Privacy Policy

How CymBytes collects, uses, and protects personal data. Last updated May 28, 2026.

1. Who we are

CymBytes Technologies Private Limited (“CymBytes”, “we”, “us” or “our”) operates the CymBytes cyber range platform, the websites at cymbytes.com and its subdomains, and supporting APIs and services (collectively, the “Service”). This Privacy Policy explains how we handle personal data when you visit our websites, create an account, request a demo, or use the Service. It applies to data we control as the data controller / data fiduciary.

2. Personal data we collect

We collect personal data in the following categories:

  • Account and profile data: name, work email, organization, role, hashed authentication credentials, and identifiers issued by our identity provider (Clerk).
  • Sales and marketing data: information you submit through demo requests, contact forms, or email — including company, job title, and message content.
  • Usage and learning data: labs launched, scenarios attempted, scoring events, evidence submitted, AI tutor interactions, time on task, and feature usage telemetry.
  • Technical data: IP address, device and browser characteristics, log timestamps, and diagnostic events generated by our infrastructure and content delivery layer.
  • Lab content: commands run, files generated, and reports submitted inside the isolated lab environments allocated to you. This may contain personal data only if you choose to enter it.
  • Communications: messages you send to support, sales, or partner inboxes, including any attachments.

We do not intentionally collect special category data (such as biometric, health, or government ID numbers). Please do not submit such data through the Service.

3. How we use personal data

We use personal data to:

  • provide, operate, secure, and improve the Service;
  • provision lab environments and deliver the training, scoring, and analytics features you use;
  • authenticate users, prevent fraud, and detect abuse or violations of our Terms;
  • respond to demo requests, sales inquiries, and support tickets;
  • send service announcements, security notices, and — where permitted — product updates and educational content (you can unsubscribe at any time);
  • analyze aggregated usage to understand which labs and features are effective; and
  • comply with legal obligations, enforce our agreements, and protect our rights.

5. How we share personal data

We do not sell personal data. We share personal data only with the following categories of recipients and only for the purposes described in this policy:

  • Subprocessors: cloud hosting (Microsoft Azure), authentication (Clerk), AI providers that power features such as our lab assistant (Anthropic, DeepSeek), and other vendors engaged to deliver and support the Service. These vendors process personal data on our behalf under written contracts that require appropriate security and confidentiality. The current list is published at /subprocessors.
  • Your organization: if your account is associated with an organization, administrators and instructors of that organization may see your usage, scoring, and lab activity.
  • Professional advisors: auditors, accountants, and legal counsel under confidentiality obligations.
  • Legal and safety: regulators, law enforcement, or other parties when we are required by law, when necessary to enforce our Terms, or when reasonably necessary to protect the rights, property, or safety of CymBytes, our customers, or others.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, with appropriate confidentiality protections.

6. International transfers

CymBytes is headquartered in India and operates infrastructure in multiple regions. Your personal data may be processed in countries other than the one in which you are located. Where required, we put in place appropriate safeguards (such as contractual protections) for cross-border transfers in line with applicable data protection law.

7. Retention

We retain personal data for as long as needed to provide the Service, to meet the purposes described in this policy, and to comply with our legal obligations. Account data is retained for the life of your account and for a reasonable period afterward to handle disputes and meet recordkeeping requirements. Lab content tied to ephemeral environments is deleted on the cleanup schedule applicable to that environment. Aggregated, de-identified information may be retained indefinitely.

8. Security

We use administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit, role-based access controls, network segmentation, audit logging, and regular review of our security posture. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If you believe your account has been compromised, contact support@cymbytes.com immediately.

9. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent. To exercise any of these rights, email privacy@cymbytes.com. We will respond within the timeframe required by applicable law.

If your account was provisioned by an organization (for example, your employer or a learning provider), requests about your personal data should generally be directed to that organization. We will assist them in responding.

10. Cookies and similar technologies

We and our service providers use cookies, local storage, and similar technologies to keep you signed in, remember your preferences, secure the Service, and measure usage.

We group cookies into two categories:

  • Strictly necessary cookies: required for authentication, security, load balancing, and basic functionality. These cannot be disabled.
  • Analytics cookies: Google Analytics, configured with IP anonymization and Google Consent Mode v2. These only run after you grant consent. They help us understand which pages and features are used so we can improve the Service.

When you first visit the Service, you will see a cookie banner where you can accept all cookies, reject all non-essential cookies, or customize your choices. You can change your decision at any time using the “Cookie settings” link in our website footer. You can also control cookies through your browser settings; disabling certain cookies may affect functionality such as authentication. We do not currently respond to “Do Not Track” browser signals.

11. Children

The Service is intended for users aged 18 or older and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@cymbytes.com and we will take steps to delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date. If changes are material, we will provide additional notice (for example, by email or an in-app banner).

14. Contact us

For privacy questions or to exercise your rights, contact us at privacy@cymbytes.com. You may also write to CymBytes Technologies Private Limited, India. If you are not satisfied with our response, you may have the right to lodge a complaint with the data protection authority in your jurisdiction.