Privacy Policy

1. Information We Collect

When you use CyberSec Review, we collect the following types of information:

• Account Information: Name, email address, organization name, and role provided during registration.
• Security Event Data: Log data, alerts, and incident metadata ingested from your connected security tools. This data is processed to generate notifications and reports.
• Employee Directory Data: Names, email addresses, department, and role information synced from your identity provider for notification routing.
• Usage Data: Feature usage, notification delivery status, login timestamps, and IP addresses for service improvement and security monitoring.
• Payment Information: Billing details are processed by our payment provider (Stripe) and are not stored on our servers.

2. How We Use Your Information

• Processing and correlating security events to generate incident notifications
• Delivering alerts and security briefs to employees via configured channels
• Generating compliance and analytics reports for security teams
• Improving detection accuracy and reducing false positives
• Providing customer support and product communications
• Complying with legal obligations

3. Data Security

We implement industry-standard security measures including:

• AES-256 encryption for all data at rest
• TLS 1.3 for all data in transit
• Tenant isolation — your security data is never mixed with other customers' data
• Regular third-party security audits and penetration testing
• SOC 2 Type II certified infrastructure
• Geographic data residency options (EU, US, APAC)

4. Data Sharing

We do not sell your data. We may share information with:

• Service Providers: Cloud infrastructure and payment processing partners, bound by data processing agreements.
• Legal Requirements: When required by law, regulation, or valid legal process.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice.

5. Data Retention

Account data is retained while your subscription is active. Security event data is retained for the period configured in your plan (default: 90 days). Upon account deletion, all data is permanently removed within 30 days.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your personal data
• Export your data in a portable format
• Object to processing or request restriction
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

7. Contact

For privacy-related inquiries, contact our Data Protection Officer at privacy@cybersec.review.