Legal
Privacy Policy
Overview
Cyberyami HRM(“we”, “us”) provides a Human Risk Management platform for organisations. This page summarises how we collect, use, and safeguard data on behalf of you and your team.
Note: this is a placeholder. The final privacy policy will be reviewed by counsel before launch and will replace this content.
Data we collect
- Account data: name, work email, organisation name, password (stored as a bcrypt hash, never plaintext).
- Product telemetry: simulation events (open, click, submit), training enrollments and completions, risk scores.
- Operational logs: IP address, user agent, request timestamps — used for rate limiting and abuse detection. Retained 90 days.
How we use it
- To run phishing simulations and training campaigns you configure.
- To compute per-user, per-team, and per-org risk scores.
- To send transactional emails (verification codes, training reminders, alerts).
- To improve the product — aggregated, never sold to third parties.
Your rights (GDPR / CCPA)
- Request a copy of your personal data.
- Request correction or deletion (right to erasure).
- Object to specific processing activities.
- Lodge a complaint with your local data-protection authority.
Email support@cyberyami.com to exercise any of the above. We respond within 30 days.
Data retention
- Active account data: until deletion + 30-day grace period.
- Audit logs: 1 year hot, then archived; retained for 7 years for compliance.
- Drafts and temporary uploads: 7 days and 24 hours respectively.
Security
All data is encrypted in transit (TLS 1.2+) and at rest. Tenant data is isolated per organisation; Enterprise customers can opt into a dedicated database. Secrets are encrypted with AES-256-GCM before being stored. Production access is restricted to a small operations team with mandatory MFA.
Contact
Questions about this policy? Email support@cyberyami.com.