Privacy Policy for CybersecTools

Last Updated: March 16, 2026

CybersecTools is operated by Mandos Cyber, a company registered in the Netherlands (KVK: 97994448, VAT: NL005301434B12, registered address: 124, 1230 AC, Loosdrecht, Netherlands).

We value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection laws.

1. INFORMATION WE COLLECT

1.1 Account Information
When you create an account, we collect:
- Name
- Email address

1.2 Professional Profile (Optional)
When signing up for paid services or completing your profile, we may collect: job title/role, company name, company size, country, and intended use case. This data helps us understand our user base and improve the platform. It is never shared with third parties.

1.3 LinkedIn Verification (Optional)
When you connect LinkedIn for verification, we collect: name, email, profile picture, email verification status, and locale. Connecting LinkedIn marks your account as "verified". We do NOT collect work history, connections, or endorsements.

1.4 Authentication Cookies
We use essential cookies to:
- Keep you logged in
- Maintain your session
- Ensure platform security
- Remember your preferences

1.5 Usage Analytics (Plausible Analytics)
We use Plausible Analytics, a GDPR-compliant, privacy-friendly analytics tool that does NOT use cookies. Plausible collects anonymous, aggregated data including:
- Page views and visit duration
- Referral sources
- General geographic location (country level only)
- Device type and browser information
- No personal information or identifying data

All analytics data is anonymous and cannot be used to identify individual visitors.

1.6 Payment Information
ALL payment processing is handled exclusively by Stripe. We DO NOT store, access, or process your credit card, bank account, or payment information. We only receive transaction confirmation data.

1.7 Vendor Contact Information (Lead Capture)
When you voluntarily choose to contact a vendor through our Platform, we collect and share: name, business email, phone number, company details, job title, location, and optional message. This sharing only occurs when you fill out the contact form, check the consent box, and submit. The vendor receives your information via email.

1.8 MCP Data Access Service
When you sign up for our MCP (Model Context Protocol) Data Access Service, we collect and store:
- API access key (stored as a cryptographic hash; we cannot retrieve your original key)
- Selected subscription plan and billing interval
- Credit balance and usage history
- MCP usage logs: tool names called, timestamps, credits consumed, and query parameters
- Subscription status and payment history (via Stripe)

MCP usage logs are retained for billing verification, abuse prevention, and service improvement. Query parameters are logged to detect misuse patterns; they are not shared with third parties.

1.9 Search Analytics
We track search queries made on the Platform for the sole purpose of improving search functionality and understanding market trends. Search queries are fully anonymous: they are NOT linked to any user account, IP address, or session. We cannot identify who performed any given search.

1.10 User-Submitted Content
- Reviews, comments, and feedback you submit
- Tool submissions and edits from vendors
- Communication through contact forms

1.11 Automatically Collected Information
- IP address (for security purposes only)
- Browser type and version
- Operating system
- Access times and pages visited

2. HOW WE USE YOUR DATA

We use collected data to:
- Provide and maintain the Platform
- Manage your account and authentication
- Process subscriptions and payments (via Stripe)
- Manage MCP Data Access subscriptions, credit billing, and usage tracking
- Facilitate vendor contact requests (when you choose to contact vendors)
- Improve user experience, search functionality, and Platform features
- Analyze Platform usage and performance (using anonymous, aggregated data)
- Monitor MCP usage for abuse prevention and Terms of Service enforcement
- Communicate with you about your account
- Prevent fraud and ensure security
- Comply with legal obligations

2.1 Legal Basis (GDPR)
We process your data based on:
- Contractual necessity (to provide our services)
- Legitimate interests (platform improvement, security)
- Your consent (where applicable)
- Legal obligations (compliance requirements)

3. DATA SHARING AND DISCLOSURE

3.1 We DO NOT sell, rent, or trade your personal data.

3.2 We share data only with:
- Stripe (payment processing) - https://stripe.com/privacy
- Plausible Analytics (anonymous usage) - https://plausible.io/data-policy
- LinkedIn (optional verification) - https://www.linkedin.com/legal/privacy-policy
- Vendors/tool providers (only when you explicitly request contact via lead capture)

3.3 We may disclose data when required by law or to:
- Comply with legal processes
- Protect our rights and property
- Prevent fraud or security threats
- Protect user safety

