Privacy Policy

Last updated: December 15, 2025

1. Who Is the Data Controller?

The data controller for processing personal data is:

CyberResilient AB

Org.nr: 556702-0200

Email: info@cyberdefencely.com

2. What Personal Data Do We Collect?

Information you provide when registering:

  • Name
  • Email address
  • Telephone number
  • Organisation name
  • Position/role in the organisation

Data that arises when you use the Service:

  • Login and account information (e.g. time of registration, last login)
  • Technical logs (e.g. IP address, browser type, time of access)
  • Your answers in the maturity assessment
  • Reports

3. Why Do We Process Your Personal Data and on What Legal Basis?

To create and administer your account

  • Purpose: Create user account, enable login and access to the Service, manage permissions
  • Information: Name, email address, phone number, organisation name, login details
  • Legal basis: Performance of contracts (Article 6(1)(b) GDPR) to provide services to your organisation

To provide and develop the maturity measurement tool

  • Purpose: Conduct the maturity assessment, display performance reports, improve the features, user experience and security of the Service, follow up on usage patterns at an aggregate level (statistics)
  • Information: Your survey responses, usage data, technical logs
  • Legal basis: Legitimate interest (Article 6(1)(f) GDPR) in providing, developing and improving the Service and ensuring IT and information security

For customer service and support

  • Purpose: Answer questions, manage bug reports, assist you with your use of the Service
  • Information: Contact information (name, email, telephone), information about your organisation, the content of your question/matter
  • Legal basis: Legitimate interest in providing service and support (Article 6(1)(f))

For sending information and marketing communications (optional)

  • Purpose: Send information about updates to the Service, send news, tips or invitations to webinars/events related to cybersecurity and maturity measurement
  • Information: Name, email address, organisation
  • Legal basis: Legitimate interest (Article 6(1)(f)) of communicating with existing users in a professional role about services and information relevant to their activities
  • Your right to object: You may object to marketing communications by clicking the unsubscribe link in emails or contacting info@cyberdefencely.com

4. How Long Do We Keep Your Personal Data?

User accounts and account information

Information linked to your user account is saved as long as the account is active and you use the Service. If your account is inactive (no login) for 36 months, we may contact you to confirm whether you still want to keep the account. If we do not receive a response within 30 days, the account may be deleted.

Deleted accounts

If you actively choose to delete your account:

  • You have 30 days from the deletion request to export your data
  • After these 30 days, your personal data will be permanently deleted or anonymised
  • Data in encrypted backups can be retained for up to 30 additional days for disaster recovery, then permanently deleted

Measurement results and reports

Your responses to the maturity assessment and generated reports are saved as long as your account is active. If you delete your account, your personal measurement results will be deleted according to the timeframes above.

Technical logs and backups

Technical logs (IP addresses, login attempts, system events) are saved for 12 months for IT security, troubleshooting and traceability. Backups for active accounts are retained for up to 90 days for disaster recovery.

Marketing communications

Data for marketing communications (name, email, organisation) is saved as long as you are an active user or until you opt out. If you opt out, your choice is saved permanently. If your account is inactive for 36 months and you have not interacted with marketing communications, we may remove you from the marketing list.

Accounting documents and legal requirements

Data that must be saved according to the Accounting Act (e.g. invoices, payment information, agreements) is saved for 7 years from the end of the financial year. Data retained under other legal obligations will be retained for as long as the legal obligation persists.

Anonymised and aggregated data

Anonymised and aggregated data that does not identify you or your organisation may be stored indefinitely for statistics, benchmarking, and product development.

5. To Whom Do We Disclose Personal Data?

Data Encryption and Protection

All data is encrypted both at rest and in transit at the infrastructure level and, for personal data, with an additional application-level encryption layer that we control.

Specifically:

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Personal data has an additional layer of encryption (AES-256-GCM) that only we can decrypt
  • The email address (required for authentication) is the only identifying information not protected by this additional encryption layer

Data Protected by Additional Encryption

Your name, phone numbers, organisation information, all maturity assessment responses, all report contents and recommendations, user preferences and settings.

Data Processors Within the EU/EEA

  • Database and authentication services: Storage of user data and secure login management. Categories: Email address, username, encrypted passwords, account information. Legal basis: Performance of contracts (Article 6(1)(b) GDPR).
  • Email services: Send service messages, support communications, and other communications. Categories: Email address, name, content of messages. Legal basis: Performance of contracts (Article 6(1)(b) GDPR) for service notifications; Legitimate interest (Article 6(1)(f) GDPR) for marketing communications.
  • Cookie consent management: Manage and store user cookie consents. Categories: Consent information, IP address (anonymised), browser information. Legal basis: Legal obligation (Article 6(1)(c) GDPR).

