Privacy policy
1. Who we are
modularCISO ("we", "us", "our") operates the website modularciso.com. We provide cybersecurity training and tools for security professionals.
For data protection inquiries, contact us at: privacy@modularciso.com
2. What data we collect
Account data (provided by you)
- Email address — Required for account creation, login, and password recovery
- Name — Required for personalization and community identity
- Company and role — Optional, used for content personalization
- Password — Stored as a PBKDF2-SHA256 hash with 100,000 iterations and unique salt. We never store your actual password.
OAuth data (if you use social login)
If you sign in with Google, GitHub, or LinkedIn, we receive your name, email address, and profile picture from the provider. We do not store access tokens or request ongoing access to your provider account.
Usage data (generated automatically)
- Learning progress — Which modules and lessons you've started, completed, and your quiz scores
- Session data — IP address, browser type, login times, and session identifiers for security monitoring
- Audit log — Records of login events, profile changes, and security-relevant actions. Retained for 12 months.
- Content attribution — A cryptographic representation of your unique user ID may be invisibly embedded into the curriculum text you view to deter unauthorized redistribution.
What we do NOT collect
- No tracking cookies or analytics scripts
- No advertising identifiers
- No browsing behavior outside our site
- No device fingerprinting
- No location data beyond IP-derived country
3. Why we process your data
- Account management — To create and maintain your account, authenticate you, and manage your subscription tier. (Legal basis: contract performance)
- Service delivery — To provide training content, track your progress, and save quiz results. (Legal basis: contract performance)
- Security & IP Protection — To protect your account from unauthorized access, detect abuse, embed attribution watermarks to prevent intellectual property theft, and maintain platform security. (Legal basis: legitimate interest)
- Communication — To send account verification emails, password reset links, and critical service notifications. (Legal basis: contract performance)
4. Who has access to your data
Infrastructure providers
- Cloudflare (USA, EU processing available) — Hosts our website, API, and database. Cloudflare processes data under their privacy policy and has a Data Processing Addendum (DPA) in place.
- Resend (USA) — Sends transactional emails (verification, password reset). Receives only your email address and name for this purpose.
We do not sell, rent, or share your personal data with any other third parties. We do not use your data for advertising or profiling purposes.
5. Where your data is stored
Your data is stored on Cloudflare's infrastructure with EU data processing configured. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Password hashes use PBKDF2-SHA256 with 100,000 iterations.
6. How long we keep your data
- Account data — Retained while your account is active. Accounts inactive for 24 months are scheduled for deletion.
- Session data — Sessions expire after 30 days. Expired sessions are purged automatically.
- Audit logs — Retained for 12 months, then deleted.
- Login attempt records — Retained for 90 days for security purposes.
- After account deletion — All data is permanently purged within 30 days of the deletion request (with a 7-day grace period to cancel).
7. Your rights under GDPR
As a data subject in the EU, you have the following rights:
- Right of access — Download all data we hold about you from your Privacy & Data page.
- Right to rectification — Update your profile information at any time from your Profile page.
- Right to erasure — Delete your account and all associated data from your Privacy & Data page.
- Right to data portability — Export your data in machine-readable JSON format.
- Right to restriction of processing — Contact us to restrict processing of your data.
- Right to object — Contact us to object to specific processing activities.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, use the self-service tools in your account settings or email privacy@modularciso.com.
8. Cookies
We use a single cookie:
- session — A session identifier used to keep you logged in. HttpOnly, Secure, SameSite=Strict. Expires after 30 days. This is a strictly necessary functional cookie and does not require consent under GDPR.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
9. Children
modularCISO is not directed at individuals under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to registered users and noted on this page with an updated "last updated" date. Continued use of the service after changes constitutes acceptance.
11. Contact
For privacy-related inquiries, data protection requests, or complaints:
Email: privacy@modularciso.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).