Privacy Policy
MySecurity Scores (“we”, “us”, “our”) is committed to protecting your privacy and personal data. This comprehensive Privacy Policy details how we manage, collect, use, and safeguard your personal information in compliance with global data protection regulations, including the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws as of February 2026.
This policy applies to all users of MySecurity Scores, including visitors to our website, users of our free and paid security assessment tools, and participants in our educational programs. We process personal data as both a controller (determining purposes and means of processing) and, in limited cases, as a processor on behalf of our enterprise customers.
1. What Data We Collect
We collect personal data only when necessary to provide our services, comply with legal obligations, or pursue legitimate business interests. The categories of data we collect include:
1.1 User Identity and Contact Information
When you create an account or interact with our platform, we collect:
- Account Registration Data: Full name, email address, organization name (if applicable), phone number (optional), job title, and other information you voluntarily provide during registration.
- Professional Information: Details about your role, industry, organization size, and security responsibilities, used to tailor assessment recommendations.
- Contact Preferences: Your preferences for communication frequency, channels (email, SMS), and types of content you wish to receive.
1.2 Security Assessment Data
For our security assessment tools to function, we collect:
- Domain/Website Information: Domain names, public IP addresses, and websites you submit for security scanning. This information is used solely to conduct the assessment and is not used for any purpose beyond your request.
- Assessment Results: Findings from vulnerability scans, configuration reviews, and compliance checks you authorize on your systems or properties.
- Configuration Details: Non-sensitive technical information about your infrastructure, including server types, software versions, SSL certificate details, and DNS configuration (all publicly discoverable information).
- Assessment History: Records of previous assessments, scores, and remediation progress, allowing you to track improvements over time.
1.3 Usage and Interaction Data
We automatically collect information about how you interact with our platform:
- Website Analytics: Pages visited, time spent on each page, click patterns, and user flow through the platform.
- Device Information: Device type (mobile, tablet, desktop), operating system, browser type and version, and device identifiers.
- Network Information: IP address, ISP information, and geographic location (derived from IP address, not precise location).
- Log Data: Access logs, error logs, and system logs that record interactions with our platform for security and troubleshooting purposes.
- Session Data: Session IDs, login timestamps, logout timestamps, and session duration to maintain security and provide audit trails.
1.4 Cookies and Similar Technologies
We use cookies, web beacons, and similar tracking technologies to collect data about your browsing behavior. Detailed information is provided in section 3.
1.5 Communication Data
When you contact us through email, contact forms, chat, or support tickets, we collect:
- The content of your messages and attachments
- Communication metadata (date, time, sender, recipient)
- Any personal data you include in your message
1.6 Payment Information
For users who subscribe to premium services, we collect payment information through our payment processor (Stripe). We do not directly collect or store credit card information. Our payment processor handles all credit card data according to PCI DSS standards.
2. How We Use Your Data
We process personal data based on the following legal grounds: (1) contract performance, (2) legal obligation, (3) legitimate interests, and (4) user consent. Specific uses of your data include:
2.1 Providing Security Assessment Services
- Conducting automated and manual security scans of domains and systems you authorize
- Analyzing assessment data to generate security scores and reports
- Providing personalized recommendations for vulnerability remediation
- Tracking your security improvement progress over time
- Delivering assessment reports and detailed findings
2.2 Service Improvement and Optimization
- Analyzing aggregated usage data to improve platform functionality and user experience
- Identifying and fixing bugs, performance issues, and security vulnerabilities
- Developing new features based on user feedback and usage patterns
- Testing new tools and improvements before deployment
- Conducting research on cybersecurity threats and trends
2.3 Communication and Account Management
- Sending service updates, system maintenance notifications, and security alerts
- Responding to your inquiries and support requests
- Notifying you of changes to our terms, privacy policy, or services
- Sending account-related information (password resets, login alerts, billing notices)
- Providing educational content and cybersecurity insights (with your consent)
2.4 Legal Compliance and Protection
- Complying with legal obligations, court orders, and government requests
- Enforcing our Terms of Service and other agreements
- Detecting, preventing, and addressing fraud, abuse, and security incidents
- Maintaining audit trails for regulatory compliance (GDPR) and for audit and certification frameworks we follow (SOC 2, ISO 27001)
- Protecting the rights, property, and safety of MySecurity Scores, our users, and the public
2.5 Marketing and Analytics (With Consent)
- Sending marketing emails about new features, guides, and industry insights (only with your opt-in consent)
- Analyzing user behavior to improve marketing effectiveness
- Conducting surveys and gathering user feedback
- Creating anonymized, aggregated reports about security trends and industry benchmarks
3. Cookies and Tracking Policy
Cookies are small text files stored on your device that help us provide, improve, and secure our services. You can control cookie settings through your browser, and most browsers allow you to refuse cookies or alert you when cookies are being sent. However, blocking certain cookies may impact your ability to use our platform effectively.
