
Privacy Policy
Your privacy matters. This policy explains how we handle your information with transparency and care.
Effective Date: January 31, 2026
Last Updated: March 23, 2026
1. Introduction
GetCyberRight is a service operated by ColorCode Solutions LLC, a North Carolina limited liability company ("ColorCode Solutions," "we," "us," or "our"). We operate the website getcyberright.com (the "Service"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
As a cybersecurity education organization, we understand the importance of protecting your personal information. We are committed to maintaining the trust and confidence of our visitors and subscribers.
By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used have the same meanings as in our Terms of Service.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you voluntarily provide when you:
- Create an account: Name, email address, password (encrypted), and optional profile information
- Subscribe to our newsletter: Email address and communication preferences
- Contact us: Name, email address, and message content
- Purchase a subscription: Billing information processed securely through our payment provider (we do not store full payment card details on our servers)
- Use our security tools: URLs, email headers, or other content you submit for analysis (processed in real time and not permanently stored unless you create an account)
- Use the GCR Scam Guard browser extension: URLs of pages you visit (when Auto-Protect is enabled) or manually scan, page content analyzed for scam indicators, and your extension authentication token. See Section 3.3 for full details on extension data practices.
- Use our breach monitoring service: Email addresses you submit to check against known data breaches (used solely for monitoring and alert purposes)
- Use our data broker removal service: Personal information you provide to identify and request removal of your data from data broker databases (used solely for removal requests on your behalf)
- Report a scam: Details about suspected scams to help protect our community
- Interact with our AI assistant (Dezi): Questions and messages you send during conversations (used to generate responses and improve service quality)
2.2 Information Collected Automatically
When you access our Service, we automatically collect certain information:
- Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers
- Usage Data: Pages visited, time spent on pages, click patterns, and navigation paths
- Location Data: General geographic location derived from IP address (country, region, city). We do not collect precise geolocation.
- Referral Data: How you arrived at our website (search engine, referral link, direct access)
- Session Information: Session duration, return visits, and engagement metrics
2.3 Information We Do Not Collect
We want to be clear about the types of information we do not collect:
- Biometric data (fingerprints, facial recognition, voiceprints)
- Precise geolocation data (GPS coordinates)
- Financial account numbers (credit card details are processed by our payment provider and never stored on our systems)
- Social Security numbers or government-issued identification numbers
- Health or medical information
3. Artificial Intelligence and Automated Processing
3.1 AI-Powered Features
Our Service uses artificial intelligence to provide certain features. We believe in transparency about how AI is used:
- Dezi AI Assistant: Our conversational assistant uses Anthropic's Claude language model to answer your cybersecurity questions. Your messages are sent to Anthropic for processing and are subject to Anthropic's Privacy Policy. Anthropic does not use your conversations to train its models under our commercial agreement.
- Scam Detection Tools: AI analyzes URLs, email content, and text you submit to identify potential threats. This analysis happens in real time, and submitted content is not stored after analysis unless you have an account and choose to save results.
- Content Generation: AI assists in creating educational articles, guides, and social media content about cybersecurity topics. This does not involve your personal data.
- Threat Intelligence: AI processes publicly available cybersecurity news feeds to identify and simplify trending threats for our users. No personal data is involved in this process.
3.3 GCR Scam Guard Browser Extension
Our GCR Scam Guard browser extension provides real-time scam protection while you browse. Here is exactly what data it collects and how it is used:
- URLs of pages you visit: When Auto-Protect is enabled, page URLs are sent to our servers for real-time threat analysis against known phishing databases, malware registries, and AI-powered scam detection. URLs are analyzed and discarded immediately for free-tier users. Paid subscribers may have scan history retained for up to 90 days if they opt in.
- Page content: The extension collects page metadata (title, headings, form indicators, external links) and an excerpt of the page text (up to 1,500 characters). This data is sent to our servers for AI-powered threat analysis. The extension does not capture passwords, form inputs you type, or full page content.
- Community Trust System: When Community Trust is enabled, the extension contributes to and reads from a community-sourced site reputation database. Domain names are cryptographically hashed using SHA-256 before being sent to our servers for reputation lookups. When you flag a site as dangerous or confirm a site as safe, the domain name and its SHA-256 hash are sent together to enable community reporting. This data is aggregated and anonymized - it is never linked to your personal identity or browsing history.
- Scam reporting: When you submit a scam report, the reported URL, scam type classification, and your optional description are sent to our servers to help protect the community. Reports are anonymous unless you are signed in.
