Privacy Policy

2.1 Personal Information You Provide (CCPA Categories: A, B, C, H)

We collect information that you voluntarily provide to us when you:

• Register for early access or create an account
• Request a penetration test or vulnerability assessment
• Subscribe to our newsletter or communications
• Contact us through our support channels
• Participate in surveys or promotions
• Upload documents or files to our platform
• Make a payment for our services
• Exercise your privacy rights

This information may include:

• Full name (GDPR: Identity Data)
• Email address (GDPR: Contact Data)
• Company name, role, and business information (GDPR: Professional Data)
• Phone number (GDPR: Contact Data)
• Business address (GDPR: Contact Data)
• Industry, company size, and organizational data (GDPR: Professional Data)
• IP addresses and network information for security assessments (GDPR: Technical Data)
• Payment information - processed by Stripe (GDPR: Financial Data, CCPA Category D)
• Government-issued identification for identity verification via Stripe Identity (GDPR: Identity Data, CCPA Category G)
• Security clearance information if voluntarily provided (GDPR: Special Category Data)
• Communication preferences and marketing consents (GDPR: Marketing Data)
• Any other information you choose to provide

2.2 Automatically Collected Information (CCPA Categories: F, G, K)

When you access our Services, we automatically collect certain information through cookies and similar technologies:

• Device information: device type, operating system, browser type and version (GDPR: Technical Data)
• IP address and approximate geolocation data (GDPR: Technical Data)
• Log data: access times, pages viewed, referring URLs, clickstream data (GDPR: Usage Data)
• Cookies and similar tracking technologies (see Section 7)
• Usage data and analytics: features used, time spent, interaction patterns (GDPR: Usage Data)
• Performance and diagnostic data: errors, crashes, load times (GDPR: Technical Data)
• Network activity: bandwidth usage, connection quality (GDPR: Technical Data)
• Inferences drawn from the above to create user profiles (CCPA Category K)

2.3 Information from Third Parties (CCPA Categories: B, C, F, G)

We may receive information about you from third-party sources, including:

• Business partners and service providers (contact and professional information)
• Social media platforms if you choose to connect your accounts (profile data)
• Publicly available databases and data brokers (business information)
• Marketing and analytics providers (demographic and behavioral data)
• Threat intelligence feeds and security databases (security-related data)
• Payment processors (transaction and verification data)
• Identity verification services (identity confirmation data)

3.1 Service Delivery (GDPR: Contract Performance, Legitimate Interests)

• Provide, operate, and maintain our Services
• Process your requests, transactions, and service orders
• Conduct penetration tests and vulnerability assessments
• Generate security reports, findings, and recommendations
• Provide customer support and technical assistance
• Authenticate users and manage access controls
• Prevent fraud, abuse, and unauthorized access
• Perform identity verification through Stripe Identity
• Process payments securely through Stripe

3.2 Communication (GDPR: Consent, Contract Performance, Legitimate Interests)

• Send you service-related notifications, updates, and confirmations
• Respond to your inquiries, requests, and support tickets
• Send marketing communications (with your consent - you can opt-out anytime)
• Provide security alerts, threat notifications, and vulnerability disclosures
• Send newsletters, educational content, and security best practices
• Notify you of changes to our Terms of Service or Privacy Policy
• Conduct customer satisfaction surveys and feedback requests

3.3 Improvement and Development (GDPR: Legitimate Interests)

• Analyze usage patterns and user behavior to improve our Services
• Develop new features, tools, and functionality
• Conduct research, analytics, and statistical analysis
• Enhance security measures and threat detection capabilities
• Troubleshoot technical issues and optimize performance
• Test and evaluate new technologies and methodologies
• Create aggregated, anonymized data for industry research

3.4 Legal and Compliance (GDPR: Legal Obligation, Vital Interests)

• Comply with legal obligations under GDPR, CCPA, and other regulations
• Enforce our Terms of Service, policies, and agreements
• Protect our rights, property, safety, and that of our users
• Respond to legal processes, court orders, and government requests
• Prevent fraud, security threats, cybercrimes, and illegal activities
• Investigate and respond to data breaches or security incidents
• Maintain records required by law or regulation
• Defend against legal claims and disputes

5.1 Service Providers (CCPA: Disclosed for Business Purposes)

We engage third-party service providers who process personal data on our behalf as data processors (GDPR) or service providers (CCPA). We share Categories A, B, C, F, G, H with:

• Cloud hosting and infrastructure providers: Vercel (hosting), Supabase (database) - Categories A, B, C, F, G, H
• Email service providers: Resend (email delivery) - Categories A, B, C
• Payment processors: Stripe (payment processing and identity verification) - Categories A, B, C, D, G, H
• Analytics and monitoring services: Google Analytics (usage analytics) - Categories F, G
• Customer support platforms: Support ticket and chat systems - Categories A, B, C
• Security and vulnerability scanning tools: Security testing platforms - Categories F, G, H
• Communication platforms: SMS and notification services - Categories A, B

These providers have access to your information only to perform specific tasks on our behalf under written contracts that obligate them to protect your information, not use it for their own purposes, and comply with applicable data protection laws. We conduct due diligence on all service providers to ensure GDPR and CCPA compliance.

