Privacy Policy
Last updated: February 2026
1. Who We Are
CyfroSec operates an AI-powered Vulnerability Assessment as a Service (VaaS) platform. This policy explains how we collect, use, share, and protect personal data when you use our services, visit our website, or communicate with our team.
Data controller: CyfroSec Ltd
Contact: privacy@cyfrosec.com
2. Data We Collect
Account and identity data
- Name, email address, job title, company name
- Authentication credentials (managed via Keycloak; passwords are never stored in plaintext)
- Organisation and account group membership
Usage and product data
- Platform activity logs and feature usage metrics
- Scan configurations, vulnerability findings, and remediation records
- AI Assistant conversation history (retained per retention policy)
Technical data
- IP addresses, browser user-agent strings, and session tokens
- API request logs for security and audit purposes
Marketing and contact data
- Data you submit via contact or sales enquiry forms
- Email communication history
3. Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6:
- Contract: To provide the platform services you have signed up for
- Legitimate interests: Security monitoring, fraud prevention, and product improvement
- Consent: For marketing communications (you can withdraw at any time)
- Legal obligation: Where required by applicable law or regulation
4. How We Use Your Data
- Delivering and operating the CyfroSec platform
- Providing customer support and onboarding assistance
- Sending service-related notifications and security alerts
- Improving product features using aggregated, anonymised analytics
- Complying with legal and regulatory obligations
- Marketing communications (only with your explicit consent)
5. Data Sharing
We do not sell your personal data. We share data only with:
- Sub-processors: Cloud infrastructure providers, authentication providers, and analytics tools — all bound by data processing agreements
- Legal authorities: When required by law, court order, or to protect the rights and safety of CyfroSec or others
- Business transfers: In the event of a merger or acquisition, subject to confidentiality obligations
6. Data Retention
We retain personal data for as long as your account is active or as required to provide services. Scan results and vulnerability data are retained according to your organisation's configured retention policy. Activity logs are retained for a minimum of 90 days for security and audit purposes.
Upon account deletion, personal data is anonymised or deleted within 30 days, except where retention is required by law.
7. Your Rights
Under GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Ask us to correct inaccurate data
- Erasure: Request deletion of your personal data (right to be forgotten)
- Restriction: Ask us to limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: For any processing based on consent
To exercise any of these rights, contact us at privacy@cyfrosec.com. We will respond within 30 days.
8. International Transfers
CyfroSec is based in the EU. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
9. Security
We implement industry-standard technical and organisational security measures including encryption at rest and in transit, access controls, and regular security assessments. No transmission method is 100% secure; however, we strive to protect your personal data using commercially reasonable measures.
10. Cookies
We use cookies and similar technologies to operate the platform and improve your experience. See our Cookie Policy for details.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. Continued use of CyfroSec after such notice constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or to exercise your rights, contact us at privacy@cyfrosec.com or via our contact form.
