Legal

Privacy Policy

EEVSEC PRIVATE LIMITED (“EEVSEC”, “we”, “us”, or “our”) operates the EEVSEC CyberRange platform (the “Platform”) at eevsec.com. This Privacy Policy explains how we collect, use, share, and protect personal data for users worldwide, and the rights available to you. It applies to all visitors and account holders regardless of location, and is supplemented by the region-specific provisions in Section 10.

Effective: 30 May 2026 Last updated: 1 June 2026

1. Who we are

The data controller responsible for your personal data is EEVSEC PRIVATE LIMITED, a company incorporated in India (CIN U62013GJ2026PTC177190), with its registered office at 401, Garud Apartment, Opp: Mahabaleshwar Flat, Jodhpur Char Rasta, Ahmedabad, Gujarat 380015, India. For any privacy question, contact our Data Protection Officer at dpo@eevsec.com.

2. Scope of this policy

This policy applies globally to everyone who visits the Platform, joins our waitlist, or holds an account, wherever they are located. Where local law grants you additional rights, the region-specific provisions in Section 10 apply on top of this global baseline. Where this policy and a mandatory provision of your local law conflict, the mandatory local law prevails for residents of that region.

3. Personal data we collect

We are currently in pre-launch, so today we collect only the waitlist sign-up details listed below (your name, email, and the role you select). The other categories describe data the Platform will process once live training opens. Across all of these, we collect only what is needed to operate the Platform, deliver live training simulations, and keep the service secure:

  • Account and identity data: your name, email address, organisation or institution, and any role information you provide at sign-up or on the waitlist.
  • Identity verification data: where local law or an enterprise customer requires it, a government or institutional identifier may be requested solely to confirm eligibility. We collect this only when necessary and keep it only as long as required.
  • Usage and technical data: IP address, device and browser information, session logs, in-simulation command history, and performance metrics generated as you use the Platform and the AI Coach.
  • Billing data: transaction records and limited billing metadata. Full payment card details are collected and processed by PCI DSS compliant payment providers and are never stored on our systems.
  • Support and assistant data: messages you send to support or to our conversational assistant, retained in de-identified form to improve the service.

4. How and why we use your data

We use personal data to:

  • provide, operate, and maintain the Platform and your account;
  • run training simulations and deliver AI Coach feedback and analysis;
  • process payments, manage subscriptions, and prevent fraud;
  • secure the Platform, detect abuse, and preserve the integrity of simulations;
  • respond to your requests and provide customer support;
  • send service messages and, where permitted, marketing you can opt out of at any time;
  • comply with legal obligations and enforce our Terms of Service.

5. Legal bases for processing

Where data protection law requires a legal basis, we rely on one or more of the following:

  • Performance of a contract: to deliver the services you sign up for.
  • Consent: for marketing, optional features, and any processing that legally requires it. You may withdraw consent at any time.
  • Legitimate interests: to secure, protect, and improve the Platform, balanced against your rights and freedoms.
  • Legal obligation: to meet tax, accounting, and other statutory duties.

6. How we share data

We do not sell your personal data. We share it only with:

  • Service providers that host our infrastructure, process payments, deliver email, and provide analytics, each bound by contract to protect your data and act only on our instructions;
  • Professional advisers and authorities where required by law, regulation, or valid legal process;
  • A successor entity in connection with a merger, acquisition, or asset sale, subject to this policy.

For waitlist sign-ups and email communications we use Loops, Inc. (“Loops”) as our email service provider. The name and email address you submit are processed by Loops to send you these messages. You can review how Loops handles personal data in the Loops Privacy Policy.

Our waitlist and contact forms are protected by Google reCAPTCHA to detect automated abuse. When you use a form, Google processes limited device and usage data as our processor for this security purpose; see Section 12 and Google's Privacy Policy for details.

7. International data transfers

We operate globally, so your data may be processed in countries other than your own, including India. When we transfer personal data across borders, we rely on recognised safeguards such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms, so that your data stays protected to the standard of your home jurisdiction.

8. Retention and security

We keep personal data only for as long as needed for the purposes described here, to comply with legal obligations, resolve disputes, and enforce our agreements, after which it is deleted or anonymised. We protect data with encryption in transit and at rest, access controls, isolated single-use simulation environments, and ongoing security monitoring. No method of transmission or storage is completely secure, but we use industry-standard measures to safeguard your data.

