review those policies before providing information.

Changes to This Policy

We may update this Policy to reflect changes in our practices, technologies, or legal requirements. Material changes will be posted on this page with an updated "Last updated" date. Where required by law, we will provide additional notice or obtain consent.

How to Contact Us

Mettlehawk Defense USA, Inc.
PO Box 598
Wardensville, West Virginia 26851, USA


Email: info@mettlehawkdefense.com (preferred for privacy requests)

If you are in the EEA/UK and wish to inquire about crossborder transfers or SCCs, please include "EEA/UK request" in your subject line.

Additional Notices

A. California & other U.S. state privacy laws

If you are a resident of a U.S. state with a comprehensive privacy law (e.g., California, Colorado, Connecticut, Utah, Virginia, and others as they come into force), you may have additional rights described in Section 10. We provide consistent mechanisms to submit requests (email or mail). We do not sell or share personal information for crosscontext behavioral advertising. We may use limited analytics cookies with your consent.

B. Applicants & Recruiting

If you apply for a role with Mettlehawk Defense, we process your applicant data to evaluate your qualifications, manage interviews, perform due diligence, comply with legal obligations, and, where appropriate, extend offers and onboard new hires. Applicant records may be retained to consider you for future roles, consistent with your preferences and applicable law. A supplemental applicant privacy notice may be presented during the application process.

C. Government & Defense Contracting

For engagements involving government contracts, we may process information in accordance with contract clauses (e.g., safeguarding, incident reporting) and agency guidance. Where contract terms conflict with this Policy, the contract controls.

D. ExportControlled Submissions

If you believe you must share information that may be ITAR/EARcontrolled or CUI, contact us first. We will establish an authorized and secure channel and, if required, obtain appropriate export licenses or agreements before any transfer. Unauthorized submissions may be deleted or quarantined without response.

Definitions (Simplified)

  • Personal information / personal data: information that identifies, relates to, or can reasonably be linked with a particular individual.

  • CUI: Controlled Unclassified Information handled under U.S. government contracts and related regulations.

  • Technical data: certain information related to defense articles or services that is controlled under export laws.

  • Sale / Share (U.S. state laws): as defined by applicable state privacy laws; we do not engage in these activities for personal information collected via the Sites.
     

Practical Guidance for Secure Engagements

  • Use our public forms only for noncontrolled business inquiries.

  • Do not upload blueprints, schematics, source code, or sensitive operational details.

  • Ask us for a secure workspace if your matter may involve controlled data.

 

This Policy is intended to provide clear, defensegrade transparency while remaining readable. It does not create contractual or thirdparty beneficiary rights. Where a contract with a customer or agency applies, its terms govern the processing of information in connection with that engagement.

bottom of page