Legal

Privacy Policy

Last updated: 29 April 2026 · Effective date: 1 May 2026

Applies to: CyberLetics Lite SaaS Platform and the CyberLetics Device Agent

Plain-language summary: CyberLetics collects only what it needs to operate a cybersecurity dashboard for your organisation. We store your account details, device telemetry sent by the agent installed on your machines, and usage logs. We do not sell data, run ads, or share information with third parties beyond the infrastructure services required to run the platform. Indian users have full rights under the Digital Personal Data Protection Act, 2023 (DPDPA).

1 Who We Are

CyberLetics ("we", "our", "us") is a cybersecurity software-as-a-service platform designed for Indian small and medium enterprises (SMEs). We are the Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 for all personal data processed through our platform.

Data Fiduciary Contact

Email: team@cyberletics.com

Platform: cyberleticss.netlify.app

Jurisdiction: India

2 Data We Collect

2.1 Account & Organisation Data

When you sign up, we collect:

  • Full name and email address
  • Organisation name and GST number (optional — used for DPDPA compliance scoring)
  • Password (stored as a bcrypt hash — never in plain text)
  • Role within the organisation (OWNER, ADMIN, or VIEWER)
  • Subscription plan and trial status

2.2 Usage & Operational Data

We automatically collect:

  • Login timestamps and session metadata
  • API request logs (IP address, endpoint path, HTTP status code, response time) — retained 30 days
  • Error events sent to Sentry (anonymised stack traces — no personal data)
  • Security score history and compliance status changes

2.3 Team & Invitation Data

When you invite team members, we temporarily store their email addresses and invitation tokens (valid for 48 hours). Uninvited tokens are automatically deleted.

3 Device Agent Data

The CyberLetics Device Agent is a lightweight program installed by your IT administrator on company-owned devices. It periodically sends a telemetry report to our API. The agent only runs on devices you explicitly enrol.

Data field What it is Purpose
hostnameDevice computer nameDevice identification
ipAddressLocal network IP addressNetwork monitoring
macAddressNetwork interface MAC addressUnique device fingerprint
os / osVersionOperating system and versionPatch compliance tracking
deviceTypeWorkstation, Server, or LaptopInventory categorisation
antivirusInstalledWhether antivirus software is presentEndpoint security score
firewallEnabledWhether the host firewall is activeEndpoint security score
diskEncryptedWhether full-disk encryption is enabledData protection score
pendingUpdatesCountNumber of OS updates waiting to installPatch management
lastPatchedDate of last successful OS updatePatch compliance tracking

The agent communicates using a SHA-256 hashed API key stored in C:\ProgramData\CyberLetics\config.json (Windows) or /etc/cyberletics/config.json (Linux/macOS). The raw API key is never stored on our servers.

3.1 File Scan Data

If your administrator configures file scanning, the agent can submit file hashes (not file contents) to the VirusTotal API for malware detection. We do not upload actual files; only cryptographic hashes (SHA-256) are transmitted. VirusTotal's own privacy policy governs that interaction.

3.2 Security Alert Data

The agent may send security event alerts (e.g., unauthorised login attempt, port scan detection) via a webhook. These alerts contain a title, description, severity level, and timestamp. No personal employee data is included in these payloads.

4 How We Use Your Data

  • To create and manage your organisation account and team memberships
  • To display your device inventory, security alerts, and compliance dashboard
  • To calculate your Security Score and DPDPA 2023 compliance status
  • To send transactional emails: account verification, password reset, alert escalations, weekly security digests, and report download notifications
  • To cross-reference your device software against the NIST National Vulnerability Database (NVD) for known CVEs
  • To detect and prevent fraud, abuse, and unauthorised access
  • To improve the platform using aggregated, anonymised usage patterns
We never: sell your data, use your data for advertising, share individual data with third parties beyond operational necessity, or use your device telemetry for any purpose other than powering your own security dashboard.

5 Legal Basis for Processing

Under the DPDPA 2023, we process personal data on the following bases:

  • Consent — you provide consent at account creation and when enrolling devices.
  • Contractual necessity — processing is required to deliver the services you have subscribed to.
  • Legitimate use — operational security (fraud prevention, uptime monitoring, error tracking).
  • Legal obligation — compliance with applicable Indian law, including responding to lawful government requests.

