Privacy Policy

Effective Date: January 20, 2025
Previous Version: January 17, 2025

1. Introduction

CyberSecFeed is a serious cybersecurity company committed to the highest standards of data protection. As security professionals, we practice what we preach: minimal data collection, maximum security.

2. Our Privacy Philosophy: Less Data = More Security

We believe that the best way to protect user data is to not collect it in the first place. Unlike many technology companies, we intentionally limit our data collection to the absolute minimum required to provide our service. This approach reduces risk for both you and us.

3. Information We Collect

3.1 The Only Information We Store

Email Address: Required for API key delivery and critical service communications
Name: Only if you provide it during checkout (optional)
API Key Hash: One-way encrypted hash - we cannot recover your actual API key

That's it. Nothing else.

3.2 Information We Explicitly Do NOT Collect

❌ No tracking cookies or analytics
❌ No IP address logging
❌ No API query parameters or search terms
❌ No usage patterns or behavioral data
❌ No marketing profiles or user segments
❌ No device information or browser fingerprinting
❌ No location data

3.3 Why We Don't Have a User Database

We've architected our system without a traditional user database. Your subscription is managed entirely through Stripe, and we only store the minimal API key metadata needed for authentication. This design choice means:

No user profiles to breach
No personal data repositories to protect
No temptation to collect "just in case" data
No risk of data misuse because the data doesn't exist

4. API Key Security

4.1 One-Way Encryption

Your API key is hashed using SHA-256 with a salt before storage
This is a one-way process - we cannot reverse it to see your original key
If you lose your API key, we cannot recover it (you'll need a new one)
This protects you even in the unlikely event of a database breach

4.2 Zero Knowledge Architecture

We operate on a zero-knowledge principle for API keys. Once your key is generated and emailed to you, we only store its hash. This means:

Our support team cannot see your API key
Our engineers cannot retrieve your API key
Even with full database access, your key remains secure

5. How We Use Your Information

The minimal information we collect is used solely for:

Email: Send your API key once and critical service updates only
Name (if provided): Personalize your welcome email
API Key Hash: Authenticate your API requests

6. Infrastructure Security

6.1 SOC 2 Level Infrastructure

We use enterprise-grade, SOC 2 compliant infrastructure:

Cloudflare Workers: SOC 2 Type II certified platform
Stripe: PCI DSS Level 1 certified payment processor
Industry Standards: We leverage infrastructure that meets or exceeds industry security standards

6.2 Security Measures

Encryption in Transit: All API communications use TLS 1.3 or higher
Encryption at Rest: Database encryption for stored data
Access Controls: Zero-trust architecture with minimal access
DDoS Protection: Enterprise-grade protection via Cloudflare
API Security: Rate limiting, quota enforcement, and anomaly detection
No Logs: We don't log API requests, responses, or query parameters
Security Monitoring: 24/7 automated monitoring for threats
Incident Response: Documented procedures for security incidents

6.3 Breach Notification

In the unlikely event of a data breach that affects your personal information:

We will notify you within 72 hours of discovery
We will provide details about what information was affected
We will outline steps we're taking to remediate the issue
We will offer guidance on protective measures you can take

6.4 Security Audits

Enterprise customers may request:

Evidence of our SOC 2 compliance
Security questionnaire completion
Discussion of our security practices (under NDA)

7.1 Third-Party Services

We share minimal data with only two services:

Stripe: Handles all payment processing (we never see your card details)
Postmark: Sends your API key email (one-time use)

7.2 What We Never Do

❌ Never sell your data
❌ Never share data for marketing
❌ Never provide data to advertisers
❌ Never use your data for AI training
❌ Never profile your usage

7.3 Legal Compliance

We will only disclose data if legally required and will:

Notify you unless prohibited by law
Challenge overly broad requests
Provide only the minimum required information

8. Data Processing Agreement (DPA)

8.1 Controller vs Processor

You are the Data Controller: You determine the purposes and means of processing personal data
We are the Data Processor: We process data only on your behalf and under your instructions
Limited Processing: We only process data to provide the API service as described in these Terms

8.2 Enterprise DPA

Enterprise customers may request a separate Data Processing Agreement that includes:

Detailed processing instructions and purposes
List of approved subprocessors
Standard Contractual Clauses for international transfers
Specific security commitments
Audit rights and certifications
Data deletion and return procedures

