⚡ Cyber Wed

Privacy Policy

Last Updated: June 3, 2025

Effective Date: June 3, 2025

This Privacy Policy describes how [Company Name] ("we," "us," or "our") collects, uses, and discloses information when you use the Cyber Wed platform ("Service"), accessible at [yourdomain.com].

By using the Service, you agree to the collection and use of information in accordance with this policy.


1. Information We Collect

1.1 Information You Provide

When you register or authenticate, we collect:

  • Name — your display name as provided by your identity provider
  • Email address — used as your account identifier and for transactional communications
  • Organization / tenant information — associated with your Microsoft account

We do not collect passwords. Authentication is handled entirely by Microsoft Entra External ID.

1.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Log data — IP addresses, browser type, pages visited, timestamps
  • Device information — operating system, browser version
  • Usage data — features accessed, session duration

2. Cookies and Session Technology

We use strictly necessary cookies only. These cookies are essential for the Service to function and cannot be disabled.

| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
| authjs.session-token | Maintains your authenticated session (JWT) | 24 hours | Auth.js (first-party) |
| authjs.csrf-token | Prevents cross-site request forgery attacks | Session | Auth.js (first-party) |
| authjs.callback-url | Remembers where to redirect after sign-in | Session | Auth.js (first-party) |

No analytics cookies, advertising cookies, or tracking pixels are used. Because these cookies are strictly necessary for security and authentication, no cookie consent banner is required under GDPR and ePrivacy regulations.


3. Third-Party Services

3.1 Microsoft Entra External ID

We use Microsoft Entra External ID (formerly Azure AD B2C) to authenticate users. When you sign in:

  • Microsoft processes your name, email address, and tenant/organization ID
  • An OpenID Connect token is issued to establish your session
  • Microsoft may collect and retain data according to their own privacy practices

Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement

We do not receive or store your Microsoft password. We receive only the profile claims included in your ID token (name, email, unique identifier).

3.2 Stripe

We use Stripe to process subscription payments and add-on service purchases. When you initiate a checkout:

  • You are redirected to a Stripe-hosted payment page
  • Stripe collects and processes your payment card details directly
  • We receive only a Stripe Customer ID and subscription status — we never see or store your full card number
  • Stripe is certified as a PCI DSS Level 1 Service Provider, the highest level of payment security certification

Stripe Privacy Policy: https://stripe.com/privacy

All transactions are conducted in Test Mode during the beta period. No real charges are processed.


4. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Service — authenticate your identity and display your dashboard
  • Process transactions — manage subscription billing through Stripe
  • Send transactional communications — account confirmations, billing receipts, security alerts
  • Improve the Service — analyze usage patterns to fix bugs and enhance features
  • Comply with legal obligations — respond to lawful requests from government authorities

We do not sell, rent, or share your personal information with third parties for marketing purposes.


5. Data Retention

| Data Type | Retention Period |
|---|---|
| Account information (name, email) | Duration of your account + 90 days after deletion |
| Session tokens | 24 hours |
| Payment records | 7 years (legal/tax requirement) |
| Server logs | 30 days |


6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate data
  • Deletion — request that we delete your account and associated data
  • Portability — receive your data in a machine-readable format
  • Restriction — request that we limit how we process your data
  • Objection — object to certain types of processing

To exercise any of these rights, contact us at legal@[yourdomain].com. We will respond within 30 days.

California Residents (CCPA): You have additional rights, including the right to know, delete, and opt out of sale. We do not sell personal information.


7. Security

We implement industry-standard security measures including:

  • TLS/HTTPS encryption for all data in transit
  • JWT-based session tokens with 24-hour expiration
  • CSRF protection on all authenticated endpoints
  • Stripe PCI-DSS Level 1 compliance for payment processing
  • Microsoft Entra External ID OIDC/PKCE authentication flow

8. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact us immediately.


9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated "Last Updated" date. For significant changes, we will provide additional notice (e.g., email notification).


10. Contact Us

If you have questions about this Privacy Policy or our data practices:

[Company Name]
Email: legal@[yourdomain].com
Address: [Company Address]
Jurisdiction: [State/Country]