5.3 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, reorganization, or other business transaction, your information may be transferred as part of that transaction. In such cases, the acquiring entity will be bound by this Privacy Policy. We will notify you via email and/or prominent notice on our website of any change in ownership, uses of your personal information, and any choices you may have regarding your information.

5.4 Legal Requirements and Protection

We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to:

• Comply with subpoenas, court orders, legal processes, or lawful requests from government authorities
• Enforce our Terms of Service, policies, or other agreements
• Protect the rights, property, or safety of CoreCyber, our users, or the public
• Investigate, prevent, or take action regarding suspected fraud, security issues, illegal activities, or violations of our policies
• Respond to data subject access requests or other privacy rights requests as required by law
• Protect against legal liability or defend legal claims

5.5 With Your Consent

We may share your information with third parties when you have given us explicit, informed consent to do so. Examples include: sharing testimonials or case studies (with your permission), participating in third-party integrations you authorize, or any other purpose you specifically approve.

5.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, industry benchmarking, marketing, or other purposes. This data is not considered personal information under GDPR or CCPA and is not subject to the restrictions in this Privacy Policy.

6.1 GDPR Transfer Mechanisms

When we transfer personal data from the EEA, UK, or Switzerland to countries outside these regions, we implement appropriate safeguards as required by GDPR:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (also known as Model Clauses) for transfers to countries without adequacy decisions.
• Data Processing Agreements (DPAs): We enter into comprehensive DPAs with all service providers that process personal data on our behalf.
• Adequacy Decisions: We rely on adequacy decisions by the European Commission where available (e.g., transfers to countries deemed to provide adequate protection).
• Supplementary Measures: We implement additional technical and organizational measures to ensure data protection equivalent to GDPR standards, including encryption, access controls, and contractual commitments.
• Transfer Impact Assessments (TIAs): We conduct TIAs to assess the laws and practices of destination countries and implement appropriate safeguards.

6.2 U.S. Data Protection Framework

For transfers to the United States, we comply with applicable U.S. privacy laws, including CCPA, and implement robust security measures. We monitor developments in EU-U.S. data transfer frameworks and will comply with any applicable certification mechanisms.

6.3 Consent to International Transfers

By using our Services, you acknowledge and consent to the transfer of your information to the United States and other countries where we or our service providers operate. If you do not consent to such transfers, please do not use our Services.

7.1 What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit our website. We use cookies and similar tracking technologies (pixels, beacons, local storage) to enhance your experience, analyze usage, provide personalized content, and deliver relevant advertising.

7.2 Types of Cookies We Use

We use the following categories of cookies:

• Strictly Necessary Cookies (GDPR: Legitimate Interest): Essential for the website to function properly. These cookies enable core functionality such as authentication, security features, and access to secure areas. Without these cookies, services you have requested cannot be provided. These cookies do not require consent under GDPR.
• Performance/Analytics Cookies (GDPR: Consent Required): Help us understand how visitors use our website by collecting information about pages visited, time spent, errors encountered, and other usage metrics. We use Google Analytics and similar tools. These cookies are anonymized where possible and require your consent.
• Functional Cookies (GDPR: Consent Required): Remember your preferences and settings, such as language selection, region, font size, and other customization options. These cookies enhance your user experience but are not strictly necessary. They require your consent.
• Marketing/Targeting Cookies (GDPR: Consent Required): Used to deliver relevant advertisements, track campaign effectiveness, and limit the number of times you see an ad. These cookies may be set by us or third-party advertising partners. They require your explicit consent and you can opt-out at any time.

7.4 Your Cookie Choices and Consent Management

You have the right to accept or reject cookies. You can manage your cookie preferences through:

• Our Cookie Consent Banner: When you first visit our website, a banner appears allowing you to accept or customize cookie settings. You can change these preferences at any time by clicking the cookie settings link in our footer.
• Browser Settings: Most browsers allow you to view, delete, and block cookies. Access your browser's help section for instructions. Common browsers: Chrome (chrome://settings/cookies), Firefox (about:preferences#privacy), Safari (Preferences > Privacy), Edge (edge://settings/privacy).
• Third-Party Opt-Outs: For third-party advertising cookies, visit the Digital Advertising Alliance (DAA) opt-out page: www.aboutads.info/choices or the Network Advertising Initiative (NAI) opt-out page: www.networkadvertising.org/choices.
• Google Analytics Opt-Out: Install the Google Analytics Opt-Out Browser Add-on: tools.google.com/dlpage/gaoptout

Note: Blocking or deleting certain cookies may limit your ability to use specific features of our Services. Strictly necessary cookies cannot be disabled as they are essential for the website to function.

