Privacy Policy

2.1 Personal Information You Provide (CCPA Categories: A, B, C, H)

We collect information that you voluntarily provide to us when you:

• Register for early access or create an account
• Request a penetration test or vulnerability assessment
• Subscribe to our newsletter or communications
• Contact us through our support channels
• Participate in surveys or promotions
• Upload documents or files to our platform
• Make a payment for our services
• Exercise your privacy rights

This information may include:

• Full name (GDPR: Identity Data)
• Email address (GDPR: Contact Data)
• Company name, role, and business information (GDPR: Professional Data)
• Phone number (GDPR: Contact Data)
• Business address (GDPR: Contact Data)
• Industry, company size, and organizational data (GDPR: Professional Data)
• IP addresses and network information for security assessments (GDPR: Technical Data)
• Payment information - processed by Stripe (GDPR: Financial Data, CCPA Category D)
• Government-issued identification for identity verification via Stripe Identity (GDPR: Identity Data, CCPA Category G)
• Security clearance information if voluntarily provided (GDPR: Special Category Data)
• Communication preferences and marketing consents (GDPR: Marketing Data)
• Any other information you choose to provide

2.2 Automatically Collected Information (CCPA Categories: F, G, K)

When you access our Services, we automatically collect certain information through cookies and similar technologies:

• Device information: device type, operating system, browser type and version (GDPR: Technical Data)
• IP address and approximate geolocation data (GDPR: Technical Data)
• Log data: access times, pages viewed, referring URLs, clickstream data (GDPR: Usage Data)
• Cookies and similar tracking technologies (see Section 7)
• Usage data and analytics: features used, time spent, interaction patterns (GDPR: Usage Data)
• Performance and diagnostic data: errors, crashes, load times (GDPR: Technical Data)
• Network activity: bandwidth usage, connection quality (GDPR: Technical Data)
• Inferences drawn from the above to create user profiles (CCPA Category K)

2.3 Information from Third Parties (CCPA Categories: B, C, F, G)

We may receive information about you from third-party sources, including:

• Business partners and service providers (contact and professional information)
• Social media platforms if you choose to connect your accounts (profile data)
• Publicly available databases and data brokers (business information)
• Marketing and analytics providers (demographic and behavioral data)
• Threat intelligence feeds and security databases (security-related data)
• Payment processors (transaction and verification data)
• Identity verification services (identity confirmation data)

3.1 Service Delivery (GDPR: Contract Performance, Legitimate Interests)

• Provide, operate, and maintain our Services
• Process your requests, transactions, and service orders
• Conduct penetration tests and vulnerability assessments
• Generate security reports, findings, and recommendations
• Provide customer support and technical assistance
• Authenticate users and manage access controls
• Prevent fraud, abuse, and unauthorized access
• Perform identity verification through Stripe Identity
• Process payments securely through Stripe

3.2 Communication (GDPR: Consent, Contract Performance, Legitimate Interests)

• Send you service-related notifications, updates, and confirmations
• Respond to your inquiries, requests, and support tickets
• Send marketing communications (with your consent - you can opt-out anytime)
• Provide security alerts, threat notifications, and vulnerability disclosures
• Send newsletters, educational content, and security best practices
• Notify you of changes to our Terms of Service or Privacy Policy
• Conduct customer satisfaction surveys and feedback requests

3.3 Improvement and Development (GDPR: Legitimate Interests)

• Analyze usage patterns and user behavior to improve our Services
• Develop new features, tools, and functionality
• Conduct research, analytics, and statistical analysis
• Enhance security measures and threat detection capabilities
• Troubleshoot technical issues and optimize performance
• Test and evaluate new technologies and methodologies
• Create aggregated, anonymized data for industry research

3.4 Legal and Compliance (GDPR: Legal Obligation, Vital Interests)

• Comply with legal obligations under GDPR, CCPA, and other regulations
• Enforce our Terms of Service, policies, and agreements
• Protect our rights, property, safety, and that of our users
• Respond to legal processes, court orders, and government requests
• Prevent fraud, security threats, cybercrimes, and illegal activities
• Investigate and respond to data breaches or security incidents
• Maintain records required by law or regulation
• Defend against legal claims and disputes

5.1 Service Providers (CCPA: Disclosed for Business Purposes)

We engage third-party service providers who process personal data on our behalf as data processors (GDPR) or service providers (CCPA). We share Categories A, B, C, F, G, H with:

• Cloud hosting and infrastructure providers: Vercel (hosting), Supabase (database) - Categories A, B, C, F, G, H
• Email service providers: Resend (email delivery) - Categories A, B, C
• Payment processors: Stripe (payment processing and identity verification) - Categories A, B, C, D, G, H
• Analytics and monitoring services: Google Analytics (usage analytics) - Categories F, G
• Customer support platforms: Support ticket and chat systems - Categories A, B, C
• Security and vulnerability scanning tools: Security testing platforms - Categories F, G, H
• Communication platforms: SMS and notification services - Categories A, B

These providers have access to your information only to perform specific tasks on our behalf under written contracts that obligate them to protect your information, not use it for their own purposes, and comply with applicable data protection laws. We conduct due diligence on all service providers to ensure GDPR and CCPA compliance.

5.3 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, reorganization, or other business transaction, your information may be transferred as part of that transaction. In such cases, the acquiring entity will be bound by this Privacy Policy. We will notify you via email and/or prominent notice on our website of any change in ownership, uses of your personal information, and any choices you may have regarding your information.