4. DATA STORAGE AND SECURITY

4.1 Data Storage:
- Data is stored on secure servers in the European Union
- Plausible Analytics data is hosted in EU data centers
- We implement industry-standard security measures

4.2 Security Measures:
- Encrypted passwords
- Secure HTTPS connections
- Regular security audits
- Access controls and authentication

4.3 Data Retention:
- Account data: Retained while your account is active
- MCP usage logs: Retained for 24 months for billing verification and abuse prevention
- MCP API keys: Retained (hashed) while subscription is active; revoked upon cancellation
- Search query data: Retained indefinitely (anonymous, aggregate data with no personal identifiers)
- Lead capture data: Processed and transmitted to vendors immediately; we retain records for compliance purposes (12 months)
- Analytics data: Retained for 24 months (aggregated, anonymous)
- Backup data: Retained for disaster recovery purposes
- Deleted data: Permanently removed within 90 days of deletion request

5. YOUR GDPR RIGHTS

As a data subject under GDPR, you have the right to:

5.1 Access: Request a copy of your personal data
5.2 Rectification: Correct inaccurate or incomplete data
5.3 Erasure ("Right to be Forgotten"): Request deletion of your data
5.4 Restriction: Limit how we process your data
5.5 Data Portability: Receive your data in a structured format
5.6 Object: Object to processing based on legitimate interests
5.7 Withdraw Consent: Withdraw consent at any time (where applicable)
5.8 Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us via: https://cybersectools.com/contact

6. COOKIES POLICY

6.1 Essential Cookies (Required):
- Authentication and session management
- Security and fraud prevention
- These cookies are necessary for Platform functionality

6.2 Analytics (Optional - No Cookies Used):
- Plausible Analytics does NOT use cookies
- All analytics data is anonymous and aggregated
- No tracking across websites

6.3 Managing Cookies:
You can manage cookies through your browser settings. Disabling essential cookies may affect Platform functionality.

7. THIRD-PARTY SERVICES

7.1 Vendor Lead Capture:
When you contact a vendor, you provide explicit consent to share your information. The vendor becomes an independent data controller and is responsible for their own privacy practices. We transmit the information via email and are not responsible for how vendors handle your data thereafter.

7.2 External Links:
Our Platform may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies.

8. CHILDREN'S PRIVACY

Our Platform is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

9. INTERNATIONAL DATA TRANSFERS

9.1 EU Data Protection:
- Data is primarily stored and processed in the EU
- We comply with GDPR for all international transfers
- Adequate safeguards are in place for non-EU transfers

9.2 Standard Contractual Clauses:
Where necessary, we use Standard Contractual Clauses approved by the European Commission.

10. AI TECHNOLOGY NOTICE

We use artificial intelligence technology from Anthropic and other providers for certain Platform features (such as search, recommendations, and operational purposes).

10.1 MCP Data Access Service
Our MCP Service provides structured data to AI assistants and applications via the Model Context Protocol. When you use the MCP Service:
- Your AI assistant sends queries to our API; we process the query and return cybersecurity market data
- We do NOT process, store, or have access to your AI assistant's conversation history
- We do NOT train AI models on your queries or usage patterns
- Data returned through the MCP Service is factual market intelligence, not AI-generated advice

IMPORTANT: We do NOT use AI to process your personal information or personal data. AI is only used for non-personal Platform functionality.

11. DATA BREACH NOTIFICATION

In the event of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours
- Report to relevant data protection authorities as required by GDPR
- Take immediate action to mitigate the breach

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated "Last Updated" date. Continued use of the Platform after changes constitutes acceptance of the updated policy.

13. CONTACT US

For privacy-related questions, to exercise your GDPR rights, or to file a complaint:

Mandos Cyber
Website: https://cybersectools.com
Contact Form: https://cybersectools.com/contact
Terms of Service: https://cybersectools.com/tos

Company Registration:
KVK Number: 97994448
VAT Number: NL005301434B12
Registered Address: 124, 1230 AC, Loosdrecht, Netherlands

Data Protection Inquiries: Use the contact form with "Privacy Request" in the subject line.

14. THIRD-PARTY SERVICE DETAILS

For detailed privacy policies of our third-party services:
- Stripe Payment Processing: https://stripe.com/privacy
- Plausible Analytics (cookieless, GDPR-compliant): https://plausible.io/data-policy
- LinkedIn Verification: https://www.linkedin.com/legal/privacy-policy