Privacy Policy

How I protect your personal information and respect your privacy rights

Last Updated: 20.06.2025
Operated by: Devon Waller
Sole Proprietorship

Sole Proprietorship Notice

CyberGapAudit is operated as a sole proprietorship. This means I personally handle all data processing activities and am directly responsible for protecting your privacy and security.

Devon Waller
Cybersecurity Professional & CyberGapAudit Operator
  • email us
  • Monday–Friday, 9:00 AM – 5:00 PM CET

Sole Proprietorship • Personal Data Protection Commitment

Introduction

Welcome to CyberGapAudit, a cybersecurity gap analysis platform designed to help organizations assess their cybersecurity posture against industry frameworks. This Privacy Policy explains how Devon Waller, operating as CyberGapAudit (“I,” “me,” “my,” or “CyberGapAudit”), collects, uses, processes, and protects your personal information when you use my website, platform, and services.

I am committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy applies to all users of my services, including visitors to my website, registered users, and customers who purchase my assessment services.

This Privacy Policy is designed to comply with applicable data protection laws, including the EU GDPR, California Consumer Privacy Act (CCPA), and Swiss FADP. I regularly review and update this policy to ensure continued compliance.

Information I Collect

I collect personal information that you voluntarily provide to me when you use my services. As a sole proprietorship, I personally handle all data collection and processing activities.

  • Personal Information You Provide
    Name, email, company, billing details when you register, purchase, or contact me.
  • Information Collected Automatically
    IP address, browser/device metadata, pages viewed, and session identifiers via cookies and analytics.
  • Information from Third Parties
    Authentication providers (Supabase), payment processors (Stripe), and email deliverability providers (Resend).

How I Use Your Information

I use your personal information primarily to provide, maintain, and improve my cybersecurity assessment services.

  • Primary Service Delivery
    Run assessments, generate reports, and deliver purchased outputs.
  • Platform Improvement and Analytics
    Aggregate usage metrics to improve quality and reliability.
  • Legal and Compliance Purposes
    Invoicing, tax obligations, fraud prevention, and regulatory compliance.
  • Marketing and Communications
    Transactional emails always; marketing only with explicit opt-in.

Data Storage & Security

As a cybersecurity professional, I implement multiple layers of security to protect your personal information. Your data is stored securely using enterprise-grade cloud infrastructure.

  • Data Storage Infrastructure
    Supabase (PostgreSQL) in EU region for user data; Stripe for payment tokens (PCI DSS Level 1).
  • Security Measures
    TLS in transit, AES-256 at rest, row-level security, least-privilege access, 2FA for admin accounts.
  • Data Backup and Recovery
    Daily encrypted backups with 30-day retention and tested recovery procedures.
  • Third-Party Security
    Vendors reviewed for SOC 2 / ISO 27001 attestation and GDPR-compliant data processing agreements.

Data Sharing & Disclosure

I do not sell, rent, or trade your personal information to third parties for their marketing purposes.

  • General Principles
    Minimum necessary, contract-bound processing only.
  • Service Providers
    Supabase, Stripe, Resend, Sentry — all under DPAs.
  • Legal Requirements
    Court order, regulator request, or safety of persons.
  • Business Transfers
    Merger or acquisition with notice and equivalent protections.
  • Consent-Based Sharing
    Only with your explicit opt-in.
  • Aggregated and Anonymized Data
    Non-identifiable statistics for research and marketing.

Data Retention

I retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce my agreements.

  • Account Information
    Active account lifetime + 2 years.
  • Assessment Data
    7 years for professional liability recordkeeping.
  • Payment Information
    Held by Stripe per their retention schedule; I retain receipts for 10 years (CH tax law).
  • Website Usage Data
    Aggregated analytics up to 26 months.
  • Communication Records
    Support emails retained 3 years.
  • Legal Hold
    Extended retention during active legal matters.
  • Secure Deletion
    Verified erasure from primary and backup systems on request.

Your Rights & Choices

You have several rights regarding your personal information. As a sole proprietorship, I personally handle all privacy rights requests and am committed to responding promptly and thoroughly.

  • Access Rights
    Request a copy of the personal data I hold about you.
  • Correction and Update Rights
    Request correction of inaccurate or incomplete data.
  • Deletion Rights (Right to be Forgotten)
    Request deletion subject to legal retention obligations.
  • Data Portability
    Receive your data in a structured, machine-readable format.
  • Objection and Restriction Rights
    Object to processing or request temporary restriction.
  • Consent Withdrawal
    Withdraw marketing consent at any time.
  • Cookie Controls
    Manage preferences via in-site cookie banner or browser settings.
  • Complaint Rights
    Lodge a complaint with your data protection authority.

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or my data practices, please contact me directly.

Privacy Inquiries
email us
Data Protection Authorities
  • Swiss Federal Data Protection Authority
  • European Data Protection Board
  • California Privacy Protection Agency

Cookies

CyberGapAudit uses only strictly necessary cookies for authentication, session management, and CSRF protection. No advertising, tracking, or third-party analytics cookies are loaded without consent.

  • Session cookies — issued by Supabase Auth on login; cleared on logout.
  • CSRF token — Next.js Server Action protection; per-request, not persisted.
  • Preference cookies — stored client-side only when you change theme or layout settings; never transmitted.

You can clear cookies anytime via your browser. Doing so will log you out and reset preferences.

Terms of Service

By using CyberGapAudit you agree that the assessment outputs are advisory in nature and do not constitute formal compliance certification or legal advice. The platform is provided “as is” under Swiss law. Disputes are resolved by the competent Swiss courts.

Subscription terms, refunds, and cancellation policies are set by the operator (sole proprietor Devon Waller). Email us for terms questions or to request the full Terms of Service document.