5.4 Legal Requirements and Protection

We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:

• Comply with subpoenas, court orders, legal processes, or lawful requests from government authorities
• Enforce our Terms of Service, policies, or other agreements
• Protect the rights, property, or safety of CoreCyber, our users, or the public
• Investigate, prevent, or take action regarding suspected fraud, security issues, illegal activities, or violations of our policies
• Respond to data subject access requests or other privacy rights requests as required by law
• Protect against legal liability or defend legal claims

5.5 With Your Consent

We may share your information with third parties when you have given us explicit, informed consent to do so. Examples include: sharing testimonials or case studies (with your permission), participating in third-party integrations you authorize, or any other purpose you specifically approve.

5.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, industry benchmarking, marketing, or other purposes. This data is not considered personal information under GDPR or CCPA and is not subject to the restrictions in this Privacy Policy.

6.1 GDPR Transfer Mechanisms

When we transfer personal data from the EEA, UK, or Switzerland to countries outside these regions, we implement appropriate safeguards as required by GDPR:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (also known as Model Clauses) for transfers to countries without adequacy decisions.
• Data Processing Agreements (DPAs): We enter into comprehensive DPAs with all service providers that process personal data on our behalf.
• Adequacy Decisions: We rely on adequacy decisions by the European Commission where available (e.g., transfers to countries deemed to provide adequate protection).
• Supplementary Measures: We implement additional technical and organizational measures to ensure data protection equivalent to GDPR standards, including encryption, access controls, and contractual commitments.
• Transfer Impact Assessments (TIAs): We conduct TIAs to assess the laws and practices of destination countries and implement appropriate safeguards.

6.2 U.S. Data Protection Framework

For transfers to the United States, we comply with applicable U.S. privacy laws, including CCPA, and implement robust security measures. We monitor developments in EU-U.S. data transfer frameworks and will comply with any applicable certification mechanisms.

6.3 Consent to International Transfers

By using our Services, you acknowledge and consent to the transfer of your information to the United States and other countries where we or our service providers operate. If you do not consent to such transfers, please do not use our Services.

7.1 What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit our website. We use cookies and similar tracking technologies (pixels, beacons, local storage) to enhance your experience, analyze usage, provide personalized content, and deliver relevant advertising.

7.2 Types of Cookies We Use

We use the following categories of cookies:

• Strictly Necessary Cookies (GDPR: Legitimate Interest): Essential for the website to function properly. These cookies enable core functionality such as authentication, security features, and access to secure areas. Without these cookies, services you have requested cannot be provided. These cookies do not require consent under GDPR.
• Performance/Analytics Cookies (GDPR: Consent Required): Help us understand how visitors use our website by collecting information about pages visited, time spent, errors encountered, and other usage metrics. We use Google Analytics and similar tools. These cookies are anonymized where possible and require your consent.
• Functional Cookies (GDPR: Consent Required): Remember your preferences and settings, such as language selection, region, font size, and other customization options. These cookies enhance your user experience but are not strictly necessary. They require your consent.
• Marketing/Targeting Cookies (GDPR: Consent Required): Used to deliver relevant advertisements, track campaign effectiveness, and limit the number of times you see an ad. These cookies may be set by us or third-party advertising partners. They require your explicit consent and you can opt-out at any time.

7.4 Your Cookie Choices and Consent Management

You have the right to accept or reject cookies. You can manage your cookie preferences through:

• Our Cookie Consent Banner: When you first visit our website, a banner appears allowing you to accept or customize cookie settings. You can change these preferences at any time by clicking the cookie settings link in our footer.
• Browser Settings: Most browsers allow you to view, delete, and block cookies. Access your browser's help section for instructions. Common browsers: Chrome (chrome://settings/cookies), Firefox (about:preferences#privacy), Safari (Preferences > Privacy), Edge (edge://settings/privacy).
• Third-Party Opt-Outs: For third-party advertising cookies, visit the Digital Advertising Alliance (DAA) opt-out page: www.aboutads.info/choices or the Network Advertising Initiative (NAI) opt-out page: www.networkadvertising.org/choices.
• Google Analytics Opt-Out: Install the Google Analytics Opt-Out Browser Add-on: tools.google.com/dlpage/gaoptout

Note: Blocking or deleting certain cookies may limit your ability to use specific features of our Services. Strictly necessary cookies cannot be disabled as they are essential for the website to function.

7.5 Do Not Track (DNT) Signals

Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting not to be tracked. Currently, there is no industry-wide standard for recognizing and implementing DNT signals. Our Services do not respond to browser DNT signals at this time. However, you can use the cookie management options described above to control tracking. We will update this policy if an industry standard for DNT signals is established.

15.1 Arbitration Rules

Arbitration shall be conducted in accordance with the Consumer Arbitration Rules of the American Arbitration Association (AAA) in effect at the time of the dispute. The arbitration shall take place in Sheridan, Wyoming, or remotely via video conference if mutually agreed. Each party shall bear its own costs and attorneys' fees unless the arbitrator awards them to the prevailing party. The arbitrator's decision shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.

15.2 Exceptions to Arbitration

Either party may bring claims in small claims court if the claim qualifies for small claims court jurisdiction. Additionally, either party may seek injunctive or equitable relief in court to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights or to protect confidential information.

15.3 Class Action Waiver

YOU AND THE COMPANY AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN AN INDIVIDUAL CAPACITY AND NOT AS A CLASS MEMBER OR REPRESENTATIVE IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING, INCLUDING CLASS ARBITRATIONS. Unless both parties agree otherwise in writing, the arbitrator may not consolidate more than one person's claims and may not otherwise preside over any form of representative or class proceeding. This class action waiver does not apply to residents of jurisdictions where such waivers are prohibited by law.