3.1 Strictly Necessary Cookies
These cookies are essential for the platform to function and cannot be disabled:
- Session ID Cookie: Maintains your login session and user authentication (expires after 24 hours of inactivity)
- Security Token Cookie: Prevents cross-site request forgery (CSRF) attacks
- Preference Cookie: Remembers your language and accessibility preferences
- Cookie Consent Cookie: Records your cookie preferences (persists for 1 year)
3.2 Performance and Analytics Cookies
These optional cookies help us understand how users interact with our platform:
- Google Analytics Cookies (ID: G-SV8LBXML45): Track user behavior, page views, and engagement metrics. Data is pseudonymized and reported to us only in aggregate. Set by Google LLC and persists for 2 years. You can opt out through our cookie consent tool or by installing the Google Analytics Opt-out Browser Add-on.
- Custom Analytics Cookies: Track specific user journeys to identify popular features and improve user experience. Persist for 90 days.
- Performance Timing Cookies: Record page load times and performance metrics to identify optimization opportunities. Persist for 30 days.
3.3 Advertising Cookies (Third-Party)
We use Google AdSense to display relevant advertisements. Google and its partners may place cookies on your device:
- Google AdSense Cookies: Used to select and display ads relevant to your interests. Google maintains detailed information about cookie usage at https://policies.google.com/technologies/cookies.
- Third-Party Ad Network Cookies: Other advertising partners may place cookies to serve interest-based ads. You can manage these through Your Ad Choices.
3.4 Third-Party Integrations
Some external services integrated into our platform may set cookies:
- Google Fonts: Used to serve optimized fonts. Google's font service may collect limited usage data.
- YouTube (if embedded): May set tracking cookies if you interact with embedded videos.
4. Data Sharing and Security
4.1 Data We Do NOT Share
MySecurity Scores takes user privacy seriously. We do not sell, rent, lease, or trade your personal information to third parties for marketing purposes, and we do not build advertising profiles from your data ourselves. Interest-based ads served through Google AdSense are governed by Google's own policies and your ad-cookie choices, as described in section 3.3.
4.2 Limited Data Sharing with Service Providers
We may share personal data with carefully vetted third-party service providers who assist us in operating our platform and conducting our business, but only to the extent necessary and under strict data processing agreements (Data Processing Addendums):
- Cloud Hosting Providers: Amazon Web Services (AWS) and other cloud infrastructure providers host our platform and user data. All data is encrypted in transit and at rest.
- Payment Processors: Stripe handles payment processing for premium subscriptions. Stripe is PCI DSS compliant, and we never receive or store your full card number.
- Analytics Services: Google Analytics provides aggregated usage insights. Data is pseudonymized and governed by Google's data processing terms.
- Email Delivery Services: SendGrid or similar services may transmit your email address to deliver transactional emails on our behalf. They do not use this data for marketing.
- Customer Support Tools: Zendesk or similar platforms may store support conversations. Only support staff access this data.
- Legal and Compliance Services: We may share data with legal counsel and compliance consultants as necessary to meet legal obligations.
4.3 Data Sharing in Other Circumstances
We may disclose personal data without your consent in the following circumstances:
- Legal Requirement: We are required by law, court order, or government request to disclose information (we will notify you unless legally prohibited).
- Law Enforcement: We may share information with law enforcement to prevent or investigate illegal activities.
- Business Transfer: In the event of a merger, acquisition, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction. You will be notified of any change in ownership.
- Protecting Rights: We may disclose information necessary to protect the legal rights, privacy, safety, or property of MySecurity Scores, users, or the public.
- Aggregate Data: We may share anonymized, aggregated data about security trends, vulnerability statistics, and industry benchmarks without any identifying information.
