Privacy Policy
Last updated: 19/05/2026
This Privacy Policy explains how Carmen Curtayne
(“CyberPsyche”, “we”, “us”)
collects, uses, and protects personal data when you use the
CyberPsyche service at
app.cyber-psyche.com.
For the purposes of the EU General Data Protection Regulation (GDPR)
and the UK GDPR, CyberPsyche is the data controller for the personal
data described below.
1. Data we collect
We collect only the data necessary to operate the Service.
- Account data: your email address, used to create your account and send magic-link sign-in emails. Where you provide them, your name and the organisation you represent.
- Subscription and billing data: the plan you have selected, your subscription status, billing cycle, invoice history, billing address, and the last four digits of your payment card. We do not store full payment card numbers ourselves — full card details are collected and processed directly by our payment processor (see Section 4).
- Assessment data: the project names, descriptions, business unit names, and assessment answers you input into the Service, together with the scores and risk levels generated from them.
- Usage and technical data: standard server logs (IP address, browser type, timestamp, pages visited) collected automatically when you use the Service.
- Authentication metadata: session tokens and timestamps managed by our authentication provider, Supabase.
- Support and communications data: the content of any messages you send to us, and our responses, when you contact us for support or to exercise your data protection rights.
We do not collect special-category personal data
(race, religion, health, biometric, etc.) and ask that you do not
enter such data into assessment fields.
2. How we use your data
We use your personal data to:
- create and authenticate your account;
- provide, maintain, and improve the Service;
- generate, store, and let you export your assessments;
- process subscription payments, manage renewals and cancellations, and issue invoices and receipts;
- communicate with you about the Service (sign-in links, service notices, billing notifications, important changes);
- respond to support enquiries and to requests to exercise data protection rights;
- protect the Service and our users against fraud, abuse, and security threats;
- comply with legal, accounting, and tax obligations.
We do not use your assessment data to train machine
learning or AI models, sell it to third parties, or build aggregate
data products without your separate, explicit consent.
3. Legal basis for processing (GDPR)
- Performance of a contract (Article 6(1)(b)) — to provide the Service to you, manage your subscription, process payments, and otherwise perform our obligations under our Terms of Service.
- Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the Service; to prevent fraud and abuse; and to communicate with you about the Service. Our legitimate interests are balanced against your rights and freedoms.
- Consent (Article 6(1)(a)) — where required for optional communications or non-essential analytics.
- Legal obligation (Article 6(1)(c)) — where applicable law requires processing, including the retention of accounting and tax records relating to subscription payments.
4. Sharing your data
We share personal data only with the service providers necessary to
operate the Service, under written agreements that restrict their use
of the data to providing services to us.
- Supabase — authentication and database hosting, delivery of magic-link sign-in emails. Data is stored in the EU.
- Vercel — application hosting and content delivery.
- Titan — service emails.
- Stripe — processing of subscription payments. The payment processor collects and processes full payment card details directly under its own privacy policy and acts as an independent data controller in respect of those details for fraud-prevention and regulatory purposes. We receive only the subscription metadata necessary to manage your account (e.g. plan, status, last four digits of card, billing address).
We do not sell or rent your personal data. We may disclose data where
legally required (court order, regulator request) or to protect our
rights and the safety of users.
5. International transfers
Where personal data is transferred outside the European Economic Area
or the United Kingdom, we rely on appropriate safeguards including
Standard Contractual Clauses approved by the European Commission and,
where applicable, the UK International Data Transfer Addendum.
6. Data retention
We retain your personal data only for as long as necessary to provide
the Service, meet our legal obligations, and resolve disputes.
- Account data: kept for the lifetime of your account, deleted within 30 days of account closure.
- Assessment data: kept for the lifetime of your account, deleted within 30 days of account closure or earlier upon your written request.
- Subscription and billing data: retained for the duration of your subscription and for 5 to 7 years after the end of the relevant financial year, as required by South African accounting and tax law.
- Invoices and payment records: retained for the same statutory period as subscription and billing data.
- Support and communications data: retained for up to 24 months after the matter is resolved.
- Server logs: retained for up to 90 days for security and operational purposes.
- Backups: standard rolling backups are overwritten within 30 days.
7. Your rights
Under the GDPR and UK GDPR, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (right to be forgotten), subject to our obligation to retain certain billing and accounting records as required by law;
- restrict or object to processing;
- receive your data in a portable format;
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with the Information Regulator of South Africa.
To exercise any of these rights, contact us at
info@cyber-psyche.com. We respond
within 30 days.
8. Security
We use industry-standard security measures to protect your data,
including encryption in transit (HTTPS), authentication via magic-link
one-time codes, row-level security on the assessment database (so each
user can only access their own data), and access controls on
production infrastructure. Payment card data is handled entirely by
our PCI-DSS compliant payment processor and never stored on our
servers. No system is perfectly secure; if you believe your account
has been compromised, contact us immediately.
9. Cookies
The Service uses only essential cookies and local storage required
for authentication and core functionality (for example, to maintain
your sign-in session and remember your selected subscription plan
during checkout). We do not use advertising cookies or third-party
tracking cookies.
10. Children
The Service is not directed at children under 18. We do not knowingly
collect personal data from children. If you believe a child has
provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The
“Last updated” date at the top reflects the most recent
revision. Material changes will be communicated to you in-app or by
email before they take effect.
12. Contact us
For questions about this Privacy Policy or to exercise your data
protection rights, contact:
Carmen Curtayne
CyberPsyche
info@cyber-psyche.com