Privacy Policy

1. Data We Collect

Account & Organization Data

• Email address (and email hash for PII minimization in internal identifiers)
• Display name, job title, department, manager relationship
• Slack user ID (used as primary identifier when Slack integration is active)
• Slack profile photo URL (avatar)
• Organization name, domain, Slack Team ID
• Billing email and Stripe customer/subscription IDs

Training & Security Behavior Data

• Training module completion status, scores, and timestamps
• Phishing simulation results: whether a simulated email was opened, a link clicked, or reported
• Smishing (SMS) simulation results
• Policy acknowledgment records
• Incident drill participation and outcomes
• Gamification data: points, badges, and activity streaks
• Human risk scores derived from the above behavioral data
• Security culture scores at the organizational level

Vendor Risk Data

• Vendor names, categories, risk ratings, and review notes entered by your team
• Vendor documents you upload (SOC 2 reports, contracts, questionnaires)

Technical Data

• Session tokens (HTTP-only cookies)
• IP address (recorded in audit logs)
• Browser and device type for session management

2. How We Use Your Data

• Deliver training, phishing simulations, and other platform features to your organization
• Calculate individual and organizational risk scores to support your security program
• Send training assignments and reminders via Slack or email
• Process billing and subscription management through Stripe
• Detect abuse, enforce our Terms of Service, and investigate security incidents
• Improve the Platform using aggregated, anonymized usage data

We do not sell your data. We do not share individual behavioral data (phishing results, risk scores) with any third party except as needed to operate the Platform.

3. PII Minimization

Where possible, we use Slack user IDs as primary identifiers rather than email addresses, reducing personally identifiable information stored in training and simulation records. Email addresses are hashed for use in internal cross-references. Full email addresses are stored only where needed for direct user communication.

4. Data Sharing & Sub-processors

5. Data Retention

• Active org data retained for the lifetime of the organization's subscription
• Cancelled orgs: data deleted within 30 days of subscription end
• Audit logs retained for 12 months
• Training and simulation records retained for the life of the subscription
• Data deletion requests honored within 30 days

6. Your Rights (GDPR & CCPA)

We support data subject rights. You or your organization administrator may:

• Request access to your personal data
• Request correction of inaccurate data
• Request deletion of your data (right to erasure)
• Request portability of your training data
• Object to processing of your behavioral data

Deletion requests can be submitted via Settings → Account, or by emailing privacy@anchorcybersecurity.com. We will process requests within 30 days.

Important: Individual user data deletion requests from employees should be initiated through your Organization Admin, as employee data is processed on behalf of your organization as a data controller.

7. Security

See our Security Overview for details on encryption, access controls, MFA, and audit logging.

8. Contact

Anchor Cyber Security LLC
Biddeford, Maine 04005
privacy@anchorcybersecurity.com