Privacy Notice for CyberCoach Website
The short and sweet summary:
We’ve designed our website to maximize your privacy. We do not know who you are, unless you engage with us by booking a meeting, signing up for a trial or giving us your contact information through the chat or contact forms. We can delete this information whenever, just ask. If you don’t ask, we will delete it after 6 months. You can delete cookie data yourself by following the instructions on this page. Booking a meeting with us or chatting with us will not put you on any mailing list. No spam, we promise.
CyberCoach is the controller of your Personal Data as described in this Website Privacy Notice, unless expressly specified otherwise. Your data is processed securely in the EU in compliance with EU General Data Protection Regulation (GDPR) requirements. If you do not want your personal data to be processed by us in the EU, please do not submit your Personal Data via our submission forms.
The full truth and nothing but the truth:
Security
Security is important to us. It's also important to us to keep our site online for obvious reasons. So we use Cloudflare to protect us against nasty bots, which requires two cookies:
_cf_bm
- Cloudflare places this cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode. It's strictly necessary for these bot solutions to function properly.
- The cookie contains information related to the calculation of Cloudflare’s proprietary bot score and, when Anomaly Detection is enabled on Bot Management, a session identifier. The information in the cookie (other than time-related information) is encrypted and can only be decrypted by Cloudflare.
- A separate cookie is generated for each site that an end user visits, as Cloudflare does not track users from site to site or from session to session. The cookie does not contain any user identification information.
- This cookie expires after 30 minutes of continuous inactivity by the end user.
_cfruid
- This cookie is strictly necessary to support Cloudflare Rate Limiting products.
- It does not contain any user identification information.
Online Marketing
Receiving irrelevant cold calls is annoying, so our sales team works hard to identify companies that could benefit from CyberCoach. This process is mostly manual, but we also try to identify companies interested in us through Snitcher.
This requires a cookie to work:
_SNID
- This cookie is set by the provider Snitcher. It is used for identifying visiting company names; it does not identify you.
- This cookie is set to expire in 2 years.
We've built our marketing to minimize the use of personal data and to keep all personal data processing in the EU. For this reason, we're only using anonymous conversion tracking from Microsoft Ads. We do not do any ad re-targeting, or track individuals on our website. We just want to attribute clicks to their sources in order to optimize our ads reaching companies that benefit from CyberCoach.
_MUID
- This is a Microsoft cookie that contains a globally unique identifier (a GUID) assigned to your browser. It gets set when you interact with a Microsoft property, including a UET beacon call or a visit to a Microsoft property through the browser.
- The cookie expires after 13 months.
- Microsoft does not use third-party cookies or sell the information it collects.
_uetsid
- This contains the session ID for a unique session on the site.
- The cookie expires after 13 months.
- Microsoft does not use third-party cookies or sell the information it collects.
_uetvid
- UET assigns this unique, anonymized visitor ID, representing a unique visitor. UET stores this data in a first-party cookie.
- The cookie expires after 13 months.
- Microsoft does not use third-party cookies or sell the information it collects.
Meeting Booking
Because we want to make it quick and easy for you to meet us and chat with us, we’ve added a meeting scheduler and a live chat. These are both powered by HubSpot and they serve cookies.
If you decline cookies, the following three (3) anonymous cookies are still required:
__hs_opt_out
- This cookie remembers to not ask you to accept cookies again.
- It contains the string "yes" or "no".
- It is deleted after 6 months.
__hs_initial_opt_in
- This cookie is used to prevent the banner from always displaying if you are browsing in strict mode.
- It contains the string "yes" or "no".
- It expires in seven days.
messagesUtk
- This cookie is used to recognize visitors who chat with us. If you have declined cookies, you will be asked if it’s ok for us to remember your chat session before closing the chat.
- If you have accepted our cookies, or if you have consented to us remembering your chat session before closing the chat:
  - If you come back with the same cookied browser, the chat will load your conversation history.
- This is anonymous; it uses an opaque GUID (Globally Unique Identifier) to represent chat users instead of personal data.
- It expires after 6 months.
If you accept cookies, you get five (5) additional cookies:
__hssc
- This cookie keeps track of sessions.
- It contains our domain (cybercoach.com), viewCount (increments each pageView in a session), and session start timestamp.
- It expires in 30 minutes.
__hssrc
- If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
- It contains the value "1" when present.
- It expires at the end of the session.
__hstc
- It contains our domain (cybercoach.com), the opaque GUID, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
- It expires in 6 months.
