0. Who runs this
Syber ("Syber," "we," "us") is a Delaware C-Corporation. Syber is the data controller for everything described in this policy.
Reach us at team@syber.sh for any privacy question, request, or complaint.
1. Our principles
These are the rules we hold ourselves to. Everything below is a consequence of these:
- Minimum collection. We collect what's needed to deliver the service. Nothing speculative, nothing "in case it's useful later."
- Single-purpose use. Data collected for one purpose is not repurposed without telling you.
- No sale, no rent, no trade. Personal data is not a product we sell. Ever.
- No model training. We do not feed your data, your application's responses, or our findings into any third-party AI training pipeline.
- No silent sharing. Findings, logs, evidence, and engagement data stay between us and you, unless you ask us to share them or law compels it.
- Defense in depth. Encryption in transit, locked-down storage, secrets in vaults, hashes for tokens. We do this for ourselves the same way we'd do it for you.
- Tell you fast when something goes wrong. If your data is exposed, we notify within 72 hours of confirming the incident.
- Honor deletion. Ask us to delete what we have on you, and we delete it. Fully, not just "hidden from view."
2. What we collect, and why
2.1 Marketing site (syber.sh)
Hosted on Vercel. Vercel logs request metadata (IP, user agent, referrer, path) at the edge for abuse and reliability. We don't run third-party analytics, behavioral trackers, ad pixels, retargeting, or session-replay tools.
2.2 Scan request form
When you submit the scan form, we store:
- Email address you provided
- Site URL you want scanned + its derived registrable domain
- Optional notes you typed in
- IP and User-Agent at submission, for rate-limiting and abuse review
- SHA-256 hash of the verification token (the raw token only ever appears in the email link, never in the database)
- Timestamps for created, verified, and notified states
2.3 Calendly bookings
If you book through /contact, what you enter (name, email, optional notes) goes to Calendly under their privacy policy. We receive that data through their notification email; we don't replicate it elsewhere.
2.4 Email delivery
Verification and notification emails are sent through Resend, which processes the recipient address, subject, body, and standard delivery metadata as our sub-processor.
2.5 During paid engagements
While testing, our agents observe your application's responses. We grab the minimum evidence needed to reproduce a finding (typically request/response pairs and screenshots). We do not extract user data beyond the smallest proof; if our agents encounter sensitive values they redact in-place and flag them.
3. Lawful basis for processing
Under GDPR (EU/UK), CCPA/CPRA (California), and equivalent regimes, we rely on:
- Contract. Processing necessary to deliver a scan, assessment, or engagement you asked for.
- Legitimate interest. Rate-limit logs, abuse-prevention telemetry, and basic operational logging on syber.sh. Balanced against your privacy interests.
- Consent. Calendly bookings (you initiate it). We don't process anything else on the basis of consent because we don't do marketing.
- Legal obligation. Where a law requires us to retain or disclose specific records.
4. How we use what we collect
- Verify you control the email and site you're asking us to test
- Send transactional email about your request (verification, scheduling, findings)
- Detect and block abuse: automated submissions, scraping, enumeration
- Deliver the engagement you signed up for
- Meet legal, accounting, and tax obligations on paid engagements
That's the full list. We do not profile you, target you, or build a behavioral record of you across visits.
5. Sub-processors
The third parties we route data through, and why:
- Vercel Inc. (USA). Application hosting, edge CDN, edge logs.
- Supabase Inc. (USA). Postgres database. Access is service-role-only from our server; Row-Level Security denies all anonymous access.
- Resend (USA). Outbound transactional email. Our sending domain (syber.sh) is signed with SPF, DKIM, and DMARC.
- Calendly (USA). Meeting scheduling, only when you use that flow.
Each sub-processor has its own data-protection commitments and is engaged under terms compatible with this policy. If we add or replace a sub-processor we'll update this list.