4.4 International Data Transfers
Our servers are located in the United States, and your personal data is processed and stored there. If you are located in the European Union or other jurisdiction outside the United States:
- We rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
- Where an adequacy decision covers transfers from your jurisdiction to the United States, we rely on it and comply with its requirements.
- We maintain technical and organizational security measures equivalent to those required in your jurisdiction.
- You have the right to obtain information about the specific safeguards in place by contacting us.
4.5 Data Security Measures
MySecurity Scores implements comprehensive technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction:
Technical Security
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3, the current industry-standard protocol. Certificates are issued by reputable Certificate Authorities and are monitored for validity and expiry.
- Encryption at Rest: Sensitive data stored in our databases is encrypted using AES-256, a standard approved for protecting classified government information.
- Access Control: Database access is restricted to authorized personnel only through multi-factor authentication. Access logs are maintained and regularly audited.
- Intrusion Detection: We deploy intrusion detection and prevention systems to monitor for unauthorized access attempts and malicious activity.
- Firewalls and Network Segmentation: Our systems are protected by enterprise-grade firewalls and internal network segmentation to prevent lateral movement of attackers.
- Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scans identify and remediate security weaknesses.
Organizational Security
- Data Minimization: We collect only the minimum data necessary to provide our services.
- Purpose Limitation: Data is used only for the purposes disclosed in this policy.
- Staff Training: Employees receive regular data protection and information security training.
- Confidentiality Agreements: All staff members sign confidentiality agreements prohibiting unauthorized disclosure.
- Incident Response Plan: We maintain a documented incident response plan and will notify affected users within 72 hours of becoming aware of any data breach affecting their personal information. (GDPR Article 33 requires notifying the supervisory authority within 72 hours; Article 34 requires notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights.)
- Audit Trail: We maintain detailed logs of who accesses personal data, when, and for what purpose.
4.6 Data Retention Policy
We retain personal data for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: Personal information for active accounts is retained for the duration of your account and 30 days after account deletion (to recover deleted accounts if requested).
- Assessment Results: Historical assessment data is retained for 2 years after your account deletion or last activity, then securely deleted.
- Support Communications: Support tickets and communications are retained for 1 year after resolution for reference purposes, then securely deleted.
- Log Data: Server logs and access logs are retained for 90 days for security and troubleshooting, then automatically deleted.
- Legal Hold: Data subject to legal proceedings or investigations is retained until legal requirements are satisfied.
- Backup Data: Deleted data may persist in backup systems for up to 90 days. You can request expedited deletion of backups; standard backup cycles will eventually purge the data.
5. Your User Rights (GDPR, CCPA, LGPD)
Depending on your location, you have rights regarding your personal data. MySecurity Scores honors these rights for all users, regardless of location:
5.1 Right to Access (GDPR Article 15, CCPA Section 1798.100)
Your Right: You have the right to obtain confirmation of whether we process your personal data and, if so, a copy of that data together with information about the purposes of processing, the recipients, and the retention period (a “data subject access request”).
How to Request: Submit a written request to privacy@mysecurityscores.com with the subject line “Data Access Request.” Include your full name, email address, and account ID (if applicable). We will verify your identity and provide your data within 30 days (GDPR) or 45 days (CCPA).
Response Format: We will provide a comprehensive report including all personal data we process about you, including: email address, account information, assessment history, usage logs, communication records, and any other data we store.
5.2 Right to Rectification (GDPR Article 16)
Your Right: You have the right to request correction of inaccurate or incomplete personal data.
How to Request: You can update your profile information directly through your account settings. For other data you believe is inaccurate, contact privacy@mysecurityscores.com with details about the inaccuracy and the correct information.
Our Response: We will correct inaccurate data within 5 business days and confirm the correction in writing.
5.3 Right to Erasure / “Right to be Forgotten” (GDPR Article 17, CCPA Section 1798.105)
Your Right: You have the right to request deletion of your personal data in certain circumstances (e.g., data is no longer necessary for its purpose, you withdraw consent, data was collected unlawfully).
Exceptions: We may retain data when: (1) necessary to comply with legal obligations, (2) necessary to establish or defend legal claims, (3) necessary for historical or statistical purposes, or (4) data is anonymized.
How to Request: Submit a written request to privacy@mysecurityscores.com with the subject line “Deletion Request.” Include your full name, email address, and specific data you want deleted.
Our Response: We will delete your requested data within 30 days and confirm deletion in writing. Assessment data, logs, and backups may take up to 90 days to be fully purged from all systems.
