Privacy Policy

Last updated: June 27, 2026

Introduction

Cybersecify Consulting (OPC) Private Limited ("Cybersecify", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website cybersecify.com, use our tools (including OpenEASD), or engage our services. This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian data protection laws.

Information We Collect

Contact Form

When you submit our contact form, we collect your full name, email address, phone number (optional), company name (optional), service interest, an optional self-reported channel (for example, the AI engine, search engine, social platform, or referral source through which you found us), an optional free-text note about how you heard about us, and your message. This information is used solely to respond to your inquiry, follow up on your request, and understand which channels surface our content to potential clients (so we can invest our time in the channels that actually deliver value to founders like you).

OpenEASD (Free External Attack Surface Discovery) and Brand Protection Snapshot

When you request a free OpenEASD scan or a free Brand Protection Snapshot through our website, we collect:

  • Full name and role (to identify the requester)
  • Work email (to deliver the report and verify authorization)
  • Company name and primary domain (to perform the requested scan)

For Brand Protection Snapshot requests we also collect your brand name (used for typosquat permutation checks). We may decline submissions where authorisation to scan the submitted domain is unclear (for example, submissions using free email providers without a matching corporate domain, or where the submitted domain does not match the email domain). Scan results are stored for 90 days and then permanently deleted. We do not sell or share individual scan data with third parties. Anonymized, aggregated scan data may be used for security research and to improve our tools.

Service Engagements

When you engage our penetration testing, consulting, or other services, we collect information necessary to deliver those services, including your name, email, phone number, company details, and information about your security requirements.

Other Communications

We also collect information you provide when you communicate with us via email, WhatsApp, or phone, or subscribe to our communications.

Automatically Collected Information

When you visit our website, we may automatically collect certain information including your IP address, browser type, operating system, referring URLs, pages visited, and interaction data. We use this information to analyze website traffic and improve our services.

Information from Services

During penetration testing and security consulting engagements, we may access, process, and temporarily store technical information about your systems, applications, and infrastructure as defined in the engagement scope. This information is treated as strictly confidential and handled in accordance with the engagement agreement.

How We Use Your Information

We use the information we collect to:

  • Respond to your inquiries and provide requested services
  • Perform OpenEASD scans and deliver the resulting report to the email address provided
  • Deliver security assessments, reports, and recommendations under service engagements
  • Operate and improve our website, tools, and service offerings
  • Produce anonymized, aggregated research from OpenEASD scan data (individual results are never shared)
  • Communicate about our services and security insights
  • Comply with legal obligations and regulatory requirements
  • Protect against fraudulent or unauthorized activity

Use of AI and Automated Processing

We may use artificial intelligence and automated tools as part of our service delivery, website operations, and internal processes. This includes AI-assisted security testing, content creation, and data analysis. Automated processing of personal data is limited to what is necessary for the stated purposes and is subject to human oversight.

We do not use automated decision-making that produces legal effects or similarly significant effects on individuals without human review.

Legal Basis for Processing

We process your personal data based on one or more of the following grounds:

  • Consent: When you voluntarily provide your information through our forms, tools, or communications
  • Contractual necessity: When processing is necessary to perform our services under an engagement agreement
  • Legitimate interest: When processing is necessary for our legitimate business interests, such as improving our services and website
  • Legal obligation: When processing is required to comply with applicable laws

Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information with:

  • Trusted service providers who assist us in operating our website, delivering services, and conducting our business, provided they agree to keep your information confidential. These include:
    • Cloudflare (website hosting, CDN, and security). Cloudflare may process IP addresses, request headers, and other connection data as part of serving our website.
    • Resend (email delivery). Form submissions from our contact form, OpenEASD tool, and Brand Protection Snapshot form are processed through Resend's API to deliver emails. Resend temporarily processes the submitter's name and email address for delivery purposes.
    • No third-party font CDN. We self-host the Inter font family from our own domain (via Cloudflare). Your browser does not contact Google Fonts or any other third-party font service when loading our website. This is a deliberate privacy choice to minimize external data dependencies.
  • Legal authorities when required by law, court order, or government regulation
  • Professional advisors such as lawyers and accountants, as necessary for our business operations

We do not transfer personal data outside India except where necessary for service delivery (such as email delivery through service providers with servers outside India) and with appropriate safeguards in place.

Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. As a cybersecurity company, we hold ourselves to the highest standards of data protection. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements. Specifically:

  • OpenEASD scan data: scan results and associated personal information are stored for 90 days from the date of the scan, then permanently deleted
  • Contact form submissions: retained for the duration of the business relationship or up to 24 months, whichever is longer, or until you request deletion
  • Pentest engagement data: retained as per the terms of the engagement contract; our copies of penetration test findings are securely deleted within 90 days of engagement completion unless otherwise agreed in writing
  • Consulting and other engagement data: retained for the duration of the engagement plus 36 months for legal and compliance purposes
  • Website analytics: aggregated and anonymized data may be retained indefinitely

Your Rights

Under the DPDP Act and applicable data protection laws, you have the following rights:

  • Right to access: Request a copy of the personal data we hold about you
  • Right to correction: Request correction of inaccurate or incomplete personal data
  • Right to erasure: Request deletion of your personal data, subject to legal retention requirements
  • Right to withdraw consent: Withdraw your consent for data processing at any time
  • Right to grievance redressal: File a complaint about our data processing practices
  • Right to nominate: Nominate another person to exercise your rights in case of your death or incapacity

To exercise any of these rights, please contact us at privacy@cybersecify.com. We will respond to your request within 30 calendar days.

Cookies

Our website does not use cookies. For aggregate traffic understanding we deliberately picked Cloudflare's cookieless, server-side Web Analytics over Google Analytics, Mixpanel, or other behavioral-tracking platforms. Cloudflare Analytics does not set cookies, does not load any client-side tracking script, does not fingerprint visitors, and does not build profiles of individuals. We see aggregate totals (page-view counts, top countries) and nothing tied back to a specific person. As a security firm we hold ourselves to the minimal-data-collection standard we recommend to clients.

Click-Event Tracking (server-side, no cookies, no third parties)

When you click certain calls-to-action on cybersecify.com (the WhatsApp widget, the sample-report request button, the booking button, and similar high-intent buttons), our website sends an event log to our own server at /api/track. Each log entry records: the event name (for example, sample_report_pdf_request), the page URL you were on, the timestamp, your browser's User-Agent string, the referring page, and your country code derived by Cloudflare from your IP. The IP address itself is NOT stored in these logs. We use this strictly to understand which CTAs visitors find useful so we can improve the website experience. No third-party SaaS receives this data. We honor the Do Not Track and Global Privacy Control browser signals: if either is enabled by your browser, no click events are sent at all. Logs are retained for the period set by our infrastructure provider (Cloudflare Workers Logs, currently 7 days) and are not exported or combined with form submissions to build a profile of an individual.

First-Touch Attribution (sessionStorage, no cookies)

When you first land on cybersecify.com, our website records in your browser's sessionStorage the page you landed on, the referring website (if any), and any UTM parameters in the URL. This data is included when you submit a form (contact, booking) so we can understand which content brought you to us. The data is stored ONLY in your browser's sessionStorage (NOT a cookie), is automatically cleared when you close the browser tab, never leaves your browser until you submit a form, and is never shared with third parties. We use no cookies, no third-party analytics, no behavioral tracking, no cross-site identifiers, no fingerprinting. We honor the Do Not Track and Global Privacy Control browser signals: if either is enabled, we capture nothing.

Pre-Submit Beacon (added June 27, 2026)

When you start filling in a form on cybersecify.com, we record low-PII metadata (the form name, page URL, and timestamp) so we can understand which forms attract intent. When you click the form's Submit button, we additionally record the values you have entered at that moment (typically your name, email, phone number, company, role, domain, brand, service interest, and your message) even if the submission is subsequently rejected by our bot-detection system (Cloudflare Turnstile). This is a recovery mechanism: if our bot check incorrectly flags a legitimate inquiry, we still receive the information needed to follow up manually. The captured data is sent server-side only to our team via email (through Resend), is never written to a cookie or client-side persistent storage, is not shared with any third party beyond Resend (our existing email delivery provider), and is retained for 90 days and then permanently deleted. We rate-limit this capture to prevent abuse. We honor the Do Not Track and Global Privacy Control browser signals: if either is enabled by your browser, this beacon is skipped entirely and nothing is captured. You may also email help@cybersecify.com to request immediate deletion of any pre-submit data we hold about you.

Children's Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information.

Third-Party Links

Our website may contain links to third-party websites and tools. We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies before providing any personal information.

Grievance Officer

In accordance with the DPDP Act, our Grievance Officer for data protection matters is:

Name: Ashok S Kamat
Email: privacy@cybersecify.com
Address: Bengaluru, Karnataka, India

You may contact the Grievance Officer for any complaints or concerns regarding our processing of your personal data. We will acknowledge your complaint within 48 hours and resolve it within 30 calendar days.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page with an updated "Last updated" date. We encourage you to review this page periodically.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@cybersecify.com
Address: Bengaluru, Karnataka, India