Legal

Privacy Policy

Effective date: April 16, 2025 · Last updated: April 16, 2025

This Privacy Policy explains how CyDuck collects, uses, stores, and protects your personal data. It applies to all users of cyduck.com and dashboard.cyduck.com globally, and is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws including the California Consumer Privacy Act (CCPA).

1. Who Is Responsible for Your Data

CyDuck ("CyDuck", "we", "us", "our") is the data controller for personal data processed through the Services. For data protection enquiries, contact us at [email protected].

2. What Data We Collect

2.1 Data you provide directly

  • Email address — when you create an account or use our email breach checker.
  • Phone number — if you add a phone asset to your dashboard.
  • Social profile URLs — if you add a social account asset to your dashboard.
  • Security declarations — your self-reported answers about password age, two-factor authentication status, and account recovery settings. These are declarations only; we never ask for or store your actual passwords.

2.2 Data generated by your use of the Services

  • Breach findings — results of breach lookups performed against your verified assets via Have I Been Pwned.
  • Security score and history — your Personal Cyber Score and its historical trend over time.
  • Actions and declarations — records of remediation actions you declare (e.g. "changed my password").
  • Streak and activity data — your daily engagement streak and check-in dates.
  • Notification preferences — your chosen notification settings.

2.3 Data collected automatically

  • Usage analytics — anonymized, aggregated data about how features are used, collected via Google Analytics. No personally identifiable information is included in these analytics reports.
  • Authentication tokens — session tokens issued by Clerk for the purpose of keeping you securely signed in. These are not used for any purpose other than authentication.

2.4 Data we do NOT collect

  • We do not collect or store your actual passwords at any point.
  • We do not collect payment information (CyDuck is currently free).
  • We do not build advertising profiles or sell your data.
  • Free tools at cyduck.com operate without any account or tracking — consistent with our Duck Law.

3. How We Use Your Data

We use your personal data only for the following purposes:

Purpose | Legal basis (GDPR) | Legal basis (US / CCPA)
Providing and operating the Services | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Performing breach scans against your assets | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Calculating and displaying your security score | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Sending security alerts and notifications | Legitimate interests (Art. 6(1)(f)) | Necessary for service delivery
Sending transactional emails (OTP, verification) | Contract performance (Art. 6(1)(b)) | Necessary for service delivery
Improving and analyzing service usage | Legitimate interests (Art. 6(1)(f)) | Analytics (opt-out available)
Complying with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal compliance

We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.

4. Third-Party Processors

We share data with the following trusted processors only to the extent necessary to operate the Services:

Processor | Purpose | Data shared
Clerk | Authentication and session management | Email address, session tokens
Have I Been Pwned (HIBP) | Breach database lookups | Email address (hashed where possible)
Resend | Transactional email delivery | Email address, message content
Anthropic | AI spam analysis (spam checker tool only) | Text content submitted for analysis
Google Analytics | Anonymized usage analytics | Anonymized usage events, no PII
Cloudflare | Hosting, CDN, and infrastructure | IP address (standard web traffic)

All processors are bound by Data Processing Agreements and are required to handle your data in compliance with GDPR and applicable law. We do not sell your data to any third party.

5. International Data Transfers

Some of our processors are based in the United States. Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom to the US, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognized under UK law.

You may request details of the safeguards we rely on by contacting [email protected].

6. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account data — retained for the lifetime of your account, plus 30 days following deletion to allow for recovery.
  • Breach findings and score history — retained for the lifetime of your account.
  • Security declarations and actions — retained for the lifetime of your account.
  • Anonymized analytics data — retained for up to 26 months by Google Analytics, per their standard retention settings.
  • Authentication logs — retained for up to 90 days for security and fraud prevention.

When you delete your account, we delete your personal data within 30 days, except where retention is required by law.

7. Your Rights

Rights under GDPR (EU and UK users)

If you are located in the EU or UK, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to certain legal exceptions.
  • Right to restriction of processing — request that we limit how we use your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority.

Rights under CCPA (California users)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, or sell.
  • Delete personal information we have collected from you, subject to certain exceptions.
  • Opt out of the sale of personal information. CyDuck does not sell personal information.
  • Non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request.

8. Cookies and Tracking

CyDuck uses a minimal set of cookies and local storage:

  • Authentication cookies — set by Clerk to maintain your signed-in session. These are strictly necessary and cannot be disabled without breaking the dashboard.
  • Analytics cookies — set by Google Analytics to collect anonymized usage data. These are not linked to any personally identifiable information.
  • Local storage — used to cache your dashboard state (score, assets) on your device to improve load times. This data stays on your device and is not transmitted to third parties.

The free tools at cyduck.com operate without cookies or account tracking, in line with our Duck Law.

9. Security

We take the security of your data seriously. We implement appropriate technical and organizational measures including:

  • Encrypted data transmission via HTTPS/TLS.
  • Authentication handled by Clerk, a dedicated identity provider with industry-standard security practices.
  • Database access restricted to authenticated, authorized requests only.
  • No storage of plaintext passwords at any point in our system.

No system is completely secure. If you discover a security vulnerability, please report it responsibly to [email protected].

10. Children's Privacy

CyDuck is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via the Services.

Your continued use of the Services after any change constitutes acceptance of the updated policy.

12. Contact and Complaints

For any privacy-related questions, requests, or complaints, contact us at:

CyDuck — Privacy
Email: [email protected]
Website: cyduck.com

If you are in the EU and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your national data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.
