Privacy Policy
Last updated: June 21, 2026
Privacy at a Glance
| What We Collect | Why | Legal Basis |
|---|---|---|
| Name and email | Account provisioning and training delivery | Contract performance (Art. 6(1)(b)) |
| Training completion data | Progress tracking and compliance reporting | Legitimate interest (Art. 6(1)(f)) |
| Quiz scores and simulation results | Knowledge assessment and risk scoring | Legitimate interest (Art. 6(1)(f)) |
| Website analytics | Service improvement and marketing | Consent (Art. 6(1)(a)) |
| Support communications | Customer service and issue resolution | Contract performance (Art. 6(1)(b)) |
1. Introduction
At RansomLeak, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our security awareness training platform. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. Please read this privacy policy carefully.
2. Legal Bases for Processing
We process your personal data based on the following legal grounds:
- Legitimate Interest: To deliver security awareness training services and improve our platform
- Contractual Necessity: To provide the services you have subscribed to and fulfill our obligations under our Terms of Service
- Consent: For marketing communications and optional features, where you have given explicit consent
- Legal Obligation: To comply with applicable laws, regulations, and legal processes
3. Information We Collect
We may collect information about you in a variety of ways. The information we may collect includes:
- Personal Data: Name, email address, company name, job title, and organizational role
- Training Data: Course progress, completion rates, quiz scores, and time spent on modules
- Technical Data: IP address, browser type, operating system, and device information
- Usage Data: Pages visited, features used, and interaction patterns within our platform
4. How We Use Your Information
We use the information we collect in the following ways:
- To provide and maintain our security awareness training services
- To personalize training content and improve user experience
- To track progress and generate training reports for your organization
- To communicate with you about your account and our services
- To comply with legal obligations and protect our rights
5. Data Security
We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
- Encryption at Rest: All data stored in our systems is encrypted using AES-256 encryption
- Encryption in Transit: All data transmitted is protected using TLS 1.3 encryption with HTTPS-only enforcement
- Network Security: Our infrastructure uses VPC isolation, security groups, and AWS GuardDuty for threat detection
- Access Controls: We implement role-based access control (RBAC) with the principle of least privilege
- Monitoring & Auditing: Continuous security monitoring through CloudWatch logging and CloudTrail API audit logging
For detailed technical security measures, see our Security & Compliance page.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Specific Retention Periods:
- Training Records: Retained for the duration of your subscription plus a reasonable period thereafter
- Application Logs: 1 year (CloudWatch)
- API Audit Logs: 5 years (CloudTrail, Glacier after 90 days)
- Database Backups: Encrypted backups are retained for 30 days for disaster recovery
Account Deletion:
When you request account deletion, we delete your personal information from our production database immediately. However, your data may remain in encrypted database backups for up to 30 days for disaster recovery purposes, after which it is automatically deleted.
You may request deletion of your personal data at any time by contacting privacy@ransomleak.com.
7. Your Data Protection Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right to Access: You have the right to request a copy of your personal information.
- Right to Rectification: You can update inaccurate personal information through your account settings.
- Right to Erasure: You may request deletion of your personal information.
- Right to Restrict Processing: You can request that we restrict the processing of your personal data.
- Right to Data Portability: You can download your training data through your account dashboard.
- Right to Object: You can object to our processing of your personal data based on legitimate interests.
- Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time.
All data subject requests are processed within 30 days, in compliance with GDPR requirements.
8. International Data Transfers
Your personal data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for these transfers:
- EU-U.S. Data Privacy Framework: We comply with the EU-U.S. Data Privacy Framework for transfers from the European Union
- Standard Contractual Clauses: Where applicable, we use SCCs approved by the European Commission
- Data Processing Locations: Our services are hosted on AWS infrastructure in the US (us-east-1, N. Virginia) in secure, SOC 2 compliant data centers
9. Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected individuals without undue delay if the breach is likely to result in a high risk
- Provide clear information about the nature of the breach, potential consequences, and measures taken
- Implement immediate remediation measures to secure affected systems
10. Supervisory Authority & Complaints
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The relevant authorities include:
- United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk
- European Union: Your local Data Protection Authority (DPA) in your EU member state
Please contact us at privacy@ransomleak.com before escalating to a supervisory authority.
11. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell
- Right to Delete: You have the right to request deletion of your personal information
- Right to Opt-Out: You have the right to opt out of the sale of your personal information. We do not sell your personal information.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights
To exercise these rights, please email privacy@ransomleak.com. We will verify your identity and respond within 45 days.
12. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our platform.
Types of Cookies We Use:
- Essential Cookies: Required for the platform to function properly. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our website.
- Functional Cookies: Enable enhanced functionality and personalization.
You can manage your cookie preferences through our cookie consent banner or your browser settings.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes.
14. Google User Data and Limited Use
RansomLeak Reporter, our Google Workspace™ add-on, requests limited access to your Gmail™ account so you can report suspected phishing messages to your security team. When you report a message, the add-on reads only the identifier of that message (the RFC 5322 Message-ID) together with your email address and the time of the report, and sends them to RansomLeak. It never reads message bodies, attachments, or recipient lists.
RansomLeak’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
For more information, see the Google API Services User Data Policy.
We do not use Google user data for advertising, and we do not sell it or transfer it to third parties except as necessary to provide the reporting feature you requested, to comply with applicable law, or as part of a merger or acquisition. We do not allow humans to read this data unless we have your consent for specific messages, it is necessary for security purposes, or to comply with applicable law.
Google Workspace and Gmail are trademarks of Google LLC. RansomLeak is an independent product and is not affiliated with, or endorsed by, Google LLC.
15. Microsoft Teams App
The RansomLeak Security Awareness Training app for Microsoft Teams delivers your assigned training as a private message in Teams. When your administrator connects the app — a one-time, admin-consented setup — RansomLeak uses your Microsoft identity (your Azure AD / Microsoft Entra user identity and your organization’s tenant ID) solely to send you one-to-one notifications through the Microsoft Bot Framework.
The app is notification-only. It never reads your messages, attachments, mailbox, or channel and group conversations, and it never posts to channels. Notifications are sent only to you (1:1), relate solely to training your organization has already assigned, and never ask you to enter information inside the chat.
We do not use Microsoft identity data for advertising, and we do not sell it or transfer it to third parties except as necessary to deliver the notifications you have been assigned, to comply with applicable law, or as part of a merger or acquisition. Training itself is completed in the RansomLeak web player; this app only delivers the reminder. You or your administrator can disconnect the app at any time to stop all notifications.
Microsoft, Microsoft Teams, and Microsoft Entra are trademarks of the Microsoft group of companies. RansomLeak is an independent product and is not affiliated with, or endorsed by, Microsoft.
16. Contact Us
If you have questions or comments about this Privacy Policy, or wish to exercise your data protection rights, please contact us at:
RansomLeak OÜ
Registry code: 17362016 · VAT: EE102958115
Privacy & Data Protection:
Email: privacy@ransomleak.com
Address: Lasnamäe linnaosa, Sepapaja tn 6, 15551 Tallinn, Estonia
Frequently Asked Questions
What personal data does RansomLeak collect?
We collect the minimum data needed to deliver training: name, email address, and organizational role for account provisioning. The platform records training completion status, quiz scores, simulation performance metrics, and time spent on exercises.
Our website uses analytics cookies with your consent. We do not collect sensitive personal data or sell any personal information to third parties.
How can I request deletion of my personal data?
Email privacy@ransomleak.com or contact your organization's administrator. Under GDPR Article 17, we process erasure requests within 30 days and provide written confirmation.
Data is removed from production databases immediately, with encrypted backups purged within 30 days. Identity verification is required to protect against unauthorized deletion requests.
Does RansomLeak transfer data outside the European Economic Area?
Our infrastructure runs on AWS in the US (us-east-1, N. Virginia) region. For data transfers from the EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the EU-U.S. Data Privacy Framework.
Transfer impact assessments are conducted for each sub-processor. All sub-processors are listed in our Data Processing Agreement, available to customers upon request.