An updated list of specific data processors within the EU/EEA is available upon request.

Data Processors Outside the EU/EEA

Cloud hosting and serverless computing services:

Website hosting, application delivery, and server-side processing. Physical location: EU (Sweden). Company jurisdiction: USA.

  • Data accessible: HTTP request metadata, application performance metrics, error logs
  • Data NOT accessible (encrypted): User names, assessment responses, report contents
  • Protective measures: GDPR Data Processing Agreement, TLS 1.3, AES-256
  • Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Database and Authentication Services (US-based):

Data storage, user authentication, database management. Physical location: EU (Sweden). Company jurisdiction: USA.

  • Data accessible: Email addresses, IP addresses, user preferences
  • Data NOT accessible (encrypted): Display names, phone numbers, organisation details, assessment data, reports
  • Protective measures: GDPR DPA, TLS 1.3, AES-256, AES-256-GCM application-level encryption
  • Legal basis: Performance of contract (Article 6(1)(b)), Legal obligation (Article 6(1)(c))

Why US Companies Can Access Data Stored in the EU: Even though data is physically stored on servers in Sweden, some service providers are US-based companies. Because of the additional encryption layer, the personal data they can access is encrypted and unreadable without the encryption keys, which are stored separately. Only the email address is stored unencrypted.

Sharing with group companies

Personal data is shared with:

  • Cyber Defencely Sweden AB (559501-5594)
  • Navis Mater AB (559537-7184)
  • Internetworking Stockholm AB (556990-8220)

Purpose: Joint management of user accounts, support and customer service, monitoring and development of the Service, joint administration and IT operations.

Data shared: Name, email, phone, organisation, position/role, account information, support issues.

Legal basis: Performance of contracts (Article 6(1)(b) GDPR). All of these companies are located in Sweden and subject to GDPR.

Other recipients

  • Authorities and regulatory bodies (if required by law)
  • Accountants and legal advisors
  • Potential buyers (in event of sale)

6. Transfer to Countries Outside the EU/EEA

The majority of our services and data are stored within the EU/EEA. When personal data is transferred outside this region, we ensure a legal basis and adequate protection through:

  • EU adequacy decisions or approved standard contractual clauses
  • Technical and organisational measures including encryption, access control and regular security audits
  • Supplier evaluation focusing on security and data protection standards

7. How We Protect Your Personal Data

We implement technical and organisational security measures including:

  • Access control and authorisation management
  • Secure authentication for administrators and users
  • Logging and monitoring of system events
  • Data encryption with extra layers for sensitive information
  • Regular security updates and backup routines

No internet-based service can be 100% secure against all threats. In the event of a data breach likely to result in a high risk, users are notified without undue delay in accordance with GDPR Article 34.

8. Your Rights

Under GDPR you have the right to:

  • Access your personal data and information about how it is processed
  • Have inaccurate or incomplete information corrected
  • Have your data deleted in certain circumstances ("right to be forgotten")
  • Have processing restricted in some cases
  • Object to processing based on legitimate interests
  • Withdraw consent without affecting prior lawful processing
  • Receive the information you have provided in a portable format (data portability)

Regarding AI: We do not use automated decision-making within the meaning of GDPR Article 22, since the recommendations are indicative only; you nonetheless retain your rights to be informed and to express your view.

Response timeframe: Within 1 month of receipt (can be extended to 3 months in complex cases). Requests are normally handled at no cost.

9. Right to Lodge a Complaint

If you believe your personal data has been processed in violation of GDPR, you have the right to lodge a complaint with Integritetsskyddsmyndigheten (IMY):

10. Cookies and Similar Technology

Necessary cookies are always active and cover:

  • Authentication and sessions
  • Security and access control
  • Technical operation and basic functionality

Analytics and tracking cookies are only set with your explicit consent. When you opt in, we use:

  • Google Analytics — to understand how visitors use the site (anonymised IP).
  • LinkedIn Insight Tag — to measure the effectiveness of our campaigns.

You can change or withdraw your consent at any time via the "Cookie Settings" link in the footer. We do not share cookie information with third parties for advertising or profiling.

11. Changes to This Privacy Policy

We may update this Privacy Policy at any time. We will give notice of material changes at least 30 days in advance. Minor updates may occur without prior notice and take effect upon posting. Continued use of the Service after changes take effect constitutes acceptance.