7.5 Do Not Track (DNT) Signals

Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting not to be tracked. Currently, there is no industry-wide standard for recognizing and implementing DNT signals. Our Services do not respond to browser DNT signals at this time. However, you can use the cookie management options described above to control tracking. We will update this policy if an industry standard for DNT signals is established.

8.1 Technical Security Measures

• HTTPS enforcement with Strict-Transport-Security (HSTS) and standard security headers (X-Content-Type-Options, Referrer-Policy, Permissions-Policy) configured at the edge.
• A Content Security Policy (CSP) that restricts script, style, font, image, connect, frame, worker, media, and manifest sources to trusted origins.
• API rate limiting with durable Redis (Upstash) support and in-memory fallback, including X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset response headers.
• Abuse prevention on public forms (contact, privacy requests, pentest requests) using hCaptcha with server-side token verification.
• Request validation and server-side input checks using Zod schemas and additional runtime validation where applicable.
• Stripe webhook signature verification using raw-body construction and the official Stripe library; events without a valid signature are rejected.
• Authentication via Supabase Auth with optional Time-based One-Time Password (TOTP) multi-factor authentication support and AAL helpers.
• Role/region-scoped admin APIs protected by bearer tokens and profile roles; access is denied when the admin panel feature flag is disabled.
• Private storage for agreement PDFs in a non-public Supabase Storage bucket with typed uploads and explicit content types.
• Structured application logging and internal notifications for key events (e.g., payment lifecycle, identity verification, failures).

8.2 Organizational and Operational Measures

• Feature flags to gate sensitive capabilities (admin panel, outbound email, publishing) and reduce attack surface by default.
• Principle of least privilege enforced in server-side checks for administrative actions (role and region scoping).
• Data minimization and purpose limitation in forms and APIs—collecting only the data necessary to provide the requested service.
• Environment-based configuration and secrets management; credentials are supplied via environment variables and never hard-coded in application code.

8.3 Data Breach Notification (GDPR Article 33-34, CCPA)

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (for GDPR breaches) within 72 hours of becoming aware of the breach, where feasible.
• Notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms.
• Provide information about the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed to address the breach.
• Document all breaches, including facts, effects, and remedial actions taken, in our internal breach register.
• For California residents, notify affected individuals in accordance with California Civil Code Section 1798.82.

8.4 Security Limitations

While we implement the measures above, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for safeguarding your account credentials, using strong passwords, enabling multi-factor authentication where available, and promptly notifying us of any suspected unauthorized access or security concerns.

9.1 Retention Criteria

• The nature and sensitivity of the personal data
• The purposes for which we collected and process the data
• Whether we have an ongoing relationship with you (active account)
• Legal, regulatory, tax, accounting, or reporting requirements
• Whether we need the data for legal claims, compliance, or auditing purposes
• Guidance from relevant data protection authorities
• Your requests to delete your data (subject to legal obligations)

9.2 Specific Retention Periods

We apply the following retention periods to different categories of data:

• Account Data: Retained for the duration of your active account plus 90 days after account closure (to allow for account reactivation). After this period, data is anonymized or deleted.
• Assessment Reports: Retained for 7 years after service delivery to comply with professional liability and legal requirements. Reports may be retained longer with your consent for longitudinal security analysis.
• Financial Records: Retained for 7 years to comply with tax, accounting, and audit requirements.
• Marketing Communications: Retained until you opt-out or withdraw consent, then deleted within 30 days.
• Support Tickets: Retained for 3 years for quality assurance and training purposes.
• Analytics and Log Data: Retained for 26 months (Google Analytics default) or anonymized sooner.
• Security Incident Records: Retained for 7 years for legal and compliance purposes.
• Backup Copies: Retained for up to 90 days in encrypted backups, then permanently deleted.

9.3 Secure Deletion

When we no longer need your information, we securely delete or anonymize it in accordance with industry best practices. Deletion methods include secure overwriting, cryptographic erasure, and physical destruction of media. We maintain records of deletion activities for audit purposes. Please note that deletion from backups may take up to 90 days due to our backup retention schedule.

10.1 General Privacy Rights (All Users)

All users, regardless of location, have the following rights:

• Right to be Informed: You have the right to clear, transparent information about how we collect, use, and share your personal information (provided in this Privacy Policy).
• Right to Access: You have the right to request access to the personal information we hold about you, including details about what data we have, how we use it, and with whom we share it.
• Right to Correction/Rectification: You have the right to request correction of inaccurate or incomplete personal information we hold about you.
• Right to Deletion/Erasure: You have the right to request deletion of your personal information, subject to certain legal exceptions (e.g., legal obligations, active legal claims).
• Right to Opt-Out of Marketing: You have the right to opt-out of receiving marketing communications from us at any time by clicking "Unsubscribe" in emails or contacting us.