9. Your privacy rights

Subject to your local law, you may have the right to access, correct, delete, or receive a portable copy of your personal data; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with your supervisory authority. To exercise any right, contact dpo@eevsec.com. We respond within the period your law requires, and within 30 days where no specific period applies. We will not discriminate against you for exercising your rights.

10. Region-specific rights

European Economic Area and United Kingdom (GDPR / UK GDPR)

You have the rights set out in Section 9, including the right to complain to your national data protection authority. Our legal bases are described in Section 5, and cross-border transfers are safeguarded as described in Section 7.

United States (state privacy laws)

This section applies to residents of US states with comprehensive privacy laws, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and Montana. Subject to your state law, you may: confirm whether we process your personal information and access it; correct inaccurate information; request deletion; obtain a portable copy; opt out of the sale of personal information; and opt out of sharing for cross-context behavioral advertising, targeted advertising, and certain profiling. California residents may also request that we limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.

We do not sell your personal information, we do not share it for cross-context behavioral advertising, and we do not use it for targeted advertising, so there is nothing to opt out of in those respects; we will still honour a request, including one sent through a Global Privacy Control (GPC) signal, where it applies. To exercise any right, contact us using the details in Section 14. We will verify your identity before responding, and you may use an authorised agent where the law allows.

India (Digital Personal Data Protection Act, 2023)

Under India's Digital Personal Data Protection Act, 2023 (DPDPA), EEVSEC PRIVATE LIMITED acts as a Data Fiduciary and processes your personal data on the basis of your consent or for a legitimate use permitted by the Act. As a Data Principal you may obtain a summary of the personal data we hold and how we process it, request its correction, completion, or erasure, nominate another person to exercise your rights in the event of death or incapacity, and withdraw your consent at any time. Withdrawing consent is as easy as giving it and does not affect processing already carried out. You may register a grievance with our Data Protection Officer, which we address within the period prescribed by law, and where we offer one you may give or manage consent through a registered Consent Manager. If a grievance remains unresolved, you may escalate it to the Data Protection Board of India.

United Arab Emirates (PDPL)

If you are in the UAE, you may exercise the access, correction, erasure, objection, and consent-withdrawal rights granted by Federal Decree-Law No. 45 of 2021, and you may complain to the UAE Data Office.

Switzerland (FADP)

If you are in Switzerland, under the Federal Act on Data Protection you may request access to your personal data, object to its processing (including asking that processing be restricted or that data be deleted or destroyed), receive your data and have it transferred to another controller where feasible, and ask that inaccurate data be corrected. To exercise these rights, contact us using the details in Section 14; requests are free of charge and answered as soon as possible.

Brazil (LGPD)

If you are in Brazil, under the Lei Geral de Proteção de Dados you may: confirm the existence of processing and access your personal data; correct incomplete, inaccurate, or outdated data; request the anonymisation, blocking, or deletion of unnecessary or excessive data, or of data not processed in line with the LGPD; obtain information about the entities with whom we share your data; request portability to another provider; obtain deletion of data processed on the basis of your consent; revoke consent at any time; and lodge a complaint with the National Data Protection Authority (ANPD). We process personal information only where we have a legal basis under the LGPD, such as your consent, performance of a contract, compliance with a legal obligation, or our legitimate interests. To exercise any right, contact us using the details in Section 14.

Other regions

If your country grants additional or different rights, we honour those rights to the extent the applicable law requires.

11. Children

The Platform is intended for adults. We do not knowingly collect personal data from children below the age of digital consent in their jurisdiction, and minors may not take part in live simulations without verifiable parental or guardian consent where the law permits their participation at all. We do not profile minors or serve them targeted advertising. If you believe a child has provided us personal data, contact us and we will delete it.

12. Cookies and local storage

We use a small number of first-party cookies and local storage. An essential cookie named cr_consent records your cookie choice, and your theme preference is kept in your browser's local storage; these are necessary for the site to function and are not used to track you. With your consent (and only then) we use analytics to understand how the site is used:

  • a first-party cookie named cr_visit that recognises repeat visits and counts page views on our own site, and, where we have enabled it, sends that visit information (a random identifier, the page, the referring page, your browser language, and a timestamp) to a private spreadsheet we control via Google Apps Script;
  • Google Analytics 4, provided by Google, which sets its own cookies (for example _ga) and processes usage and approximate-location data to produce aggregate reports. Google acts as our processor for this; we have not enabled Google Analytics advertising features or Google Signals.

