Privacy Policy
Last Updated: June 30th, 2026
Effective Date: June 30th, 2026
CyberHoot, LLC (“CyberHoot,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, and protect personal information in connection with our cybersecurity awareness training platform and related services (“Service”).
This Privacy Policy has two parts:
- Part A: Platform Data Processing (when you use CyberHoot through your employer OR when you create a free individual account)
- Part B: Website Visitor Data (when you visit our website directly)
Note: In Part A, there are different data processing roles depending on account type:
- Employer-sponsored accounts: Your employer is the Data Controller; CyberHoot is the Data Processor
- Free individual accounts: You are the Data Controller; CyberHoot processes data to provide the Service directly to you
For GDPR Standard Contractual Clauses, Data Processing Addendum terms, or international data transfer documentation, see our Terms of Service or contact dpo@cyberhoot.com.
Part A: Platform Data Processing
(For Administrators, Employees and Users Accessing Through an Employer)
1. Your Employer Controls Your Data
When you access CyberHoot through your employer or organization (“Customer”), your employer is the Data Controller and CyberHoot is the Data Processor. This means:
- Your employer determines what data is processed and why
- Your employer uploaded your information to provision your account
- Your employer receives training reports and compliance data
- CyberHoot processes your data solely as instructed by your employer
For questions about your data, training assignments, or to exercise data subject rights, contact your employer (typically HR or IT). We assist your employer in responding to requests but do not respond directly to individual employees unless legally required.
2. Data We Process on Behalf of Your Employer
User & Account Data:
- Names, work email, job title, department, role, organizational hierarchy
- Training completion records, quiz scores, phishing simulation results
- Policy acknowledgments and electronic signatures
- IP addresses, timestamps, device/browser information, session logs
Administrator Authentication Data:
- Login credentials (15+ character passwords, cryptographically hashed)
- Multi-factor authentication: email, phone numbers (SMS), authenticator apps, or passkey credentials (when supported)
- Administrative activity logs (logins, IP addresses, configuration changes, user provisioning)
Note: End users do NOT create accounts or passwords. They access training via secure magic links (unique per user/assignment, active until completion, then deactivated). Only administrators create accounts.
Dark Web Monitoring (if enabled):
- Email addresses, domains, redacted credential fragments (we do NOT store plaintext passwords)
Payment & Billing:
Billing contact information only. All payment processing (credit cards, financial accounts) is handled by third-party PCI-DSS processors (Stripe). We never see or store payment information.
Data We Do NOT Process: Social Security numbers, financial credentials, biometric data, health information, plaintext passwords
3. How We Use Your Data
We process your data solely as instructed by your employer for:
- Service delivery (training, phishing simulations, compliance reporting)
- Security and fraud prevention
- Platform improvement using aggregated, de-identified data (NOT individual data for AI/ML training without consent)
- Customer support and troubleshooting
- Legal compliance and protecting our rights
Communications: We send required service announcements and security alerts. Optional product updates or surveys require separate consent (opt out anytime).
We do NOT: Sell data, use it for targeted advertising, or share for third-party marketing.
4. Data Retention
Data is retained during your employer’s subscription plus 30 days for export. After 30 days, we may securely delete data unless legally required to retain it.
5. Subprocessors
We engage vetted subprocessors to deliver the Service. All subprocessors are contractually bound to equivalent data protection obligations.
A current list is available to administrators inside the CyberHoot platform for partner and client review. We provide 30 days’ advance notice for new subprocessors through the platform and direct communication, not by public posting. Your employer may object within 15 days by contacting dpo@cyberhoot.com. If we cannot provide an alternative, your employer may terminate without penalty.
6. International Data Transfers
CyberHoot’s primary platform data, including all personal data such as user records, training results, authentication data, and administrative information, is hosted and processed in the United States. CyberHoot uses Cloudflare’s content delivery network (CDN) to deliver platform assets including customer-uploaded images (logos). Cloudflare may cache such assets on servers located outside the United States as part of CDN operations. Cloudflare maintains its own GDPR-compliant data transfer mechanisms including Standard Contractual Clauses. For Customers subject to GDPR, UK GDPR, or Swiss data protection laws, CyberHoot’s Standard Contractual Clauses and transfer safeguards are available upon request. Contact dpo@cyberhoot.com to execute transfer documentation.
7. Security
We implement commercially-reasonable security controls including encryption in transit and at rest, MFA for administrators, intrusion detection, annual penetration testing, vulnerability scanning, and role-based access control. Full security commitments are detailed in our Terms of Service, Section 6.7.
Your employer is responsible for enabling MFA, maintaining strong passwords (15+ characters minimum), timely user provisioning/deprovisioning, and securing access devices.
8. Data Breach Notification
If a security incident results in unauthorized access to your data:
- We notify your employer without undue delay upon confirming the incident
- For EU/UK/Swiss data subjects: within 72 hours of confirmation
- For U.S. residents: within timeframes required by applicable state laws
- Your employer determines whether to notify you and regulators
9. Your Data Subject Rights
You may have rights to: access, correct, delete, restrict, port, or object to processing of your personal data, and lodge complaints with data protection authorities (under GDPR, UK GDPR, Swiss laws, CCPA/CPRA).
