Privacy Policy

Last updated: June 2026

1. Introduction

CIPHIUM ("we", "us", or "our") operates the website ciphium.com and provides offensive cybersecurity assessment services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website or use our services.

We are committed to protecting your privacy and handling your data in an open and transparent manner. By using our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Personal Data

When you register for an account, request a demo, or contact us, we may collect the following personal information:

  • Full name
  • Email address
  • Company or organization name
  • Job title and department
  • Phone number (if provided)
  • Billing and payment information

Usage Data

We automatically collect certain information when you visit our website, including:

  • IP address and geolocation data
  • Browser type and version
  • Operating system
  • Pages visited and time spent on each page
  • Referring URL
  • Device identifiers

Cookies and Tracking

We use cookies and similar tracking technologies to monitor activity on our website and store certain information. See Section 9 for more details on cookies.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve our cybersecurity assessment platform and services.
  • Communication: To send you important updates, security alerts, and administrative messages related to your account.
  • Improvement: To analyze usage patterns and improve our products, services, and user experience.
  • Marketing: To send promotional materials and information about new features, with your consent where required by law.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.
  • Security: To detect, prevent, and address fraud, security breaches, and other harmful activities.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Consent: Where you have given us explicit consent to process your data for specific purposes, such as marketing communications.
  • Contract Performance: Where processing is necessary to fulfill our contractual obligations to you, including providing our services.
  • Legitimate Interests: Where processing is necessary for our legitimate business interests, such as improving our services, provided these interests are not overridden by your rights.
  • Legal Obligation: Where we are required to process data to comply with applicable laws and regulations.

5. Data Sharing

We do not sell your personal data. We may share your information in the following circumstances:

  • Third-Party Service Providers: We work with trusted third-party processors who assist in operating our platform, processing payments, and providing customer support. These providers are contractually bound to protect your data.
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data is subject to a different privacy policy.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, including for legal, accounting, or reporting requirements.

When you request deletion of your account, we will remove your personal data within 30 days, unless we are required to retain it for legal compliance. Anonymized and aggregated data may be retained indefinitely for analytics purposes.

7. Your Rights (GDPR)

If you are a resident of the EEA or a jurisdiction with similar data protection laws, you have the following rights:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure: You can request that we delete your personal data, subject to legal retention requirements.
  • Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to Restriction: You can request that we restrict the processing of your personal data under certain conditions.
  • Right to Object: You can object to the processing of your personal data for direct marketing or where we rely on legitimate interests.
  • Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning you.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. International Data Transfers

Your personal data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws than your jurisdiction.

Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.

9. Cookies

We use the following types of cookies:

  • Essential Cookies: Necessary for the website to function properly. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our website to improve user experience.
  • Functional Cookies: Remember your preferences and settings for a personalized experience.
  • Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness.

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, disabling essential cookies may affect website functionality.

10. Security Measures

We implement robust security measures to protect your personal data, including:

  • End-to-end encryption for data in transit and at rest
  • Role-based access controls and multi-factor authentication
  • Regular security audits and penetration testing
  • Incident response procedures and breach notification protocols
  • Employee security awareness training
  • Secure development practices following OWASP guidelines

While we strive to use commercially acceptable means to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take immediate steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and, where required by law, sending you an email notification.

We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Email: [email protected]

Website: ciphium.com

Data Protection Officer: You may reach our DPO at [email protected]