Privacy policy

Plain-language description of what data we collect on this website, why we collect it, how we use it, and what choices you have.

Who this policy applies to

CyberGuards is a penetration-testing firm based in San Francisco, California. This policy describes how we handle data on the public website at cyberguards.ai and on related public pages. It does not describe how we handle data inside customer engagements — that is governed by the engagement contract and any applicable Business Associate Agreement (BAA) or Data Processing Agreement (DPA) we sign with the customer.

Outbound business outreach

In addition to handling inbound contact (described below), we send targeted business-to-business outreach emails to publicly available work email addresses as part of our sales process. If you received an email from us and want to understand what we do with your data, this section is for you.

Who we contact

We contact people in roles relevant to penetration testing — engineering leadership, security leadership, compliance leadership, and founders or operators at scale-stage companies — at organizations whose risk profile suggests they may benefit from our services. We do not send personal-account outreach, consumer outreach, or business-to-consumer marketing.

Where the contact data comes from

We source business-contact data from publicly available business directories, professional networking platforms (for example, LinkedIn), and opt-in business-to-business lead-generation partners. We do not scrape personal or consumer email addresses, purchase consumer marketing lists, or use data sourced through deceptive collection.

Lawful basis

  • EU and UK (GDPR). Our lawful basis for processing business-contact data for outreach is legitimate interest under Article 6(1)(f). We have conducted a Legitimate Interests Assessment (balancing test) which is available on request to [email protected]. You may object to this processing at any time under Article 21 — the unsubscribe link in any of our emails is the simplest way to exercise that right.
  • United States (CAN-SPAM). Our outreach complies with the CAN-SPAM Act: accurate sender and subject headers, clear identification as commercial email, a valid physical postal address (see contact), and a working unsubscribe mechanism honored within 10 business days.
  • California (CCPA/CPRA). Business-to-business communications to employees of other businesses, for the direct purpose of business communication, fall under the CCPA business-to-business exemption. The rights described in the "Your rights" section below still apply.

Opting out

Every outbound email includes a one-click unsubscribe link. Unsubscribes are:

  • Immediate. Processed within minutes of click; no confirmation step required.
  • Permanent. Applied to your email address indefinitely.
  • Cross-campaign. Opting out of one campaign opts you out of all current and future campaigns.
  • Recorded on a suppression list. We retain opt-out records indefinitely so a previously unsubscribed address is never re-contacted by mistake.

You can also email [email protected] with "REMOVE" in the subject line; we will add your address and any related addresses you list to the suppression list manually.

Tracking inside outreach emails

Outreach emails may include open-tracking pixels and link-click tracking. We use this to measure campaign effectiveness, time follow-ups, and stop sending to addresses that bounce or unsubscribe. We do not use this data to build personal profiles, share it with advertising networks, or sell it to third parties.

What we do not do

  • We do not send unsolicited marketing to personal email addresses.
  • We do not contact people we have previously suppressed.
  • We do not share, sell, or rent contact data sourced for outreach.
  • We do not use covert tracking, fingerprinting, or any technique that records personal data beyond aggregate engagement metrics per campaign.

What we collect on this website

The data we collect on cyberguards.ai falls into three categories:

1. Information you submit voluntarily

If you contact us by email or use the calendar booking link, you provide your name, email address, and any context you choose to share about what you are looking for. If you book a scoping call through our calendar, the calendar provider (Google) handles the scheduling data per their terms.

2. Standard server-log information

Like most websites, our hosting provider (Cloudflare Pages) logs basic request information: IP address, user-agent, timestamp, requested URL, referrer. We use this for operational and security purposes only — diagnosing issues, detecting abuse, and complying with legal obligations.

3. Analytics

At present we do not run a third-party analytics script on the site, and we set no analytics cookies. We may add privacy-respecting, aggregate analytics later (planned via Cloudflare). If we do, we will update this policy first, will not share the data with advertising networks, and will add a consent mechanism before any consent-requiring cookie is set.

What we do not collect

  • We do not run advertising trackers, ad networks, or ad-targeting cookies.
  • We do not sell or rent user data to anyone, ever.
  • We do not enrich website visitor data with third-party datasets to build profiles.
  • We do not run social-media tracking pixels (Meta, LinkedIn, X, etc.).

Why we collect what we do

  • To respond to your inquiries. If you email or book a call, we use the information you provide to talk with you about whether we are a good fit for what you are trying to do.
  • To operate the website securely. Server logs and security telemetry let us run the site, fix bugs, and prevent abuse.
  • To improve the content. If we add aggregate analytics later, it would tell us which guides and service pages are useful so we can prioritize keeping them up to date.

When we share data

We do not sell or rent personal data. We share data only with:

  • Service providers we rely on to operate the site — Cloudflare (hosting and DNS), Google (calendar booking), and our email provider (general inbox). These providers process data on our behalf under their own published terms.
  • Legal requirements. If we receive a valid legal request (subpoena, court order), we comply only with the specific scope of the request and notify you when permitted by law.

How long we keep data

  • Inbound emails: retained as part of business correspondence; archived within seven years per typical business-records practice.
  • Server logs: retained at the hosting provider for diagnostic purposes per their documented retention; typically 30–90 days for operational logs.
  • Analytics data: none currently collected. If analytics is added later, this section will state the retention window before it goes live.
  • Outreach campaign engagement data: retained for the active campaign window plus 12 months for performance analysis, then deleted.
  • Suppression list (unsubscribes): retained indefinitely so we never accidentally re-contact an address that opted out.

Your rights

If you are in a jurisdiction with privacy rights (including California under CCPA/CPRA, EU/UK under GDPR, or any U.S. state with comparable rights), you have the right to:

  • Know what personal information we hold about you.
  • Request a copy of that information.
  • Request correction or deletion.
  • Opt out of analytics on this website (decline cookies in the banner).
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email [email protected]. We respond to verified requests within 30 days.

Children's privacy

This website is not directed at children under 13, and we do not knowingly collect information from children. If you believe a child has submitted information, contact us and we will delete it.

Changes to this policy

We update this policy when our practices change or when applicable law changes. Material changes are reflected by updating the "Last updated" date at the top. Continued use of the website after a policy update constitutes acceptance of the updated terms.

Contact

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.