Exercising Rights: Contact your employer first. We assist your employer in responding within 30 calendar days. If your employer is unresponsive, contact dpo@cyberhoot.com with proof of identity.
Exception: Free Individual Accounts
If you created a free individual CyberHoot account (not through an employer or organization), YOU are the Data Controller of your account and CyberHoot processes your data to provide the Service directly to you. For free individual accounts:
- You control your own data and account
- You can exercise your data subject rights directly with CyberHoot
- Contact dpo@cyberhoot.com to access, correct, delete, restrict, port, or object to processing of your data
- We will respond within 30 calendar days
- You do not need to go through an employer
Marketing Communications for Free Accounts:
CyberHoot may send you product-related communications including:
- Service announcements and feature updates
- Upgrade offers to paid plans
- Cybersecurity awareness educational content
- Training best practices and tips
Legal Basis (GDPR): Legitimate business interest in providing product information to our users. You may opt out of promotional communications at any time using the unsubscribe link in emails or by contacting dpo@cyberhoot.com. Service-critical communications (security alerts, account notifications, terms changes) cannot be opted out of while your account is active.
This exception does NOT apply if your account was provisioned by an employer, organization, school, or MSP partner. Those accounts remain subject to the employer control provisions above.
Part B: Website Visitor Data
(For Prospective Customers Visiting CyberHoot.com)
When you visit our website or request product information, CyberHoot is the Data Controller. You can exercise rights directly with us.
1. Data We Collect
- Contact Information: Name, email, company, phone, job title (from contact forms, demo requests, newsletter signups)
- Website Analytics: IP address, browser type, device info, pages visited, time on site, referral source (via cookies and analytics tools)
- Demo & Sales Data: Company size, security needs, budget/timeline, meeting notes, CRM records
2. Cookies and Tracking Technologies
Our website uses cookies and tracking technologies for: (a) essential functionality required to operate the website; (b) analytics to understand visitor behavior and improve content; and (c) personalization. Non-essential cookies require your consent under applicable law. You may manage cookie preferences through your browser settings or our cookie consent tool. Blocking essential cookies may impair website functionality. For EU and UK visitors, we rely on your consent for non-essential cookies as required by the ePrivacy Directive. Under CCPA/CPRA, you have the right to opt out of the sale or sharing of personal information collected through tracking technologies.
3. How We Use This Data
- Sales & Business Development: Responding to inquiries, scheduling demos, managing sales pipeline
- Marketing: Sending newsletters, product updates, event invitations (with consent – unsubscribe anytime)
- Website Improvement: Analyzing visitor behavior to improve content and experience
Legal Basis (GDPR): Legitimate business interest (sales), consent (marketing emails), contract performance (demo fulfillment)
4. Sharing
We share website data with service providers (email platforms, CRM, analytics, webinar tools) bound by confidentiality. We do NOT sell your information.
5. Your Rights
- Access, correct, delete your data
- Unsubscribe from marketing emails (link in every email)
- Opt out of cookies via browser settings
- Withdraw consent at any time where processing is based on consent; withdrawal does not affect prior lawful processing
- California residents: no penalty or pricing difference for exercising CCPA rights
- Contact us: dpo@cyberhoot.com
We respond within 30 calendar days. You may also lodge a complaint with your data protection authority.
General Provisions
1. Children and Minors
We do not knowingly collect personal data from children under 13 (US/COPPA) or under 16 (EU/UK/GDPR and Canada) without verifiable parental or guardian consent. For users between 13 and 16 in GDPR jurisdictions, CyberHoot requires that the employer or organization (as Data Controller) obtain and document appropriate parental consent before provisioning the user’s account.
2. PIPEDA and Australian Privacy Act Acknowledgement
CyberHoot acknowledges its obligations under additional applicable data protection laws where our services are used, including the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the Australian Privacy Act 1988. Customers in these jurisdictions may contact dpo@cyberhoot.com for jurisdiction-specific documentation or representations.
3. AI and Machine Learning
We do not use individual Customer Data to train AI/ML models without Customer consent. We may use aggregated, anonymized usage patterns for platform improvements. Customers may not use the Service or its outputs to train AI/ML models without our express written consent.
4. Changes to This Policy
We may update this Privacy Policy from time to time. The current version will be posted at https://cyberhoot.com/privacy-policy/. For material changes affecting data processing practices, we will notify affected parties via email or in-platform notification.
5. Contact Us
CyberHoot is evaluating its obligations under GDPR Article 27 regarding appointment of an EU or UK representative. Customers in the EU or UK with data protection inquiries may contact our Data Protection Officer directly at dpo@cyberhoot.com pending designation of a formal representative.
- Data Protection Officer: dpo@cyberhoot.com
- General Support: support@cyberhoot.com
- Phone: +1 (603) 793-1382
- Mail: CyberHoot, LLC, 21 Mary Batchelder Rd., Hampton, NH 03842, USA
We respond within 30 calendar days.
Last Reviewed and Approved: June 30th, 2026
