
Privacy Policy

Last updated: October 31, 2025

1. Introduction

At RansomLeak, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our security awareness training platform. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. Please read this privacy policy carefully.

2. Legal Bases for Processing

We process your personal data based on the following legal grounds:

  • Legitimate Interest: To deliver security awareness training services and improve our platform
  • Contractual Necessity: To provide the services you have subscribed to and fulfill our obligations under our Terms of Service
  • Consent: For marketing communications and optional features, where you have given explicit consent
  • Legal Obligation: To comply with applicable laws, regulations, and legal processes

3. Information We Collect

We may collect information about you in a variety of ways. The information we may collect includes:

  • Personal Data: Name, email address, phone number, company name, and job title
  • Training Data: Course progress, completion rates, quiz scores, and time spent on modules
  • Technical Data: IP address, browser type, operating system, and device information
  • Usage Data: Pages visited, features used, and interaction patterns within our platform

4. How We Use Your Information

We use the information we collect in the following ways:

  • To provide and maintain our security awareness training services
  • To personalize training content and improve user experience
  • To track progress and generate training reports for your organization
  • To communicate with you about your account and our services
  • To comply with legal obligations and protect our rights

5. Data Security

We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

  • Encryption at Rest: All data stored in our systems is encrypted using AES-256 encryption, including databases (RDS), file storage (S3), and secrets management (AWS Secrets Manager)
  • Encryption in Transit: All data transmitted to and from our platform is protected using TLS 1.3 encryption with HTTPS-only enforcement
  • Network Security: Our infrastructure uses VPC isolation, security groups, and AWS GuardDuty for continuous threat detection and monitoring
  • Access Controls: We implement role-based access control (RBAC) with the principle of least privilege, ensuring personnel only access data necessary for their role
  • Monitoring & Auditing: Continuous security monitoring through CloudWatch logging, AWS GuardDuty threat detection (15-minute intervals), and CloudTrail API audit logging
  • Incident Response: Automated security incident alerts via SNS for high-severity findings, with documented incident response procedures

For detailed technical security measures and infrastructure details, see our Security & Compliance page.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Specific Retention Periods:

  • Training Records: Retained for the duration of your subscription plus a reasonable period thereafter for backup and audit purposes
  • Application Logs: 90 days (CloudWatch)
  • API Audit Logs: 3 years (CloudTrail)
  • Access Logs: 1 year (CloudFront)
  • Account Data: Retained while your account is active, plus legal retention requirements
  • Database Backups: Encrypted database backups are retained for 30 days for disaster recovery, data corruption protection, and service reliability purposes

Account Deletion and Backup Retention:

When you request account deletion, we delete your personal information from our production database immediately. However, your data may remain in encrypted database backups for up to 30 days for disaster recovery purposes, after which it is automatically deleted.

We retain database backups for 30 days to:

  • Protect against data corruption and accidental data loss
  • Enable disaster recovery and service continuity
  • Comply with legal obligations and regulatory requirements
  • Maintain service reliability and operational integrity

You may request deletion of your personal data at any time by contacting privacy@ransomleak.com. All deletion requests are processed in accordance with applicable data protection laws.

7. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Right to Access: You have the right to request a copy of your personal information. To exercise this right, email privacy@ransomleak.com with the subject "Data Access Request." We will provide your data within 30 days after identity verification.
  • Right to Rectification: You can update inaccurate personal information through your account settings or by contacting our support team at privacy@ransomleak.com.
  • Right to Erasure: You may request deletion of your personal information by emailing privacy@ransomleak.com with the subject "Data Deletion Request." Please note that some data may be retained for legal compliance or backup purposes.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You can download your training data through your account dashboard, export SCORM packages for LMS integration, or request bulk data retrieval via our API.
  • Right to Object: You have the right to object to our processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent: Where we rely on consent to process your data, you can withdraw your consent at any time through your account settings or by contacting us.
  • Automated Decision-Making: We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

All data subject requests are processed within 30 days, in compliance with GDPR requirements. We will verify your identity before fulfilling any requests to ensure data security.

