Privacy Policy

Short version: We collect what's necessary to run the platform. We don't sell your data. You can request deletion at any time. We comply with GDPR and CCPA.

1. Who Controls Your Data

Steeled Inc. ("we", "us", "our") operates CyberStackHub and is the data controller for personal information collected through the Service. Contact us at privacy@cyberstackhub.ai with any privacy questions.

2. What We Collect and Why

Category	What we collect	Why
Account data	Email address, name, password hash	To create and manage your account
Usage data	Pages visited, tools used, session duration, IP address, browser type	Analytics, service improvement, security monitoring
Assessment data	Inputs you provide for security assessments (company size, tech stack, answers to questionnaires)	To generate your cybersecurity intelligence outputs
Payment data	Billing name, last 4 digits, billing address (Stripe processes full card data)	To process transactions. We never store full card numbers.
Communications	Emails you send us, support tickets	To respond to your requests

3. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for the platform to function (session management, authentication). Cannot be disabled.
• Analytics cookies: We use first-party analytics to understand how people use CyberStackHub. This includes anonymized page views, session counts, and feature usage. We do not use Google Analytics or third-party ad-tracking cookies.
• Preference cookies: Remember your settings and preferences across sessions.

You can disable non-essential cookies in your browser settings. This may affect some functionality.

4. How We Use Your Data

• To deliver and improve the Service
• To process payments and manage subscriptions
• To send transactional emails (account confirmations, receipts)
• To send product updates and security tips (you can unsubscribe at any time)
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data to train AI models.

5. Who We Share Data With

We share data only with service providers who help us operate the platform, under strict data processing agreements:

• Stripe — payment processing
• Neon / Render — database and application hosting (US-based servers)
• Anthropic / OpenAI — AI inference for generating assessments (inputs are processed, not stored for training)
• Postmark — transactional email delivery

We may disclose data if required by law, court order, or to protect the safety of users or the public.

6. Data Retention

We retain your account data for as long as your account is active. Assessment outputs are stored so you can access your history. You can request deletion at any time — see Section 8.

Aggregated, anonymized analytics data may be retained indefinitely. Log data is retained for up to 90 days for security and debugging purposes.

7. Security

We use industry-standard security practices: encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security reviews. No method of transmission or storage is 100% secure — but we take it seriously.

If we become aware of a breach affecting your data, we will notify you within 72 hours as required by GDPR.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the data we hold about you
• Correction: Request that we fix inaccurate or incomplete data
• Deletion: Request deletion of your data ("right to be forgotten")
• Portability: Request your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request we limit processing of your data
• Opt-out of sale (CCPA): We don't sell data, so this right is already satisfied

To exercise any of these rights, email privacy@cyberstackhub.ai. We'll respond within 30 days. We may need to verify your identity before processing requests.

9. AI Data Processing (EU AI Act Article 10)

CyberStackHub uses artificial intelligence to generate cybersecurity assessments, documents, and recommendations. Here is exactly how your data is used within our AI systems:

• What is sent to AI models: Only the inputs you provide when using a tool — company name, industry, questionnaire answers, and descriptive context. We do not enrich inputs with third-party data before sending them to AI providers.
• What is never sent to AI models: Your email address, payment information, account credentials, or any data you haven't explicitly entered into a tool form.
• No training on your data: Your inputs are not used to train, fine-tune, or improve AI models — ours or any provider's. Both OpenAI and Anthropic operate under commercial API terms that prevent training on API inputs. We have verified this with both providers.
• Cross-border AI processing: AI inference calls are processed by OpenAI and Anthropic on US-based servers. This transfer is covered by Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.
• AI output retention: AI-generated outputs are stored in your account so you can access reports later. Associated inputs are retained for the same period. You can request deletion at any time — see Section 8.
• No automated decisions with legal effects: AI outputs are advisory only. No automated decisions that produce legal or similarly significant effects are made based on our AI outputs.

For full AI system documentation including risk classification, methodology, and known limitations: AI Transparency page (EU AI Act Article 11 technical documentation).

10. GDPR (EU/EEA Users)

Our legal bases for processing personal data under GDPR are:

• Contract performance — to deliver the Service you signed up for
• Legitimate interests — analytics, security, fraud prevention
• Consent — for marketing communications (you can withdraw at any time)
• Legal obligation — compliance with applicable laws

If you're in the EU/EEA, you have the right to lodge a complaint with your local Data Protection Authority.

11. CCPA — California Residents

We do not sell personal information as defined by the California Consumer Privacy Act. California residents have the right to know what personal information we collect and to request its deletion. Contact us at privacy@cyberstackhub.ai to exercise these rights.

12. Children's Privacy

CyberStackHub is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If we learn we've done so, we'll delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy. We'll update the effective date and, for material changes, notify you by email or a prominent notice on the platform. Continued use after changes means you accept the updated policy.

14. Contact Us

Privacy questions or requests: privacy@cyberstackhub.ai

Steeled Inc., c/o CyberStackHub