This Privacy & Data Handling Policy ("Policy") describes how Fighting Smart Cyber, LLC ("FSC," "we," "us," or "our") collects, uses, discloses, and protects information when you visit fightingsmartcyber.com, contact us, engage us for services, or use any FSC platform or training environment. It supplements our Terms & Conditions and Acceptable Use Policy.
For Services delivered under a signed Master Services Agreement, Statement of Work, Rules of Engagement, or a Data Processing Addendum, the data-handling terms in that agreement control to the extent they conflict with this Policy.
Contents
- Who We Are and Our Role
- Information We Collect
- How We Use Information
- Legal Bases for Processing
- How We Share Information
- Service Providers and Subprocessors
- Cookies and Analytics
- Client Data & Assessment Findings
- Data Security
- Data Retention
- Your Privacy Rights
- International Transfers
- Children's Privacy
- Government & Classified Engagements
- Changes to This Policy
- Contact Us
1. Who We Are and Our Role
FSC is a Service-Disabled Veteran-Owned Small Business (SDVOSB) headquartered in the United States. We provide cybersecurity advisory, training, assessments, and platforms to government, defense industrial base, critical infrastructure, and commercial clients.
For information we collect through our public website, contact form, marketing communications, and account/billing interactions, FSC acts as a data controller (or "business" under U.S. state privacy laws). For Client data we process to deliver Services under a signed agreement, FSC typically acts as a data processor (or "service provider") on behalf of the Client.
2. Information We Collect
We collect the following categories of information:
2.1 Information You Provide
- Contact & engagement details: name, business email, organization, role/title, organization type, area of interest, timeframe, and the contents of messages you send through our contact form or by email.
- Account & portal data: credentials, profile information, and preferences for platforms, the client portal, and training environments.
- Billing & payment data: billing contact, billing address, tax IDs, and payment method. Card and ACH details are collected and stored by our payment processor (Stripe); we do not store full payment card numbers on FSC systems.
- Engagement materials: documents, scoping information, network diagrams, and credentials you share with us to perform Services.
2.2 Information Collected Automatically
- Usage data: pages visited, referring URL, approximate location (derived from IP), browser and device characteristics, and timestamps.
- Analytics: we use Vercel Analytics, which provides privacy-friendly aggregate metrics without setting third-party tracking cookies in a personally identifiable manner.
- Operational logs: server, application, and security logs from FSC platforms and training environments, including access events, errors, and abuse-related signals.
2.3 Information from Third Parties
We may receive limited information from referral partners, public business directories, government procurement systems, and identity/clearance verification sources, only as needed to evaluate or fulfill an engagement.
3. How We Use Information
- To respond to inquiries, scope engagements, and provide quotes;
- To deliver, support, secure, and improve Services, platforms, and training;
- To bill, collect payment, and manage accounts;
- To comply with legal, regulatory, audit, and contractual obligations;
- To detect, investigate, and prevent abuse, fraud, and security incidents;
- To send service-related communications (e.g., scheduling, invoices, security advisories);
- With your consent, to send marketing communications you can unsubscribe from at any time.
4. Legal Bases for Processing
Where applicable law (such as the EU/UK GDPR) requires a legal basis, we rely on: (a) performance of a contract, (b) our legitimate interests in running and securing our business, (c) compliance with a legal obligation, or (d) your consent for marketing and optional analytics.
5. How We Share Information
We do not sell personal information. We share information only as follows:
- Service providers / subprocessors who help us operate (see § 6);
- Client direction, when we are processing Client data on a Client's behalf;
- Legal, safety, and compliance disclosures required by law, valid legal process, or a regulator, or made to protect the rights, property, or safety of FSC, our clients, or others;
- Business transfers in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
6. Service Providers and Subprocessors
We use vetted service providers to operate the website, platforms, and back office. Categories include:
- Hosting & CDN / analytics: Vercel (website hosting and analytics).
- Database / backend: Supabase (contact form submissions and certain platform data).
- Email: Google Workspace (email and document collaboration).
- Payments & billing: Stripe (ACH and card processing, customer portal, invoices).
- Cloud infrastructure for FSC platforms and training environments (e.g., major hyperscalers or government cloud, as applicable to the engagement).
Each provider is contractually bound to handle data only as instructed and to maintain appropriate security. A current subprocessor list is available on request at team@fightingsmartcyber.com.
7. Cookies and Analytics
The FSC website uses a minimal amount of first-party storage needed for the site to function, plus Vercel Analytics for aggregate page-view metrics. We do not use cross-site advertising trackers. Most browsers allow you to control cookies via settings; disabling them may affect site functionality.
8. Client Data & Assessment Findings
For consulting, assessment, training, and platform engagements, FSC may receive Client systems data, source code, configuration, vulnerability findings, network diagrams, and similar sensitive material. We handle this information under the following principles:
- Need-to-know access: only FSC personnel assigned to the engagement access Client materials;
- Encryption in transit and at rest: we use industry-standard cryptographic protections for Client data;
- Segmented storage: Client materials are kept in engagement-scoped repositories with audit logging;
- Coordinated disclosure: vulnerabilities discovered in Client systems are reported to the Client first and are not disclosed to third parties without authorization;
- Return or destruction: upon written request after engagement close, FSC will return or securely destroy Client-supplied materials, subject to retention required by law or our reasonable backup cycles.
Confidentiality obligations are described in the Terms § 9.
9. Data Security
FSC maintains administrative, technical, and physical safeguards designed to protect information from unauthorized access, alteration, disclosure, or destruction. These include least-privilege access controls, multi-factor authentication for production systems, encryption, vulnerability management, and personnel training. No system is perfectly secure; you are responsible for using strong, unique credentials and reporting any suspected compromise promptly.
10. Data Retention
We retain personal information only as long as needed for the purposes described in this Policy, to provide Services, to satisfy legal, tax, accounting, audit, and contractual obligations, or to defend or pursue legal claims. Contact form submissions, billing records, and engagement deliverables are typically retained for the life of the relationship plus a reasonable archive period. Logs may be retained for a shorter period sufficient for security and operational use.
11. Your Privacy Rights
Depending on where you live, you may have rights to: access, correct, delete, port, or restrict our processing of your personal information, object to certain processing, or withdraw consent. To exercise these rights, email team@fightingsmartcyber.com from the address associated with your information, or write to the address below. We will verify your identity before acting and respond within the time required by applicable law.
Where FSC processes data on behalf of a Client, please direct your request to that Client; we will support the Client in responding.
12. International Transfers
FSC is based in the United States. If you access our Services from outside the U.S., your information will be transferred to and processed in the U.S. and any country where our subprocessors operate. For transfers from regions with cross-border restrictions (e.g., the EU/UK), we rely on lawful transfer mechanisms such as Standard Contractual Clauses, where applicable.
13. Children's Privacy
FSC Services are intended for business and government users and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us so we can delete it.
14. Government & Classified Engagements
Some FSC engagements involve U.S. government customers, controlled unclassified information (CUI), or classified environments. Those engagements are governed by separate agreements, government authorizations, and applicable federal handling requirements (e.g., NIST SP 800-171, FedRAMP authorization boundaries, or classified IS security plans). Nothing in this Policy authorizes disclosure of classified information, methods, or sources.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected by an updated "Effective Date" above. Continued use of FSC Services after an update constitutes acceptance of the revised Policy.
16. Contact Us
Fighting Smart Cyber, LLC
Privacy & data inquiries: team@fightingsmartcyber.com