Privacy Policy

Last updated: Pending finalization

Draft template — not yet legal advice. This document is a starting template provided for completeness. It must be reviewed, customized, and approved by qualified legal counsel before it is relied upon.

1. Overview

This Privacy Policy explains how SecureAware ("we") processes personal data in connection with the SecureAware platform. We are committed to the principles of the EU General Data Protection Regulation (GDPR) and Algerian Law 18-07 on the protection of personal data.

2. Our roles: controller and processor

For data about our direct customers and website visitors (e.g. account and billing contacts, contact-form submissions), we act as a controller. For the personal data that a customer organization uploads or generates about its own employees (e.g. names, emails, departments, training results, simulation outcomes), we act as a processor on that organization's behalf, under our Data Processing Addendum.

3. Data we process

  • Account data: administrator name, email, organization details.
  • Employee data (on behalf of customers): name, work email, phone (for smishing), department, job title.
  • Activity & results: training progress, quiz scores, phishing/smishing open, click, and report events, risk scores.
  • Technical data: IP address, user agent, and audit logs used for security, rate limiting, and abuse prevention.
  • Billing data: handled by our payment processor; we store subscription status, not full card details.

4. Purposes and legal bases

We process personal data to provide and secure the Service, to administer subscriptions, to communicate transactional messages, and to comply with legal obligations. Legal bases include performance of a contract, our legitimate interests in operating and securing the platform, and consent where required. Where we act as a processor, the customer is responsible for establishing the legal basis for processing its employees' data.

5. Sub-processors

We rely on a limited set of sub-processors (e.g. hosting/infrastructure, email delivery, and payment processing). A current list is available on request and is governed by the Data Processing Addendum.

6. Retention

We retain personal data for as long as needed to provide the Service and to meet legal, accounting, or reporting requirements, after which it is deleted or anonymized. Customers can request erasure of an individual employee's data, which anonymizes the record while preserving aggregate, non-identifying statistics.

7. Security

We apply technical and organizational measures including encryption in transit, encryption of sensitive secrets at rest, role-based access control, tenant isolation, two-factor authentication for administrators, and audit logging.

8. Your rights

Subject to applicable law, individuals have rights to access, rectify, erase, restrict, and port their personal data, and to object to certain processing. Where we act as a processor, please direct such requests to the employing organization; we assist our customers in responding. To exercise rights for data we control, use our contact page.

9. International transfers

Where personal data is transferred across borders, we use appropriate safeguards consistent with GDPR and Law 18-07. Details of data location are available on request.

10. Contact

For privacy questions or to reach our data protection contact, please use our contact page.