
Privacy Policy

Last updated: May 29, 2025
Effective: May 29, 2025

This Privacy Policy describes how CyberSek Private Limited (“CyberSek”, “we”, “us”, or “our”), a company incorporated under the laws of India and operating from Whitefield, Bangalore, Karnataka, collects, uses, stores, shares, and protects information in connection with our security awareness training platform and related services accessible at cybersek.in.

By accessing or using our platform, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please discontinue use of our services immediately.

1. Who We Are

CyberSek Private Limited is a cybersecurity company providing security awareness training software and vulnerability assessment and penetration testing (VAPT) services to organisations across India and internationally. Our registered office is located in Whitefield, Bangalore, Karnataka, India.

For the purposes of applicable data protection law — including India’s Digital Personal Data Protection Act 2023 (DPDPA) and, where applicable, the EU General Data Protection Regulation (GDPR) — CyberSek acts as the Data Fiduciary / Data Controller with respect to personal data collected through the platform.

You can contact our data protection point of contact at: director@cybersek.in or by phone at +91 73470 08775.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: When an organisation (Administrator) creates a CyberSek account, we collect the organisation name, Administrator name, work email address, phone number, and billing information.
  • Learner Profiles: When Administrators invite employees (Learners), we collect the Learner’s name, work email address, and department assignment.
  • Contact Forms: When you submit a sales or support enquiry, we collect your name, company, email, phone number, and the content of your message.
  • Payment Information: Billing transactions are processed by Razorpay. CyberSek does not store full payment card numbers. We receive confirmation data including transaction ID, amount, and status from Razorpay after a successful payment.
  • Policy Documents: Administrators may upload company policy documents to our platform. These are stored securely and used solely for the employee policy acknowledgement workflow.

2.2 Information We Collect Automatically

  • Training Activity: We record which courses a Learner has accessed, progress through each course, quiz scores, completion timestamps, and certificates earned.
  • Policy Acknowledgements: When a Learner acknowledges a company policy, we record the timestamp, Learner identity, and the IP address from which the acknowledgement was submitted. This data is specifically generated for compliance and audit purposes.
  • Usage Data: We collect standard server logs including IP addresses, browser type, device type, pages visited, and session duration. This is used for platform security, performance monitoring, and debugging.
  • Cookies and Local Storage: We use session cookies and local storage tokens for authentication and platform functionality. We do not use advertising or tracking cookies.

2.3 Information from Third Parties

  • Razorpay: Payment confirmation data as described above.
  • Supabase: Our infrastructure provider. Authentication tokens, database storage, and file storage are managed via Supabase on our behalf.
  • Cloudflare: We use Cloudflare for content delivery and DDoS protection. Cloudflare may process IP addresses and request metadata in accordance with their privacy policy.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To create and manage your account, assign and track training courses, generate completion certificates, manage policy acknowledgements, and provide all platform features you have subscribed to.
  • Compliance Evidence Generation: The explicit purpose of collecting training completion data and policy acknowledgement records is to generate audit-ready compliance evidence on behalf of your organisation. This is the core function of the platform and the primary reason organisations use CyberSek.
  • Billing and Payments: To process subscription payments, issue receipts, and manage your subscription lifecycle through Razorpay.
  • Communication: To send transactional emails (account creation, course assignment, certificate issuance, payment receipts), training reminders, and responses to your support or sales enquiries. We use Resend to deliver transactional email.
  • Platform Improvement: To analyse usage patterns in aggregate to improve the platform, add features, and fix issues. We do not use individual user data for product analytics without aggregation and anonymisation.
  • Security and Fraud Prevention: To detect and prevent unauthorised access, abuse, or fraudulent activity on the platform.
  • Legal Compliance: To comply with applicable laws, regulations, court orders, and lawful requests from governmental or regulatory authorities.

4. Legal Basis for Processing

Under India’s DPDPA 2023, we process personal data under the following grounds:

  • Consent: Where you have given clear consent for a specific purpose, such as receiving marketing communications from us.
  • Contract Performance: Processing necessary to provide the services described in our Terms of Service, including account management, training delivery, and billing.
  • Legitimate Purpose: Processing for fraud prevention, platform security, and aggregate analytics where this does not override individual rights.
  • Legal Obligation: Where we are required by law to process or retain certain information.

For users in the European Economic Area (EEA), processing is conducted under Article 6 of the GDPR, primarily on the bases of contract performance (Article 6(1)(b)), legitimate interests (Article 6(1)(f)), and legal obligation (Article 6(1)(c)).