6. International data transfers
Syber is a Delaware C-Corporation and our infrastructure and sub-processors are primarily based in the United States. If you are accessing the service from the EEA, the UK, or any jurisdiction outside the US, personal data is transferred to the United States. We rely on each provider's standard contractual clauses or equivalent safeguards for those transfers, and limit what crosses the border to what's required to deliver the service.
7. Retention
- Scan requests: up to 12 months from last status update, then deleted. Verified leads that turn into paid engagements roll into the engagement record.
- Rate-limit events: 7 days.
- Keep-alive pings: 30 days, automatically pruned.
- Engagement evidence: for the contracted period (typically 12 months post-engagement) and then purged. You can request earlier purge in writing.
- Invoices & tax records: retained as long as US tax law requires (typically up to 7 years).
- Email logs (Resend): retained per Resend's default retention.
8. Security
What we actually do, not just claim:
- HTTPS-only with HSTS preload and modern TLS.
- Database access from the server only, using a service-role key kept in environment variables. RLS on every public table denies all anonymous access.
- Verification tokens are 32-byte cryptographic random values; only their SHA-256 hash is stored. Tokens are single-use and expire in 30 minutes.
- Outbound mail is signed with SPF, DKIM, and DMARC under syber.sh.
- Application secrets live in Vercel environment variables. They are never bundled into client JavaScript.
- Internal access on a need-to-know basis. Founders and explicitly authorized engineers only. All access is logged.
- Engagement workspaces are isolated per customer. Your data does not bleed into another customer's view.
- Our own surface is monitored continuously by the same agents we sell.
9. Breach notification
If your personal data is exposed in a confirmed security incident, we will notify affected individuals within 72 hours of confirming the incident. The notice will tell you what was exposed, what we know about how it happened, what we're doing about it, and what (if anything) you should do.
10. Your rights
You can ask us to:
- Access: show you what we have on you
- Correct: fix something inaccurate
- Delete: purge your records (subject to legal retention obligations)
- Export: give you a portable copy of your data
- Object: object to specific processing (e.g. legitimate-interest uses)
- Restrict: pause processing while a dispute is being resolved
- Withdraw consent: for anything we processed on the basis of consent
- Authorized agent: designate someone to exercise these rights on your behalf, where local law permits
Email team@syber.sh from the address on file. We respond within 30 days. If we can't fully action a request (because of a legal hold or active engagement contract) we'll tell you why and what we can do.
11. Marketing & communications
We don't send unsolicited marketing email. We don't run ads. We don't operate retargeting pixels. The only emails we send unprompted are operational: security advisories or breaking changes that affect an active engagement. You can opt out of those in one click.
12. Automated processing & AI agents
Our service is built on autonomous agents. A few things to be clear about:
- Our agents make decisions about your application: what to test, what to file as a finding, what (when scoped) to attempt to fix. They do not make decisions about you as a person.
- We do not use automated decision-making to produce legal effects on individuals or to make significant decisions about them, in the sense of GDPR Article 22 or equivalent provisions.
- A human reviews findings and remediation suggestions before anything is shared outside our team.
- We do not feed your data, your application's responses, or our findings into any third-party AI training pipeline.
13. Engagement data
During paid engagements, evidence we collect is stored in a workspace scoped to that engagement. It is not commingled with other customers' evidence. On engagement close it is purged on the contracted schedule. If we encounter user data while testing (PII in error messages, accidentally exposed records, etc.) we log the location, redact in-place, and flag it as a finding rather than copying it out.
14. Children
The service is intended for businesses. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, contact us and we'll delete it.
15. Cookies
The marketing site does not set tracking cookies. The Calendly embed sets its own cookies under their domain when you interact with it. Your browser's standard cookie controls apply.
16. Changes to this policy
If we make a material change we'll bump the "Effective" date at the top and, where appropriate, notify users with active engagements directly. Routine clarifications happen without a notification.
17. Complaints
First, talk to us. Most issues resolve faster that way: team@syber.sh.
Syber · a Delaware C-Corporation · team@syber.sh