Privacy Policy
Effective May 18, 2026
Grayman Protection ("we," "us," "our") teaches and consults on personal privacy and digital sovereignty. We hold ourselves to the same standard we teach: collect the minimum, retain it briefly, protect it seriously, and never sell it. This policy explains what we collect, why, how long we keep it, and the choices you have.
1. Our Privacy Principles
- Minimization. We ask for the least information necessary to deliver a service.
- No sale, no rental. We never sell, rent, or trade personal information.
- No surveillance ads. We do not run behavioral advertising or share data with ad networks.
- Short retention. We delete what we no longer need.
- Encryption in transit and at rest. Sensitive consulting communications are handled accordingly.
2. Information We Collect
Information you provide: name, email address, and any details you share when you contact us, register for a webinar, subscribe to the newsletter, purchase a course, or book a consultation.
Consulting intake: clients may share threat models, exposure inventories, or other sensitive context. This data is treated as confidential client material, stored separately, and retained only as long as the engagement requires.
Automatic information: standard server logs (IP address, user agent, timestamp, referring URL) used for security, abuse prevention, and aggregate traffic analysis. We do not build advertising profiles from these logs.
Cookies: only first-party, essential cookies for session state and authenticated areas. We do not use third-party tracking cookies.
3. How We Use Information
- Deliver the service, course, or consultation you requested.
- Send transactional messages (confirmations, receipts, briefings you subscribed to).
- Respond to inquiries.
- Protect the site and our clients from abuse, fraud, or attack.
- Meet legal, accounting, and tax obligations.
We do not use your information to train third-party AI models or for any purpose unrelated to the service you came here for.
4. Legal Basis (GDPR / UK GDPR)
Where applicable, we rely on the following lawful bases: performance of a contract (delivering a service you purchased), consent (newsletter, optional communications), legitimate interests (site security, fraud prevention), and legal obligation (tax, accounting, lawful requests).
5. Sharing of Information
We share personal information only with the limited service providers required to operate the business: payment processing, email delivery, hosting, and (where you have engaged us) the specific tools required to complete the consulting work. These vendors are bound by contract to use your data only to provide the service to us.
We do not share personal information with, or sell it to, marketers, data brokers, or advertising networks.
We may disclose information when required by valid legal process. When legally permitted, we will notify the affected individual before responding, and we will challenge requests that are overbroad, defective, or inconsistent with applicable law.
6. Data Retention
- Newsletter subscribers: retained until you unsubscribe.
- Contact / inquiry messages: up to 24 months, then deleted.
- Course enrollments and receipts: retained as required by tax and accounting law (typically 7 years).
- Consulting client files: retained for the engagement and a defined post-engagement window agreed in writing, then securely destroyed.
- Server logs: 90 days, then aggregated or deleted.
7. Security
We use encryption in transit (TLS) and at rest for stored personal information, scoped access controls, multi-factor authentication on administrative accounts, and least-privilege vendor relationships. No system is perfectly secure; if a breach affecting your information occurs, we will notify you and the appropriate authorities as required by law.
8. Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion ("right to be forgotten").
- Restrict or object to certain processing.
- Request a portable copy of your information.
- Withdraw consent at any time, without affecting prior processing.
- Lodge a complaint with your data protection authority.
To exercise any of these rights, reach us through our contact form. We respond within 30 days.
9. Children
Our services are for adults. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.
10. International Transfers
We may process information in jurisdictions outside your country of residence. Where required, we use Standard Contractual Clauses or equivalent safeguards.
11. Changes to This Policy
We will update this policy as the business evolves. Material changes will be announced on this page with a revised effective date and, where appropriate, by direct notice to registered users.
12. Contact
Grayman Protection — Privacy Office
Send us a message
