Document ID: LEG-2026-003 · Effective: January 15, 2026 · Supersedes: LEG-2025-005
Prepared by: Office of the General Counsel · Reviewed by: Data Protection Officer
This Privacy Policy describes how CYFR Technology, Inc. ("CYFR," "we," "our," or "us") collects, uses, discloses, and protects information in connection with the CYFR platform and related services (the "Platform"). This Policy applies to all users of the Platform, including individual account holders and personnel of enterprise customers and MSP partners (collectively, "Users" or "you").
This Policy does not apply to Customer Data — the encrypted files, media, and other content that Users store on the Platform. As described in Section 4 below and in our Security Architecture documentation, CYFR has no technical ability to access, read, or process Customer Data in unencrypted form. Customer Data is not "personal information" collected by CYFR within the meaning of this Policy.
CYFR collects only the minimum information necessary to operate the Platform and provide services:
(a) Account Information. When a User registers for an Account, we collect: (i) an email address, used for authentication credential recovery and service notifications; (ii) a username selected by the User; and (iii) a hashed and salted password credential. We do not collect names, physical addresses, telephone numbers, government identification numbers, or demographic information as a condition of account creation.
(b) Payment Information. When a User makes a payment, payment instrument details are collected and processed exclusively by our third-party payment processors. CYFR does not receive, store, or have access to full payment card numbers, bank account numbers, or cryptocurrency private keys. We receive only a transaction identifier and the amount processed, which we retain for billing and reconciliation purposes.
(c) Usage and Technical Information. When a User accesses the Platform, our servers automatically log: (i) IP address; (ii) timestamp of access; (iii) the specific resource accessed; (iv) HTTP status code; and (v) user agent string. This information is used for security monitoring, rate limiting, incident response, and platform analytics. Logs are retained for a period of ninety (90) days, after which they are automatically purged unless retained for a specific security investigation.
(d) Communications. When a User contacts CYFR via electronic mail, web form, or the abuse reporting portal, we collect the User's email address and the content of the communication. We retain correspondence for the period necessary to address the inquiry and for record-keeping purposes consistent with applicable law.
We use the information described in Section 2 solely for the following purposes: (a) to provide, maintain, and improve the Platform; (b) to authenticate Users and secure Accounts; (c) to process payments and maintain billing records; (d) to communicate with Users regarding their Accounts and the Platform; (e) to detect, prevent, and respond to security incidents, fraud, and abuse; (f) to comply with legal obligations; and (g) for any other purpose with the User's express consent.
We do not use Account Information or Usage Information for advertising, marketing profiling, or any purpose unrelated to the provision of the Platform. We do not sell, rent, license, or otherwise disclose Account Information or Usage Information to third parties for their own commercial purposes.
CYFR operates a zero-knowledge architecture. This is not a policy — it is a technical property of the system. Specifically:
Consequently, CYFR does not — and cannot — "collect," "process," "share," or "sell" Customer Data within the meaning of data protection laws. Customer Data is not part of CYFR's data inventory. Our obligations with respect to Customer Data are governed by the Terms of Service and any applicable Data Processing Agreement, not by this Privacy Policy.
CYFR may disclose Account Information and Usage Information only in the following circumstances:
(a) Service Providers. To third-party service providers who perform services on our behalf — including payment processing, infrastructure hosting, and electronic mail delivery — under contractual obligations of confidentiality and data protection consistent with this Policy.
(b) Legal Process. In response to a valid subpoena, court order, search warrant, or other legal process that complies with applicable law. CYFR will: (i) review each request for facial validity and jurisdictional propriety; (ii) notify the affected User prior to disclosure unless legally prohibited from doing so; and (iii) disclose only the specific information required by the legal process. As described in our DMCA Policy, CYFR cannot produce Customer Data in unencrypted form, as it does not possess the necessary decryption keys.
(c) Abuse Reports. When a third party submits a valid abuse report through our reporting portal, the information provided in the report may be shared with the affected Customer to the extent necessary for the Customer to respond or to take corrective action.
(d) Protection of Rights. To protect the rights, property, or safety of CYFR, our Users, or the public, including to detect, prevent, or otherwise address fraud, security, or technical issues.
(e) Corporate Transactions. In connection with a merger, acquisition, reorganization, or sale of all or substantially all of CYFR's assets, subject to standard confidentiality arrangements and the continuing application of this Policy.
Account Information is retained for the duration of the Account's existence. Upon Account termination: (a) Account Information is retained for a period of ninety (90) days to permit account restoration in the event of accidental termination; (b) thereafter, Account Information is permanently deleted or anonymized, except for information required to be retained by applicable law or for legitimate business purposes (such as fraud prevention or billing record retention); and (c) Customer Data is rendered irrecoverable through cryptographic key destruction. Usage and Technical Information is retained for ninety (90) days and automatically purged thereafter except as described in Section 2(c).
Depending on the User's jurisdiction, applicable data protection laws may grant certain rights regarding Account Information, including the right to: access, correct, delete, or port such information; restrict or object to its processing; and withdraw consent where processing is based on consent. To exercise these rights, Users may contact CYFR at privacy@cyfr.technology. CYFR will respond within the timeframe required by applicable law.
Because CYFR's collection of Account Information is minimal by design, the practical scope of these rights is correspondingly narrow. CYFR does not maintain behavioral profiles, inference models, or marketing databases on Users.
CYFR's infrastructure is located in the United States. Account Information is processed and stored in the United States. For Users located outside the United States, CYFR relies on applicable transfer mechanisms — including standard contractual clauses and adequacy decisions — to ensure an adequate level of protection for Account Information transferred to the United States.
The Platform is not directed to individuals under the age of eighteen (18). CYFR does not knowingly collect information from individuals under the age of eighteen. If we become aware that an individual under eighteen has provided us with information, we will delete such information from our systems.
For questions, concerns, or complaints regarding this Privacy Policy, contact:
Users in the European Economic Area, the United Kingdom, or Switzerland have the right to lodge a complaint with their local data protection supervisory authority. CYFR encourages Users to contact us first to allow us the opportunity to address any concerns directly.
Document Control
LEG-2026-003 · Approved by: General Counsel & Data Protection Officer
This document is maintained in CYFR's document management system. Printed copies are uncontrolled.