8. International Data Transfers

Your personal data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for these transfers:

  • EU-U.S. Data Privacy Framework: We comply with the EU-U.S. Data Privacy Framework for transfers of personal data from the European Union to the United States
  • UK Extension to EU-U.S. DPF: We adhere to the UK Extension to the EU-U.S. Data Privacy Framework for transfers from the United Kingdom
  • Swiss-U.S. Data Privacy Framework: We comply with the Swiss-U.S. Data Privacy Framework for transfers from Switzerland
  • Standard Contractual Clauses (SCCs): Where applicable, we use Standard Contractual Clauses approved by the European Commission
  • Data Processing Locations: Our services are hosted on AWS infrastructure in secure, SOC 2 compliant data centers

9. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
  • Provide clear information about the nature of the breach, potential consequences, and measures taken to address it
  • Implement immediate remediation measures to secure affected systems and prevent further unauthorized access

For detailed information about our security measures and incident response procedures, see our Security & Compliance page.

10. Supervisory Authority & Complaints

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The relevant authorities include:

  • United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk
  • European Union: Your local Data Protection Authority (DPA) in your EU member state
  • Other Jurisdictions: Contact your local data protection or privacy regulatory authority

We are committed to resolving any complaints directly with you. Please contact us at privacy@ransomleak.com before escalating to a supervisory authority, so we can address your concerns promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell
  • Right to Access: You can request access to the specific pieces of personal information we have collected about you in the past 12 months
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out: You have the right to opt out of the sale of your personal information. We Do Not Sell Your Personal Information.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights

To exercise these rights, please email privacy@ransomleak.com with your request. We will verify your identity before processing your request and respond within 45 days.

Additional Privacy Rights for Canadian and South African Residents:

  • PIPEDA (Canada): Canadian residents have rights under the Personal Information Protection and Electronic Documents Act, including rights to access and correct personal information
  • POPIA (South Africa): South African residents have rights under the Protection of Personal Information Act, including rights to access, correction, and objection to processing

12. Third-Party Services and Data Processors

We may share your information with third-party service providers who assist us in operating our platform, conducting our business, or servicing you. These third parties are contractually obligated to maintain the confidentiality and security of your information and are restricted from using your personal information for any purpose other than providing services to us.

Our sub-processors include AWS (cloud infrastructure), Google Tag Manager (analytics), and other service providers necessary for platform operation. For a complete list of sub-processors, please contact privacy@ransomleak.com.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform. Cookies are small text files stored on your device that help us understand how you interact with our services.

Types of Cookies We Use:

  • Essential Cookies: Required for the platform to function properly. These cookies enable core functionality such as session management, security features, and authentication. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors interact with our website by collecting and reporting information anonymously. We use Google Tag Manager (GTM) for analytics purposes.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences, language selection, and display settings.

Cookie Lifespan:

  • Session Cookies: Temporary cookies that expire when you close your browser
  • Persistent Cookies: Remain on your device for a set period (up to 12 months) to remember your preferences

Managing Your Cookie Preferences:

We use CookieControl, implemented via Google Tag Manager, to manage your cookie consent preferences. You can:

  • Accept or reject non-essential cookies through our cookie consent banner when you first visit our site
  • Change your cookie preferences at any time by accessing the cookie settings in your browser or through our cookie preference center
  • Configure your browser settings to refuse all cookies or alert you when cookies are being sent

Please note that blocking certain cookies may impact your experience and limit some functionality of our platform. For more information on how to control cookies through your browser settings, visit your browser's help documentation.

14. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes.

15. Contact Us

If you have questions or comments about this Privacy Policy, or wish to exercise your data protection rights, please contact us at:

Ransomleak OÜ

Privacy & Data Protection:

Email: privacy@ransomleak.com

Address: Estonia, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551

For enterprise customers requiring a Data Protection Agreement (DPA) or information about our Data Protection Officer (DPO), please contact privacy@ransomleak.com.