Account Deletion: You can also request complete account deletion, which will remove all associated personal data (subject to the exceptions listed above).
5.4 Right to Restrict Processing (GDPR Article 18)
Your Right: You have the right to request restriction of how we process your data while we verify accuracy, lawfulness, or other issues.
Effect: We will continue to store your data but will limit processing to storage only, except where necessary for legal reasons or with your consent.
How to Request: Contact privacy@mysecurityscores.com with the subject line “Restrict Processing Request.” Specify which processing activities you want restricted.
5.5 Right to Data Portability (GDPR Article 20, CCPA Section 1798.100)
Your Right: You have the right to obtain and reuse your personal data across different services in a machine-readable format.
Format: We will provide your data in a commonly used, portable format such as CSV or JSON, suitable for import into other systems.
How to Request: Submit a written request to privacy@mysecurityscores.com with the subject line “Data Portability Request.” Specify the data you want (all data or specific categories).
Our Response: We will provide your data in machine-readable format within 30 days at no cost.
5.6 Right to Object (GDPR Article 21, CCPA Section 1798.120)
Your Right: You have the right to object to processing of your personal data for legitimate interests, marketing, or profiling purposes.
Marketing Emails: All marketing emails include an unsubscribe link. Click it to instantly opt out of marketing communications.
Legitimate Interests: For other processing, contact privacy@mysecurityscores.com. We will evaluate your objection and cease processing unless we have compelling legitimate interests.
Cookies: You can manage or disable cookies through your browser settings or our cookie consent tool.
5.7 Right to Withdraw Consent
Your Right: For any processing based on your consent, you have the right to withdraw consent at any time without penalty.
Effect: Withdrawal of consent does not affect processing that occurred before withdrawal.
How to Withdraw: Contact privacy@mysecurityscores.com or use the opt-out options provided in emails and account settings.
5.8 Right to Lodge a Complaint
Your Right: If you believe we have violated your data protection rights, you have the right to lodge a complaint with your local data protection authority.
EU: Contact your national Data Protection Authority (list available at https://edpb.ec.europa.eu/)
California: Contact the California Privacy Protection Agency (CPPA) or the California Attorney General's office
Brazil: Contact the National Data Protection Authority (ANPD)
5.9 Processing Your Requests
To process any data rights request:
- Submit a written request to privacy@mysecurityscores.com (email preferred for record-keeping)
- Include your full name, email address, and account ID (if applicable)
- Clearly specify which right you're exercising
- We will verify your identity before processing
- We will respond within 30 days (may be extended to 90 days for complex requests)
- There is no cost unless the request is manifestly unfounded or excessive
- We will confirm completion of your request in writing
6. Children's Privacy
MySecurity Scores does not knowingly collect personal data from children under the age of 13 (or the applicable age of digital consent in your jurisdiction). Our services are designed for adults and organizations. If we become aware that we have collected data from a child, we will delete it immediately and notify the child's parent or guardian.
For children aged 13-18, we provide educational content about cybersecurity. Parents or guardians can review what data we collect about their children and request deletion by contacting privacy@mysecurityscores.com.
7. Third-Party Links and Services
Our website may contain links to third-party websites and services not controlled by MySecurity Scores. This Privacy Policy applies only to MySecurity Scores. We are not responsible for the privacy practices of third-party sites. We recommend reviewing their privacy policies before providing personal information.
Third-party services integrated into our platform (such as Google Fonts, analytics providers, and ad networks) have their own privacy policies. Their use of your data is governed by their policies, not this policy.
8. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes by:
- Posting the updated policy on this page with an updated “Last Updated” date
- Sending an email notification to users with accounts (for significant changes)
- Requiring explicit consent to continued use of the platform (for material changes affecting your rights)
Your continued use of MySecurity Scores after changes take effect constitutes your acceptance of the updated policy.
9. Contact Us About Privacy
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
MySecurity Scores Privacy Officer
Email: privacy@mysecurityscores.com
Mailing Address: Data Protection Officer, MySecurity Scores, [Corporate Address]
Response Time: We aim to respond to all privacy inquiries within 10 business days
Questions or Concerns About Your Data?
We believe in complete transparency and genuine user control. Whether you want to access your data, request deletion, or simply have questions, our privacy team is here to help.
Last Updated: February 2026 | Policy Version: 2.1