5. How We Share Your Information

We do not sell, rent, or trade your personal data to any third party. We share information only in the following limited circumstances:

  • Within Your Organisation: Administrators of your organisation can view training completion data, policy acknowledgements, and reports for Learners within their account. Learners can only access their own training records.
  • Infrastructure Sub-processors: We use Supabase (database and authentication), Cloudflare R2 (file storage), Resend (transactional email), Razorpay (payment processing), and Vercel (application hosting). Each processes data solely on our instructions and is bound by data processing agreements.
  • Legal Requirements: We may disclose information when required to comply with a legal obligation, court order, or lawful request from an Indian or foreign governmental authority, in accordance with applicable law.
  • Business Transfer: In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity. We will provide notice of such a transfer and any choices you may have.
  • With Your Consent: We may share information for any other purpose with your explicit prior consent.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account Data: Retained for the duration of the account and for 3 years following account termination, to comply with financial and legal record-keeping obligations.
  • Training Records and Certificates: Retained indefinitely by default, as these records serve as compliance evidence for your organisation’s regulatory obligations. You may request deletion subject to applicable legal requirements.
  • Policy Acknowledgement Records: Retained for a minimum of 5 years given their use as legal and regulatory evidence. Extended retention may apply depending on the compliance framework.
  • Billing Records: Retained for 7 years as required under the Companies Act 2013 and GST regulations in India.
  • Server Logs: Retained for 90 days and then deleted, unless retained for ongoing security investigations.
  • Contact Enquiries: Retained for 2 years from the date of the enquiry.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest in our database is encrypted using AES-256 encryption.
  • Access to production systems is restricted to authorised personnel only, with multi-factor authentication enforced.
  • Row-level security policies are enforced at the database layer to ensure strict data isolation between organisations.
  • Policy documents and training materials uploaded to our platform are stored in isolated, access-controlled cloud storage (Cloudflare R2) and accessed only through time-limited, signed URLs.
  • We conduct regular internal security reviews and vulnerability assessments.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. In the event of a data breach that is likely to affect your rights, we will notify you and the relevant Data Protection Authority as required by applicable law.

8. International Data Transfers

CyberSek is based in India. Our infrastructure sub-processors (Supabase, Vercel, Cloudflare, Resend) may store or process data in data centres located in countries other than India. Where data is transferred outside India, we ensure that appropriate safeguards are in place in accordance with DPDPA Section 16 and, where applicable, GDPR Chapter V requirements including Standard Contractual Clauses.

9. Your Rights as a Data Principal

Under India’s DPDPA 2023, and where applicable under GDPR, you have the following rights regarding your personal data:

  • Right to Access: You may request a copy of the personal data we hold about you.
  • Right to Correction: You may request that we correct inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records (such as billing records and compliance audit trails).
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Nominate: Under DPDPA, individual users may nominate another individual to exercise their rights on their behalf in the event of death or incapacity.
  • Right to Grievance Redressal: You may raise a grievance with us regarding our handling of your personal data. We will respond within 30 days.
  • Right to Lodge a Complaint: You may lodge a complaint with India’s Data Protection Board once it is established. EEA residents may lodge complaints with their local Supervisory Authority.

To exercise any of these rights, please contact us at director@cybersek.in. We will respond to all legitimate requests within 30 calendar days. We may ask you to verify your identity before processing your request.

Important note for Administrators: Training completion records, policy acknowledgement logs, and certificates are generated as compliance evidence on behalf of your organisation. Requests to delete these records by individual Learners must be evaluated against the organisation’s legal obligation to retain compliance documentation, and the Administrator’s authorisation may be required.

10. Children’s Privacy

CyberSek is a business-to-business service intended exclusively for use by organisations and their adult employees. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at director@cybersek.in and we will take steps to delete such data promptly.

11. Cookies

We use only the following types of cookies and local storage:

  • Session Cookies: Required for authentication and to keep you logged in during a session. These are deleted when you close your browser.
  • Authentication Tokens: Stored in local storage to maintain your login session across browser sessions. You can clear these by logging out.
  • Preference Storage: We may store your UI preferences (such as dashboard settings) in local storage.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We do not display advertisements on our platform.

12. Third-Party Links

Our platform and website may contain links to third-party websites. This Privacy Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party websites you visit. We are not responsible for the privacy practices of third parties.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will notify you by email (to the address associated with your account) and by displaying a prominent notice on our platform at least 14 days before the changes take effect. The “Last Updated” date at the top of this page reflects the most recent revision.

Your continued use of our platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data handling practices, please contact us:

CyberSek Private Limited

Whitefield, Bangalore, Karnataka — 560066, India

Email: director@cybersek.in

Phone: +91 73470 08775

Website: cybersek.in

Also read our Terms of Service.