You may withdraw consent at any time by requesting account deletion (see Section 10).

6 Data Retention

Data type Retention period
Account & organisation dataUntil account deletion + 30 days
Device telemetry recordsUntil device is removed from organisation
Security alerts12 months (rolling)
API request logs30 days
Refresh tokens7 days (auto-purged daily)
Team invitation tokens48 hours (auto-purged)
Generated reports (PDF)90 days
Error/crash traces (Sentry)30 days

Account deletion removes all personal data from active systems within 30 days. Backup copies are purged within 90 days of account closure.

7 Data Storage & Security

Your data is stored in a PostgreSQL database hosted by Supabase on AWS in the ap-south-1 (Mumbai) region, keeping your data within India.

  • All data in transit is encrypted with TLS 1.3
  • Database connections use SSL and are scoped to the CyberLetics API server only
  • Passwords are hashed with bcrypt (cost factor 12) — never stored in plain text
  • API keys are stored as SHA-256 hashes — the raw key is shown once at creation and never stored
  • Access tokens (JWT) expire after 15 minutes; refresh tokens expire after 7 days
  • Database access is restricted to the API server and authorised engineering staff with MFA

Despite these measures, no method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.

8 Third-Party Services

We use the following sub-processors to operate the platform. We share only the minimum data necessary for each service to function.

Service Purpose Data shared
Supabase / AWS (Mumbai) PostgreSQL database hosting All stored platform data
Render Node.js API server hosting API request payloads in transit
Netlify Static frontend hosting (HTML/CSS/JS) Browser IP (CDN logs only)
Resend Transactional email delivery Recipient email address, email content
Sentry Error monitoring & crash reporting Anonymised stack traces (no personal data)
Razorpay Payment processing & subscription billing Order amount, currency, plan tier. No card numbers are stored by CyberLetics.
Google Safe Browsing URL threat detection in Website Scanner Scanned URL only (no user identity or org data)
VirusTotal (Google) File hash malware scanning File SHA-256 hashes only (no file content)
NIST NVD API CVE vulnerability data feed No personal data — read-only public API

Each of these providers maintains its own privacy policy and data processing agreements. We have entered into Data Processing Agreements (DPAs) with all sub-processors that handle personal data.

9 Cookies & Session Tokens

CyberLetics uses a minimal number of browser storage mechanisms:

  • HTTP-only Secure Cookie (refresh token)

    A single HTTP-only, Secure, SameSite=Strict cookie stores your 7-day refresh token. It cannot be accessed by JavaScript. This is the only cookie we set.

  • sessionStorage (access token + user profile)

    A short-lived JWT access token (expires in 15 minutes) and your basic profile (name, email, role) are stored in sessionStorage. This data is automatically cleared when you close the browser tab.

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookie services.

10 Your Rights Under DPDPA 2023

As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access

Request a summary of the personal data we hold about you and how it has been processed.

Right to Correction

Request correction of inaccurate or incomplete personal data, including your name and email.

Right to Erasure

Request deletion of your account and all associated personal data. Processed within 30 days.

Right to Grievance Redressal

File a complaint with our Grievance Officer (see Section 13) and receive a response within 48 hours.

Right to Nominate

Nominate another individual to exercise these rights on your behalf in the event of death or incapacity.

Right to Withdraw Consent

Withdraw consent at any time. This will result in account closure and data deletion.

To exercise any of these rights, contact us via the Contact page or email team@cyberletics.com. We will respond within 72 hours.

11 Children's Privacy

CyberLetics is a business-to-business platform intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a child's data has been submitted, we will delete it promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all organisation owners for material changes
  • Require re-acknowledgement of the policy on next login for significant changes

Continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.

13 Contact & Grievance Officer

For privacy questions, data requests, or to file a grievance under DPDPA 2023, please contact our Grievance Officer:

Grievance OfficerCyberLetics Privacy Team
Response SLA72 hours for all privacy requests