8.3 International Data Transfers

For customers requiring data transfer mechanisms:

We rely on Cloudflare's global infrastructure with appropriate safeguards
Standard Contractual Clauses are available upon request
We maintain Data Transfer Impact Assessments (DTIA) as required

8.4 Your Responsibilities as Controller

You are responsible for:

Ensuring lawful basis for any personal data you submit
Responding to data subject requests
Maintaining your own privacy notices
Ensuring your use complies with applicable privacy laws

9. Data Retention

Our minimal data collection extends to retention:

Email & Name: Kept only while your subscription is active
API Key Hash: Deleted immediately upon subscription cancellation
No Historical Data: We don't keep logs, usage history, or activity records
Clean Deletion: When you cancel, your data is truly gone

10. Your Rights

Since we collect minimal data, exercising your rights is simple:

10.1 Access Your Data

Contact us and we'll tell you: your email, name (if provided), and that we have a hash of your API key. That's all we have.

10.2 Delete Your Data

Cancel your subscription and we delete everything immediately. No waiting periods, no "soft deletes" - it's gone.

10.3 Data Portability

Your data export would be: email address, name (if provided). That's the complete export.

10.4 No Marketing to Opt Out From

We don't do marketing emails, so there's nothing to opt out of. You only receive:

Your API key (once)
Critical security notices (if ever needed)
Billing receipts from Stripe

11. Compliance with Privacy Laws

We're already compliant because we:

Collect minimal data (data minimization principle)
Have a lawful basis (contract performance)
Delete data on request immediately
Don't transfer data unnecessarily
Use SOC 2 compliant infrastructure
Act as a data processor under your control
Provide Data Processing Agreements when required

11.2 CCPA (California)

We're compliant because we:

Don't sell personal information (never have, never will)
Don't profile users
Delete data upon request
Provide equal service regardless of privacy choices
Honor "Do Not Sell" requests (though we never sell data anyway)

11.3 Children's Privacy

Our Service is for businesses and professionals only. We don't knowingly collect data from anyone under 18. If we discover we've collected data from someone under 18, we will delete it immediately.

11.4 Additional Jurisdictions

We maintain compliance with privacy laws in all jurisdictions where we operate, including:

PIPEDA (Canada)
UK GDPR
Australian Privacy Act
Other applicable regional privacy laws

12. Our Privacy Commitment

As cybersecurity professionals, we understand that trust is earned through actions, not words. Our minimal data collection isn't a marketing strategy - it's a security philosophy. We've made the conscious choice to forgo valuable marketing data because your privacy and security matter more than our marketing metrics.

13. Changes to This Policy

If we ever need to update this policy, we will:

Notify you via email at least 30 days before changes take effect
Never reduce your privacy rights
Always maintain our minimal data collection principle
Provide a summary of material changes

14. Contact Us

For privacy questions or to exercise any of your rights:

Email: [email protected]
Support: [email protected]
Principle: If you ask us what data we have on you, the answer will always be minimal.

By using CyberSecFeed, you're choosing a service that prioritizes your privacy and security above all else. We're proud to be different.

1. Introduction​

2. Our Privacy Philosophy: Less Data = More Security​

3. Information We Collect​

3.1 The Only Information We Store​

3.2 Information We Explicitly Do NOT Collect​

3.3 Why We Don't Have a User Database​

4. API Key Security​

4.1 One-Way Encryption​

4.2 Zero Knowledge Architecture​

5. How We Use Your Information​

6. Infrastructure Security​

6.1 SOC 2 Level Infrastructure​

6.2 Security Measures​

6.3 Breach Notification​

6.4 Security Audits​

7. Data Sharing​

7.1 Third-Party Services​

7.2 What We Never Do​

7.3 Legal Compliance​

8. Data Processing Agreement (DPA)​

8.1 Controller vs Processor​

8.2 Enterprise DPA​

8.3 International Data Transfers​

8.4 Your Responsibilities as Controller​

9. Data Retention​

10. Your Rights​

10.1 Access Your Data​

10.2 Delete Your Data​

10.3 Data Portability​

10.4 No Marketing to Opt Out From​

11. Compliance with Privacy Laws​

11.1 GDPR (Europe)​

11.2 CCPA (California)​

11.3 Children's Privacy​

11.4 Additional Jurisdictions​

12. Our Privacy Commitment​

13. Changes to This Policy​

14. Contact Us​