10.2 GDPR Rights (EEA, UK, Switzerland Residents)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another controller without hindrance from us, where technically feasible.
• Right to Object (Article 21): You have the right to object to processing based on legitimate interests (Article 6(1)(f)), direct marketing (including profiling), and processing for scientific/historical research or statistical purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests or we need the data for legal claims.
• Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain circumstances: you contest the accuracy of the data; processing is unlawful but you oppose deletion; we no longer need the data but you need it for legal claims; you have objected to processing and await verification of legitimate grounds.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
• Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. You may request human intervention, express your point of view, and contest automated decisions.
• Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with your local supervisory authority (data protection authority) if you believe we have violated GDPR. Contact information for EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en. UK Information Commissioner's Office (ICO): https://ico.org.uk/. Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/.

10.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know (CCPA Section 1798.100): You have the right to request information about the personal information we have collected about you in the preceding 12 months, including: categories of personal information collected; categories of sources; business or commercial purposes for collection; categories of third parties with whom we share personal information; specific pieces of personal information collected.
• Right to Delete (CCPA Section 1798.105): You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, completing transactions, security purposes, internal uses, free speech, research).
• Right to Opt-Out of Sale (CCPA Section 1798.120): You have the right to opt-out of the "sale" of your personal information. We DO NOT sell personal information and have not sold personal information in the preceding 12 months. We display a "Do Not Sell My Personal Information" link in our footer for transparency.
• Right to Non-Discrimination (CCPA Section 1798.125): You have the right not to receive discriminatory treatment for exercising your CCPA rights. We will not: deny goods or services; charge different prices or rates; provide a different level of service or quality; suggest you will receive a different price or level of service. However, we may offer financial incentives for the collection or sale of personal information (we do not currently offer such incentives).
• Right to Correct (CPRA Section 1798.106): You have the right to request correction of inaccurate personal information we maintain about you.
• Right to Limit Use of Sensitive Personal Information (CPRA Section 1798.121): If we use sensitive personal information (e.g., government-issued IDs, precise geolocation) for purposes other than those specified in CPRA Section 1798.121(a), you have the right to limit such use. We will only use sensitive information for permitted purposes or with your explicit consent.
• Shine the Light Law (California Civil Code Section 1798.83): California residents may request information about personal information disclosed to third parties for direct marketing purposes in the preceding calendar year. We do not share personal information with third parties for their direct marketing purposes without your explicit consent.

You may designate an authorized agent to submit CCPA requests on your behalf. The authorized agent must provide written authorization signed by you and we may require verification of your identity before processing the request.

10.4 How to Exercise Your Rights

To exercise any of your privacy rights, please use one of the following methods:

• Email: legal@corecyber.io with the subject line "Privacy Rights Request" or "CCPA Request" or "GDPR Request"
• Web Form: Visit our Privacy Request Form at corecyber.io/privacy-request (if available)
• Mail: Covenant Security Solutions International, Attn: Privacy Team, Sheridan, Wyoming, United States

We will respond to your request within the timeframes required by applicable law: GDPR: 1 month (extendable by 2 months for complex requests); CCPA: 45 days (extendable by 45 days with notice). We may need to verify your identity before processing your request to protect your privacy and security. We will acknowledge your request within 10 business days and provide updates on the status. There is no fee for exercising your rights, unless your request is manifestly unfounded, excessive, or repetitive.

15.1 Arbitration Rules

Arbitration shall be conducted in accordance with the Consumer Arbitration Rules of the American Arbitration Association (AAA) in effect at the time of the dispute. The arbitration shall take place in Sheridan, Wyoming, or remotely via video conference if mutually agreed. Each party shall bear its own costs and attorneys' fees unless the arbitrator awards them to the prevailing party. The arbitrator's decision shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.

15.2 Exceptions to Arbitration

Either party may bring claims in small claims court if the claim qualifies for small claims court jurisdiction. Additionally, either party may seek injunctive or equitable relief in court to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights or to protect confidential information.

15.3 Class Action Waiver

YOU AND THE COMPANY AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN AN INDIVIDUAL CAPACITY AND NOT AS A CLASS MEMBER OR REPRESENTATIVE IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING, INCLUDING CLASS ARBITRATIONS. Unless both parties agree otherwise in writing, the arbitrator may not consolidate more than one person's claims and may not otherwise preside over any form of representative or class proceeding. This class action waiver does not apply to residents of jurisdictions where such waivers are prohibited by law.