Privacy Policy
Last updated: February 2026
1. Who We Are
YourInfoSec ("we", "us", "our") operates the website yourinfosec.com. We provide free cybersecurity assessment tools designed to help individuals and organisations understand and improve their security posture.
For the purposes of the General Data Protection Regulation (GDPR), YourInfoSec is the data controller responsible for your personal data.
2. What Data We Collect
Assessment Data (Anonymous Users)
When you take our cybersecurity assessment without an account, your answers are processed entirely in your browser. We do not transmit, collect, or store your assessment responses on any server. Your data stays on your device and is cleared when you close the browser tab.
Assessment Data (Registered Users)
If you create an account and are logged in, your assessment answers, scores, and results are stored on our servers so you can track your progress over time. You can view, export, or delete all stored assessment data at any time from your profile page.
Account Data
When you create an account, we collect:
- Email address — used for login, account verification, and password recovery. We verify your email before activating your account.
- Name (optional) — used for personalisation within the platform.
- Password — stored as a cryptographic hash using PBKDF2-SHA256 with 100,000 iterations and a unique random salt per account. We never store passwords in plain text and cannot retrieve your password.
- Language preference — your chosen language (English or Portuguese).
Business Waitlist
If you sign up for our business features waitlist, we collect your email address solely to notify you when business features become available. You can unsubscribe at any time.
Automatically Collected Data
When you visit our website, we may automatically collect:
- IP address — used for rate limiting and security (protection against brute-force attacks). IP addresses are not stored long-term.
- Usage analytics — via Google Analytics, we collect anonymised usage data such as pages visited, time on site, and device type. See section 6 for details.
Cookies and Local Storage
We use essential cookies for authentication and security, and local storage for temporary data. We do not use advertising or tracking cookies. See our Cookie Policy for full details.
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under Article 6 of the GDPR:
- Consent (Art. 6(1)(a)) — for optional analytics cookies and the business waitlist.
- Performance of a contract (Art. 6(1)(b)) — to provide the assessment service, manage your account, and save your results when you sign up.
- Legitimate interests (Art. 6(1)(f)) — for security measures (rate limiting, audit logs, fraud prevention) and service improvement. We balance our interests against your rights and freedoms.
4. How We Use Your Data
- To provide and operate the cybersecurity assessment service
- To create and manage your account
- To authenticate you and keep your sessions secure
- To save your assessment history and display progress over time
- To send transactional emails (account verification, password reset)
- To notify business waitlist subscribers when features launch
- To protect against abuse, fraud, and security threats
- To analyse aggregated, anonymised usage patterns to improve our service
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not engage in profiling or automated decision-making that produces legal effects.
5. Data Storage and Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption in transit — all communications use TLS 1.2+ (HTTPS).
- Encryption at rest — data stored in our database is encrypted at rest.
- Password hashing — passwords are hashed with PBKDF2-SHA256 (100,000 iterations) using a unique random salt per account. We cannot read your password.
- Secure tokens — authentication tokens are stored in httpOnly, Secure cookies with SameSite=Strict, so page scripts cannot read them, they are sent only over HTTPS, and they are not attached to cross-site requests. Tokens are hashed before storage, so a copy of the database does not yield usable session tokens.
- Account lockout — accounts are temporarily locked after 5 failed login attempts to prevent brute-force attacks.
- CSRF protection — all state-changing requests are protected against cross-site request forgery.
- Rate limiting — API endpoints are rate-limited to prevent abuse.
Anonymous assessment data is processed and stored locally in your browser (sessionStorage). It is never transmitted to our servers.
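As an added, self-contained illustration of the mechanisms listed in this section (and of the password hashing described under Account Data in section 2), the following Python is example code written for this page, not YourInfoSec's implementation. It uses the parameters the policy states (PBKDF2-SHA256 at 100,000 iterations with a random per-account salt, lockout after 5 failed attempts, tokens hashed before storage, httpOnly/Secure/SameSite=Strict cookies, and the 30-day session lifetime from section 8). The in-memory stores, the 15-minute lockout duration, the 32-byte token length and the cookie name are assumptions.

```python
"""Example auth store (not YourInfoSec's code) showing PBKDF2-SHA256 password
hashing with a per-account salt, hashed session tokens, lockout after five
failed logins and the cookie attributes named in the policy."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000            # iteration count stated in the policy
SALT_BYTES = 16                        # random salt generated per account
MAX_FAILED_LOGINS = 5                  # lockout threshold stated in the policy
LOCKOUT_SECONDS = 15 * 60              # assumption: policy only says "temporarily"
SESSION_TTL_SECONDS = 30 * 24 * 3600   # session lifetime stated in section 8

# Assumed in-memory stores standing in for the database tables.
ACCOUNTS: Dict[str, dict] = {}
SESSIONS: Dict[str, dict] = {}         # keyed by SHA-256 of the raw token, never the token


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def _token_key(raw_token: str) -> str:
    """Only this hash is persisted, so a database dump cannot be replayed as a cookie."""
    return hashlib.sha256(raw_token.encode()).hexdigest()


def register(email: str, password: str) -> None:
    ACCOUNTS[email] = {"password": hash_password(password), "failed": 0, "locked_until": 0.0}


def login(email: str, password: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Return (raw_token, set_cookie_value) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    if acct is None:
        hash_password(password)  # spend the same work so unknown accounts are not faster to probe
        return None, "invalid"
    if now < acct["locked_until"]:
        return None, "locked"
    if not verify_password(password, acct["password"]):
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGINS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
            return None, "locked"
        return None, "invalid"
    acct["failed"] = 0
    raw = secrets.token_urlsafe(32)
    SESSIONS[_token_key(raw)] = {"email": email, "expires": now + SESSION_TTL_SECONDS}
    cookie = (f"session={raw}; HttpOnly; Secure; SameSite=Strict; "
              f"Path=/; Max-Age={SESSION_TTL_SECONDS}")
    return raw, cookie


def session_user(raw_token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented cookie value to an account, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _token_key(raw_token)
    entry = SESSIONS.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del SESSIONS[key]
        return None
    return entry["email"]


def revoke_sessions(email: str) -> int:
    """Invalidate every session for an account, as section 9 requires on deletion."""
    keys = [k for k, v in SESSIONS.items() if v["email"] == email]
    for k in keys:
        del SESSIONS[k]
    return len(keys)
```

hmac.compare_digest keeps the hash comparison constant-time, and the record format carries its own iteration count so the constant can be raised later and old hashes re-verified (and upgraded on next login). One caveat for anyone reusing this: 100,000 is the figure the policy states, but the OWASP Password Storage Cheat Sheet currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256, so PBKDF2_ITERATIONS is the value to tune.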
6. Third-Party Services
We use a limited number of third-party services to operate YourInfoSec:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Cloudflare | Hosting, CDN, database, and DDoS protection | IP address, request data | Cloudflare Privacy Policy |
| Google Analytics | Anonymised website usage analytics | Page views, device type, country (no personal identifiers) | Google Privacy Policy |
| Resend | Transactional email delivery | Email address (for verification and password reset emails only) | Resend Privacy Policy |
We do not use any advertising platforms, social media trackers, or data brokers.
7. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA) through our third-party service providers (Cloudflare and Google). These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The service providers' compliance with applicable data protection frameworks
8. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this policy:
- Account data — retained until you delete your account.
- Assessment history — retained until you delete your account.
- Email verification tokens — automatically expire and are deleted after 24 hours.
- Password reset tokens — automatically expire and are deleted after 1 hour.
- Refresh tokens (sessions) — automatically expire after 30 days.
- Audit logs — retained for 90 days for security purposes, then permanently deleted.
- Business waitlist — retained until you unsubscribe or the feature launches.
9. Account Deletion
You can delete your account and all associated data at any time from your profile page. When you delete your account:
- All personal data is permanently and irreversibly deleted
- All assessment history and results are removed
- All authentication tokens and sessions are invalidated
- Audit log entries are anonymised
Deletion is immediate. We do not retain backups of deleted accounts.
10. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data, or delete your account directly from your profile.
- Right to restriction (Art. 18) — request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at the email below. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt.
11. Children's Privacy
YourInfoSec is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.
12. Contact
For any privacy-related questions, requests, or concerns, contact us at:
Email: privacy [at] yourinfosec.com
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email for material changes
We encourage you to review this page periodically.