Hubspotutk
- This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
- It contains an opaque GUID to anonymously represent you.
- It expires in 6 months.
hs-messages-is-open
- This cookie is used to determine and save whether the chat widget is open for future visits.
- It is set in your browser when you start a new chat, and resets to re-close the widget after 30 minutes of inactivity.
- If you manually close the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes.
- It contains a boolean value of True if present.
- It expires in 30 minutes.
If you would like to book a meeting with us with the help of HubSpot, you’ll need to provide us and HubSpot with your name and email. These details are automatically added to our HubSpot contacts database. Our HubSpot data is hosted in the EU/EEA. We will only use this personal information to arrange the meeting. We will not add you to any mailing list or spam you in any way. We will also delete this information after the meeting, if you request us to do so. Otherwise, we periodically delete all contacts we’ve not had contact with in 6 months.
Our live chat only collects your personal data if you type it in. Please do not share any personal data other than your business contact information in the chat.
If you want to make sure HubSpot doesn’t track you, they offer 1-click deletion for their tracker data by visiting: https://legal.hubspot.com/cookie-policy#remove-cookies. You can read their privacy policy here: https://legal.hubspot.com/cookie-policy. You can also delete your cookies from the button below. If you delete the cookies, we will forget you; this means that the next time you visit, or if you reload the page, the cookie banner will be shown.
If you trust us but don’t trust HubSpot, you can always just email us at bookademo[at]cultsecurity.com with a couple of time slot suggestions and we can set up a call or online meeting on your choice of platform.
Data Transfers
Your data does not leave the EU and it is not shared with any other parties than those mentioned here: HubSpot, Leadfeeder and Snitcher. We will never sell your personal data.
Question or beef?
You can reach us at privacy[at]cultsecurity.com
Privacy Notice for CyberCoach Product
This is a description of how our CyberCoach and we at Cult Security as its hosts and creators handle your personal information and what we do to protect it.
CyberCoach has two “sides”: your coach and your trainer. (No, not like Jekyll and Hyde, both of them are fun and friendly.) As your coach, the CyberCoach answers your questions. This side is anonymous. As your trainer, CyberCoach works through fictional training scenarios together with you so that you learn about security and privacy. Your organization may need to know who has completed what training, so we may provide that information at the end of the training if you allow us to do so.
From both coach and trainer sides, we aggregate dashboard views for your organization. We encourage the admin of your organization to share these views with you for transparency, and take care that no individual can be identified from these organization and role/unit level graphs. Read on for more details on how we protect your information and only process the very minimum needed to provide you with a stellar service.
What do you know about me and why?
We want you to be able to ask anything and learn without pressure, so we work extra hard to ensure you remain anonymous. Even though you are logged into your organization’s Microsoft Teams or Slack when you chat with CyberCoach, CyberCoach does not collect or store your name or account information during your conversation.
We at Cult Security do not know who you are or what you discuss with CyberCoach, because the only identifier we store for users is your Teams or Slack User ID. This is a random string of characters, which we cannot connect to your name or other identifying personal information.
The table below summarizes the kind of data we process, why we need to process it, and for how long we maintain it.
What | Why | How Long |
---|---|---|
Session ID, duration of the conversation, information on completion/dropping out | For us to develop CyberCoach, diagnose issues, and keep the service up. Also to aggregate organization-wide usage analytics for your organization. | As long as your organization has the service in use, and a maximum of 90 days after. |
IP address | For us to diagnose issues, and keep the service up. Not combined with your training data or with what you have discussed with CyberCoach. | 90 days |
Slack or Teams ID | To record training scenario completion. CyberCoach will make it very clear if this information is required and ask you specifically if you still wish to proceed. | As long as your organization has the service in use, and a maximum of 90 days after. |
Training scores, right or wrong answers | To record training completion. | As long as your organization has the service in use, and a maximum of 90 days after. |
Name and email address (if your organization has enabled this) | This feature is optional for admins. If you are not sure whether this feature is enabled or not, you will need to contact the admin of your organization. To record training completion (yes/no). Not combined with your other training data or with what you have discussed with CyberCoach. | As long as this setting is enabled. The data will be deleted immediately after the setting is deactivated, or a maximum of 90 days after the end of the contract. |
Where is my data?
We store and process everything in the highly security-certified Microsoft Azure cloud, and ensure that nothing leaves the EU/EEA in compliance with the requirements of the EU General Data Protection Regulation (GDPR). If you do not want your personal data processed by us in the EU, please do not use CyberCoach and contact your organization's admin or HR.
What are my rights?
Right to be informed | We need to be transparent about what we do with your data, notify you of what your rights are and how you can exercise them. This document explains all that. |
Right to rectification | We can’t help you much here. CyberCoach and we at Cult Security only process automatically generated data (log information) and information passed down from your organization, so anything inaccurate needs to be corrected at the source by contacting your organization’s IT. |
Right to be forgotten | We are able to identify you only if your organization has elected to store emails in the training records. In that case we can delete all your data: your email address and which trainings you have completed. Contact your organization admin first. |
Right of access and data portability | The EU General Data Protection Regulation grants you the right to receive a copy of information you provide to a service provider in a digital format. While CyberCoach receives input from you, we don't know which data is yours, so we cannot provide access or copies. All information you have inputted is available to you through Microsoft Teams or Slack as long as your chat session remains open, and you will be able to copy it from there. |
Right to restriction of processing | This one is quite simple. We do not process identifiable personal information, so processing can only be further restricted by you electing not to use the service. Please do so and talk to us or a representative from your organization in case you have concerns before returning to using the service. |
Automated decision-making or profiling | CyberCoach does not judge. Or profile, or make decisions impacting you. |
Data transfers
Your data will not leave the EU and will not be shared with parties other than those mentioned here: Microsoft and Slack (if your organization uses Slack). We will never sell your personal data.
Question or beef?
You can reach us at privacy[at]cultsecurity.com
Sales and Marketing
We may approach you by message or phone if you work in an organization and in a role where CyberCoach could be of benefit to you and your organization. As a potential customer, we process your data based on our legitimate interest and our assessment that you would benefit from our service. We also need to process your information if you are interested in a demo or trial, or if you subscribe to CyberCoach for your organization. Below we describe in more detail what information we process and how you can control it.
What information do we process?
Potential customer | We process basic information available either directly from you and/or from Lusha or public sources: name, job role, organization, email and phone number. Even if you do not respond to our contact, we will keep this minimum information for 2 years at a time so that we know not to contact you in the future. We will tell you if we have obtained your contact information through Lusha. If you wish to have your information corrected or removed from Lusha's database, you can do so here: https://www.lusha.com/privacy_topic/control-your-profile/. |
Newsletter subscriber | If you subscribe to our newsletter, we will process the contact information you provide solely for that purpose according to your consent. You can unsubscribe from our mailing list at any time. |
Sales Lead | If you submit a form on our website or contact us through mail or phone, we will process this information in addition to the minimum information listed below and other information necessary to provide you with the services you have requested (e.g. demo session, CyberCoach trial, CyberCoach subscription). This includes, for example, information about matters such as scope and timeline agreed during the meetings. In the sales process, we process information related to your organization's needs, and only the basic information necessary about you as a buyer: name, job role, organization, email and phone number. |
Customer | In a customer relationship, we process information related to your organization's needs and use of CyberCoach, and only the basic information necessary about you as a buyer: name, job role, organization, email and telephone number. |
What rights do I have?
The right to be informed | We must be transparent about what we do with your data, inform you of your rights and how you can exercise them. That's what this page is for. |
The right to rectify my data | You can contact us at any time to ask us to rectify your data. |
Right to be forgotten | If you are not interested in our services, you can ask us to delete your data at any time. We will only keep for 2 years the minimum basic information (available from public sources) that we need in order not to contact you again. We cannot delete your data during a customer relationship, as we only process basic information about you that is necessary to fulfill the contractual relationship. Two years after the customer relationship has ended, we will anonymize and delete personal data that is not strictly necessary for the preparation, presentation or defense of possible legal claims and/or for accounting purposes (e.g. names and signatures on contracts). |
Right of access to data | The EU General Data Protection Regulation gives you the right to obtain a copy of the data you provide to the service provider in digital format. You can request this from us at any time. |
Right to restriction of processing | As the data we process is already strictly minimized, this processing cannot be further limited except in two cases: |
Automated decision-making or profiling | We do not make automated decisions or do profiling as part of our sales or customer relationship management processes. |
Data transfers
Your data will not leave the EU and will not be shared with parties other than those mentioned here: HubSpot (customers, newsletter subscribers and potential customers), Stripe or Procountor (customers, depending on payment method), and Microsoft (customers). We will never sell your personal information.