Privacy Policy, without the theatre.
CYBRET AI is a security company. Earning the right to sit inside your environment starts here: with a privacy policy that is short enough to read, specific enough to argue with, and strict enough to defend.
1. Overview and scope
This Privacy Policy describes how CYBRET AI, Inc. ("CYBRET", "we", "us") collects and processes personal data when you visit cybret.ai, request a demo, receive marketing from us, or use the CYBRET platform as an administrator of a customer organisation.
It does not cover the security telemetry we process on behalf of our customers. That processing is governed by the Data Processing Agreement and the contract between CYBRET and the customer.
2. Controller and contact
CYBRET AI, Inc. is the data controller for the processing described in this policy. Our registered office is 2261 Market Street #4532, San Francisco, CA 94114, United States.
Our Data Protection Officer can be reached at privacy@cybret.ai. Our EU representative under Article 27 GDPR is GDPR Local Ltd., 1st Floor, Block A, Ardilaun Court, 112-114 St Stephen's Green, Dublin 2, Ireland.
3. Categories of personal data we collect
We collect only what we need to run a security company. Broadly:
4. Purposes and legal bases
We do not sell personal data. We do not use personal data to train any third-party AI model. We do not run behavioural advertising on this site.
5. Customer platform data
When your organisation subscribes to the CYBRET platform, we process security telemetry on your behalf. That data may incidentally contain personal data — for instance, IP addresses in a log line or usernames in a commit history.
For that processing, CYBRET is the processor and your employer is the controller. We process it strictly on documented instructions, under the terms of the Data Processing Agreement. We do not use it for our own purposes, we do not enrich it, and we do not train any model on it without written instruction.
6. Retention
7. Recipients and sub-processors
We share personal data only with vendors we need to run the business. The current list is published on our Trust Center and kept in sync with the contractual list in the DPA. We notify customers at least 30 days before adding or changing a sub-processor with access to customer data.
We also share data with professional advisors, auditors, and where legally compelled. We publish a transparency report every January summarising any binding government requests received the previous year.
8. International transfers
Our primary data region for corporate systems is the European Union (Frankfurt). Customer platform data stays in the region the customer selects — US-East, EU-Central, or AP-Southeast.
Where data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses (EU 2021/914), supplemented by organisational and technical measures including encryption in transit, encryption at rest, and customer-managed keys on Enterprise. A copy of the executed SCCs is available on request to privacy@cybret.ai.
9. Your rights
Under GDPR, UK GDPR and most comparable frameworks you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You can exercise any of these by emailing privacy@cybret.ai. We respond within 30 days and will never retaliate for a rights request.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with a supervisory authority — for most EU residents that will be the authority in the country where you live or work.
10. Security
Technical and organisational measures are described in full in Annex II of our DPA and summarised on the Trust Center. In short: single-tenant by default, encryption in transit (TLS 1.3) and at rest (AES-256), mandatory MFA for staff, short-lived JIT credentials for production. A SOC 2 audit is currently underway and an ISO 27001 Stage 2 audit is scheduled; the trust page tracks certification status.
11. California (CCPA / CPRA)
If you are a California resident, you have additional rights under the CCPA as amended by the CPRA — the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to non-discrimination. We do not sell or share (as those terms are defined under the CCPA) personal information.
12. Children
CYBRET is a B2B security platform. The services are not directed at anyone under 18 and we do not knowingly collect personal data from children.
13. Changes to this policy
We keep a public changelog at github.com/CYBRET-AI/legal. Material changes are announced by email to active customer admins at least 30 days before they take effect. The date at the top of this page always matches the currently effective version.