None of this is used for advertising, we do not sell your personal data, and analytics only loads after you accept. You can decline, or withdraw a previous acceptance, at any time through the cookie notice; declining or withdrawing stops Google Analytics from loading and removes the cr_visit cookie. For Google's handling of data, see Google's privacy policy and "How Google uses information from sites that use our services". For the full list of cookies and how to manage them, see our Cookie Policy Cookie preferences.

Separately, to protect our waitlist and contact forms from spam and automated abuse, those forms use Google reCAPTCHA. reCAPTCHA loads only when you interact with a form, at which point Google may set its own cookie (for example _GRECAPTCHA) and process device and usage signals to tell humans from bots. This is a security measure, not advertising or cross-site ad tracking, and it applies whether or not you accept analytics cookies. Your use of reCAPTCHA is governed by Google's Privacy Policy and Terms of Service.

13. Changes to this policy

We may update this policy from time to time. We will post the new version here with a revised effective date and, for material changes, give additional notice where the law requires it.

14. Contact us

For privacy questions or to exercise your rights, contact our Data Protection Officer:

Ishaan Sharma, Data Protection Officer
Email: dpo@eevsec.com
EEVSEC PRIVATE LIMITED, CIN U62013GJ2026PTC177190
401, Garud Apartment, Opp: Mahabaleshwar Flat, Jodhpur Char Rasta, Ahmedabad, Gujarat 380015, India

15. Mode and place of processing

We take appropriate technical and organisational security measures to prevent unauthorised access, disclosure, modification, or destruction of personal data. Processing is carried out using computers and IT tools, following procedures related to the purposes described above. In addition to us, data may in some cases be accessible to people involved in operating this site (for example administration, support, or system administration) and to the external service providers we use as processors (such as our hosting and content-delivery provider, our waitlist email provider, our contact-form delivery provider, our web-font provider, and, where enabled, our analytics provider). An updated list of these parties is available from us on request.

We process data at our operating location in India and in any other place where the parties involved in the processing are located. Depending on your location, this may involve transferring your data to a country other than your own; where that happens we rely on the safeguards described in Section 7. Personal data is processed and retained as described in Section 8, for as long as needed for the purposes it was collected for, and longer where a legal obligation or your consent requires.

16. Additional information about data processing

Legal action. Your personal data may be used for legal purposes by us in court or in the stages leading to possible legal action arising from improper use of this site or the related services. You acknowledge that we may be required to disclose personal data at the request of public authorities.

System logs. For operation and maintenance, this site and the third-party services it uses may record information that documents interaction with the site (system logs), which can include data such as your IP address. We do not run our own server for this site, so such logs are held by our hosting and service providers.

Information not contained in this policy. More details about the collection or processing of personal data can be requested from us at any time using the contact details in Section 14.

17. Definitions and legal references

Personal Data (or Data) / Personal Information. Any information that, directly, indirectly, or in connection with other information, allows the identification or identifiability of a natural person.

Sensitive Personal Information. Personal information that is not publicly available and reveals information considered sensitive under the applicable privacy law.

Usage Data. Information collected automatically through this site or third-party services it uses, which can include IP addresses, the pages and URIs requested, the time of requests, the request method and response status, the country of origin, browser and operating-system features, time spent on pages, and the path followed within the site.

User. The individual using this site who, unless otherwise specified, is the Data Subject.

Data Subject. The natural person to whom the personal data refers.

Data Processor. The person or body that processes personal data on behalf of the controller, as described in this policy.

Data Controller (or Owner). The person or body that, alone or jointly with others, determines the purposes and means of processing personal data. For this site the controller is EEVSEC PRIVATE LIMITED.

Sale. Any exchange of personal information for monetary or other valuable consideration, as defined by applicable US state law. Disclosing personal information to a processor under a compliant written contract is not a sale.

Sharing. Disclosing personal information to a third party for cross-context behavioral advertising, as defined by California law.

Targeted advertising. Showing advertisements selected based on personal information obtained from a person's activities across nonaffiliated sites or applications, as defined by applicable US state law.

This policy was prepared based on provisions of multiple laws, including the GDPR, the UK GDPR, the Swiss FADP, the Brazilian LGPD, the India DPDPA 2023, the UAE PDPL, and US state privacy laws, and relates solely to this site unless stated otherwise.