Legal Protocol

    Privacy Policy

    Last updated: January 23, 2026

    1. Introduction

    Faltrox ("we," "our," or "us") is committed to protecting your privacy and complying with applicable data protection laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other regional privacy regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our cybersecurity services.

    By engaging our services or using our website, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

    2. Information We Collect

    2.1 Personal Information

    We collect the following categories of personal information:

    • Contact information (name, email address, phone number, company name, job title)
    • Account credentials (username, password - stored encrypted)
    • Billing information (company address, payment details processed through secure third-party providers)
    • Communication data (emails, support tickets, consultation notes)
    • Technical assessment data (IP addresses, system configurations, vulnerability findings - under strict NDA)

    2.2 Automatically Collected Information

    • Device information (browser type, operating system, device identifiers)
    • Usage data (pages visited, time spent, referring URLs)
    • Log data (IP address, access times, error logs)
    • Cookies and tracking technologies (see Section 8)

    3. How We Use Your Information

    We use collected information for the following purposes:

    • Service Delivery: Conducting penetration tests, security assessments, and delivering reports
    • Communication: Responding to inquiries, providing support, and sending service updates
    • Billing: Processing payments and maintaining transaction records
    • Marketing: Sending security insights, newsletters, and promotional materials (with explicit consent - opt-out available)
    • Compliance: Meeting legal obligations and regulatory requirements (SOC 2, ISO 27001, PCI-DSS)
    • Security: Protecting against fraud, unauthorized access, and maintaining system integrity
    • Improvement: Analyzing usage patterns to enhance our services and website functionality

    4. Legal Basis for Processing (GDPR)

    We process personal data based on the following legal grounds:

    • Contract Performance: Processing necessary to fulfill our service agreements
    • Consent: Marketing communications and non-essential cookies (withdrawable anytime)
    • Legitimate Interests: Business operations, fraud prevention, and security improvements
    • Legal Obligations: Compliance with applicable laws and regulations

    5. Data Sharing and Disclosure

    We do not sell, rent, or trade your personal information. We may share data with:

    • Service Providers: Third-party vendors for hosting, analytics, payment processing (under strict data processing agreements)
    • Business Transfers: In connection with mergers, acquisitions, or asset sales (with notification)
    • Legal Requirements: When required by law, court order, or government request
    • Protection: To protect rights, property, or safety of Faltrox, clients, or the public

    All third-party processors are contractually bound to maintain confidentiality and security standards equivalent to our own.

    6. Data Security

    We implement industry-leading technical and organizational security measures:

    • Encryption: AES-256 at rest, TLS 1.3 in transit
    • Access Controls: Role-based access, multi-factor authentication, least privilege
    • Network Security: Firewalls, intrusion detection systems, security monitoring
    • Compliance: SOC 2 Type II certified, ISO 27001:2022 aligned, annual penetration testing
    • Incident Response: 24/7 security operations center, breach notification within 72 hours (GDPR)
    • Employee Training: Regular security awareness training and background checks
    • Data Segregation: Client assessment data isolated per engagement with strict access logging

    7. Your Privacy Rights

    7.1 GDPR Rights (EU/UK Residents)

    • Right to Access: Obtain confirmation of data processing and copies of your personal data
    • Right to Rectification: Correct inaccurate or incomplete data
    • Right to Erasure: Request deletion ("right to be forgotten") subject to legal retention requirements
    • Right to Restriction: Limit processing under certain circumstances
    • Right to Data Portability: Receive data in structured, machine-readable format
    • Right to Object: Object to processing based on legitimate interests or direct marketing
    • Right to Withdraw Consent: Withdraw consent for consent-based processing
    • Right to Lodge Complaint: File complaint with supervisory authority (e.g., ICO in UK)

    7.2 CCPA Rights (California Residents)

    • Right to Know: Request disclosure of personal information collected, sources, and business purposes
    • Right to Delete: Request deletion of personal information (with exceptions)
    • Right to Opt-Out: Opt-out of sale of personal information (we do not sell personal data)
    • Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise

    To exercise these rights, contact us at privacy@faltrox.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

    8. Cookies and Tracking Technologies

    We use cookies and similar technologies for:

    • Essential Cookies: Required for website functionality (authentication, security)
    • Analytics Cookies: Google Analytics (anonymized IP) to understand usage patterns
    • Marketing Cookies: Conversion tracking, remarketing (requires consent)

    You can control cookies through browser settings. Disabling essential cookies may limit website functionality. Our cookie banner allows granular consent management.

    9. Data Retention

    We retain personal data for:

    • Active Clients: Duration of engagement plus 7 years (legal/regulatory requirements)
    • Assessment Data: Securely deleted 90 days post-delivery (unless client requests extended retention)
    • Marketing Contacts: Until opt-out or 3 years of inactivity
    • Financial Records: 7 years (tax compliance)

    Data is securely deleted using DoD 5220.22-M standards or cryptographic erasure.

    10. International Data Transfers

    We operate globally (US, UK, EU, UAE, India, Singapore, Canada, Australia). When transferring data internationally, we use:

    • EU Standard Contractual Clauses (SCCs) for EU data transfers
    • UK International Data Transfer Agreement (IDTA)
    • Data Processing Agreements with appropriate safeguards
    • Regional data centers to minimize cross-border transfers

    11. Children's Privacy

    Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately for deletion.

    12. Changes to This Policy

    We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent website notice 30 days before the effective date. Continued use after changes constitutes acceptance.

    13. Contact Information

    For privacy inquiries, requests, or complaints: