
Privacy Policy

Effective Date: April 28, 2026 · AICyberNav, a KCENAV property

Security Disclaimer: Security guidance provided by AICyberNav is informational only — not legal counsel or regulatory guarantee. Findings labeled [SEEK EXPERT ADVICE] require professional consultation from qualified security professionals. [SEEK EXPERT ADVICE] from a licensed insurance broker for any binding coverage decisions.

AICyberNav ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the AICyberNav platform and related services (collectively, the "Service"). This policy is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Email address used for magic link authentication, name, and company or organization name.
  • Assessment Inputs: Information you provide during security assessments, including details about your technology stack, infrastructure, business operations, and security practices.
  • Conversation Data: Content of your interactions with our AI-powered assessment tools, including questions asked, responses received, and follow-up conversations.
  • Payment Information: When you purchase paid services, payment details are processed by our payment processor, Stripe. We do not store your full credit card number on our servers.
  • Communications: Any information you provide when contacting us for support, feedback, or inquiries.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on pages, click patterns, and assessment completion rates.
  • Device Information: Browser type, operating system, device type, screen resolution, and language preferences.
  • Network Information: IP address, approximate geographic location (city/region level), and referring URL.
  • Cookies and Tracking Technologies: Session identifiers, visitor identifiers, and analytics data as described in our Cookie & Tracking Notice.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and Operate the Service: To deliver security assessments, generate reports, and provide personalized recommendations based on your inputs.
  • AI Processing: To process your assessment inputs through AI models to generate security analyses, threat models, and remediation plans.
  • Improve the Service: To analyze usage patterns, identify areas for improvement, and develop new features and capabilities.
  • Analytics: To understand how users interact with the Service, measure conversion and engagement, and optimize the user experience.
  • Communication: To send you assessment results, service updates, and respond to your inquiries. We will not send unsolicited marketing emails without your explicit consent.
  • Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. AI Processing Disclosure

Your inputs are processed by AI models to generate security assessments and recommendations. This is a core function of the Service. Specifically:

  • Assessment inputs and conversation data are transmitted to AI model providers (currently OpenAI) through secure, encrypted connections for processing.
  • AI-generated outputs are labeled with confidence indicators ([VERIFIED], [ESTIMATE], [SEEK EXPERT ADVICE]) to distinguish between verified facts and AI-generated analysis.
  • We do not use your assessment data to train AI models. Your data is processed solely to generate your assessment outputs.
  • Assessment data is retained for 90 days after report generation to allow you to access and download your reports. After this period, assessment input data is automatically deleted. Generated reports may be retained longer if associated with your account.

4. Data Sharing and Disclosure

We do not sell your personal information. We share your data only in the following circumstances:

  • AI Model Providers: Assessment inputs are transmitted to OpenAI for AI processing. This data is transmitted via secure proxy and is subject to data processing agreements that prohibit use for model training.
  • Payment Processors: Stripe processes payment transactions. See Stripe's Privacy Policy.
  • Insurance Referrals: If you opt to receive a cyber insurance quote through our Corgi referral, your company name and assessment summary may be shared with Corgi to facilitate the quote. This only occurs with your explicit action. Referral activity is tracked for analytics purposes.
  • Analytics Providers: We use Polsia Analytics to collect anonymized usage data. Visitor identifiers are pseudonymous and not linked to personally identifiable information without additional data.
  • Legal Requirements: We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5. Your Rights

5.1 General Rights (All Users)

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete personal data.
  • Deletion: Request that we delete your personal data, subject to legitimate retention needs.
  • Opt-Out: Opt out of non-essential data collection by disabling cookies or contacting us.

5.2 GDPR Rights (European Economic Area Residents)

If you reside in the EEA, you additionally have the right to:

  • Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Restriction of Processing: Request that we restrict processing of your personal data under certain circumstances.
  • Object to Processing: Object to the processing of your personal data for direct marketing or other purposes based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.
  • Lodge a Complaint: File a complaint with your local data protection authority.

Our legal bases for processing include: performance of a contract (providing the Service), legitimate interests (improving the Service, analytics, security), consent (where specifically obtained), and legal obligations.

5.3 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Delete: Request deletion of personal information we have collected from you.
  • Opt-Out of Sale: We do not sell personal information. No opt-out is required, but you may still submit a request for confirmation.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at privacy@aicybernav.ai. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

6. Cookies and Tracking

We use cookies and similar tracking technologies to operate and improve the Service. For a detailed description of the cookies we use and how to manage them, please refer to our Cookie & Tracking Notice.

In summary, we use:

  • Essential Cookies: Required for session management, authentication, and basic functionality.
  • Analytics Cookies: Used to understand usage patterns and improve the Service.
  • Preference Cookies: Used to remember your settings and preferences.

7. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for all sensitive data.
  • Secure, authenticated API connections to third-party processors.
  • Regular security assessments and vulnerability scanning of our own infrastructure.
  • Access controls and audit logging for internal access to user data.
  • Pseudonymization and data minimization practices where feasible.

While we strive to use commercially acceptable means to protect your personal data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Data Retention

  • Account Data: Retained as long as your account is active, and for 30 days after account deletion.
  • Assessment Input Data: Retained for 90 days after report generation, then automatically deleted.
  • Generated Reports: Retained for the lifetime of your account, or until you request deletion.
  • Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely. Individual visitor session data is retained for 12 months.
  • Payment Records: Retained as required by tax and financial regulations (typically 7 years).

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will take steps to delete such information.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction. When we transfer data internationally, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data is protected.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For significant changes, we will provide additional notice via email to the address associated with your account. We encourage you to review this Privacy Policy periodically.

12. Contact Information

AICyberNav (a KCENAV property)

Email: privacy@aicybernav.ai

For GDPR-related inquiries, you may also contact our Data Protection point of contact at the email above.

© 2026 AICyberNav. All rights reserved.
A KCENAV.AI Company