Privacy Policy
Last updated: March 15, 2026
1. Introduction
CISOAIA ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website cisoaia.com and use our services, including the CyRep application.
We comply with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP/DSG), and all applicable data protection legislation.
2. Data Controller
CISOAIA
Adrian Pojar
Reutlingerstrasse 18
8472 Seuzach, Switzerland
Email: privacy@cisoaia.com
3. Data We Collect
3.1 Data You Provide Directly
- Account registration: Email address, display name (optional), password (stored as a salted hash)
- Waitlist signup: Email address
- Contact forms: Name, email address, message content
- Support requests: Email address, message content, any attachments you choose to send
3.2 Data Collected Automatically
- Usage data: Quiz answers, scores, streaks, difficulty levels, topic progress (used to deliver the service)
- Device information: Device type, operating system, browser type and version
- Log data: IP address (anonymized after 30 days), access timestamps, referring URLs
3.3 Data We Do NOT Collect
- We do not use cookies for tracking or advertising purposes
- We do not collect biometric data
- We do not build advertising profiles
- We do not sell or share personal data with third parties for marketing purposes
4. Purpose and Legal Basis
We process your personal data for the following purposes:
- Service delivery (Art. 6(1)(b) GDPR — contract performance): To provide and improve the CyRep application, manage your account, and deliver quiz content
- Communication (Art. 6(1)(b) GDPR): To respond to your inquiries and provide support
- Waitlist management (Art. 6(1)(a) GDPR — consent): To notify you about launch updates when you sign up for our waitlist
- Security and fraud prevention (Art. 6(1)(f) GDPR — legitimate interest): To protect our services and users from security threats
- Legal compliance (Art. 6(1)(c) GDPR): To comply with applicable laws and regulations
5. Data Storage and Security
Your data is stored on servers located in Europe (EU/EEA and Switzerland). We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Regular security assessments and penetration testing
- Access controls based on the principle of least privilege
- Secure password storage using bcrypt with salting
- Regular backups with encrypted storage
6. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request
- Waitlist data: Retained until launch notification is sent or you unsubscribe, whichever comes first
- Log data: IP addresses anonymized after 30 days. Aggregated logs retained for up to 12 months
- Support correspondence: Retained for up to 3 years for quality and legal purposes
7. Your Rights
Under GDPR and Swiss data protection law, you have the following rights:
- Right of access (Art. 15 GDPR): Request a copy of your personal data
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate data
- Right to erasure (Art. 17 GDPR): Request deletion of your personal data
- Right to data portability (Art. 20 GDPR): Receive your data in a machine-readable format
- Right to restrict processing (Art. 18 GDPR): Request limitation of data processing
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time for consent-based processing
To exercise any of these rights, contact us at privacy@cisoaia.com. We will respond within 30 days.
8. Third-Party Services
We use the following third-party services, each selected for its privacy commitments:
- Hosting: Cloud infrastructure providers with EU data residency and appropriate data processing agreements
- Email delivery: Transactional email service for account-related communications only
- Analytics: Privacy-respecting analytics (no personal data collection, no cookies)
We do not use Google Analytics, Facebook Pixel, or any advertising-related tracking tools.
9. International Data Transfers
Your data is primarily processed in Switzerland and the EU/EEA. If data needs to be transferred outside these regions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.
10. Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@cisoaia.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our website. The "Last updated" date at the top indicates the latest revision.
12. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC):
FDPIC
Feldeggweg 1
3003 Bern, Switzerland
www.edoeb.admin.ch
13. Contact
For any questions regarding this Privacy Policy or your personal data, please contact us:
CISOAIA — Data Protection
Email: privacy@cisoaia.com
Address: Reutlingerstrasse 18, 8472 Seuzach, Switzerland