- Email scanning (webmail): When Webmail Scanning is enabled (paid feature), the extension can scan individual emails within Gmail and Outlook that you explicitly choose to scan by clicking the "Scan with GCR" button. Only the email subject, sender, and body text (up to 2,000 characters) of the selected email are sent for analysis. The extension does not automatically scan, read, or access any emails without your explicit action.
- Authentication token: A 90-day token is stored locally in your browser to link the extension to your GetCyberRight account. This token can be revoked at any time from your account settings or by signing out of the extension.
- Subscription status: The extension periodically checks your subscription tier (Free, Essential, or Professional) to determine which features are available. This status is cached locally for up to 10 minutes to minimize server requests.
- Extension settings and statistics: Your preferences (Auto-Protect on/off, notification settings, feature toggles) and usage statistics (scan counts, threat counts) are stored locally in your browser using Chrome's storage API and are never sent to our servers.
- Weekly Safety Digest: When enabled (paid feature), the extension generates a weekly summary of your browsing safety entirely from locally stored statistics. This digest is displayed as a browser notification and is never sent to our servers.
Extension Permissions Explained
The GCR Scam Guard extension requests the following browser permissions, each necessary for its security scanning functionality:
- Access to all websites (host permissions): Required to scan any website you visit for scam indicators, phishing attempts, and malicious content. Without this, the extension could only scan a pre-defined list of sites, which would defeat its purpose as a comprehensive security tool.
- Active tab and scripting: Used to analyze page content (titles, links, forms) when you initiate a scan or when Auto-Protect is enabled. This allows the extension to detect suspicious forms, lookalike domains, and phishing indicators on the current page.
- Tabs and web navigation: Used to track when you navigate to a new page so the extension can clear previous scan results and scan the new page. Also used to display per-tab safety badges.
- Context menus: Adds right-click options to scan links, pages, and selected text for threats.
- Storage: Stores your extension settings, scan history, and authentication token locally in your browser.
- Notifications: Displays alerts when high-risk threats are detected and delivers your weekly safety digest.
- Alarms: Schedules periodic tasks like refreshing threat intelligence data and generating weekly safety digests.
The extension does not collect browsing history, passwords, form inputs, or any data from pages you do not scan. It does not track your browsing activity for advertising or analytics purposes. All data sent to our servers is transmitted over encrypted HTTPS connections. The extension includes a first-run welcome screen that explains its data practices before any scanning occurs.
Data retention: Scanned content is processed in real time and not stored on our servers after analysis. Community trust scores are retained indefinitely as aggregated, anonymous data. Scan history stored locally in your browser is limited to the 20 most recent scans and can be cleared at any time by uninstalling the extension or clearing extension data.
Your controls: You can disable any feature at any time through the extension's Settings panel. You can sign out to disconnect your account. You can uninstall the extension at any time, which removes all locally stored data. No data collection occurs when all scanning features are disabled.
3.4 Automated Decision-Making
Our Service does not make automated decisions that produce legal effects or similarly significant effects on you. AI-powered features such as scam detection provide recommendations and assessments for your information only. You are always free to make your own decisions based on the information we provide.
If you are located in the European Economic Area, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, as provided under Article 22 of the GDPR.
4. Analytics and Tracking Technologies
4.1 Google Analytics
We use Google Analytics 4 ("GA4"), a web analytics service provided by Google LLC, to help us understand how visitors use our Service. Google Analytics uses cookies and similar technologies to collect and analyze information about use of the Service.
Google Analytics collects:
- Page views and user interactions
- Device and browser characteristics
- Geographic location (country, region, city level based on IP address)
- Session and engagement metrics
- Traffic sources and referral information
User Identification:
For registered users, we may use Google Analytics' User-ID feature to associate your activity across different sessions and devices with your account. This helps us understand how you interact with our Service over time and improve your experience. This data is associated with a unique identifier, not your personal details, within Google Analytics.
Data Processing:
Google may use the data collected to contextualize and personalize the ads of its own advertising network. Google's ability to use and share information collected by Google Analytics is governed by the Google Analytics Terms of Service and the Google Privacy Policy.
4.2 Opting Out of Analytics
You can opt out of Google Analytics by:
- Installing the Google Analytics Opt-out Browser Add-on
- Adjusting your browser settings to reject cookies
- Using browser privacy features or extensions that block tracking
4.3 Essential Cookies
We use essential cookies that are strictly necessary for the operation of our Service. These include session cookies to maintain your login state and preference cookies to remember your settings. These cookies cannot be disabled as they are required for the Service to function.
4.4 Do Not Track Signals
Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites you visit indicating that you do not want to be tracked. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, our Service does not respond to DNT signals. However, you can use the opt-out methods described in Section 4.2 to limit tracking on our Service.
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Service Delivery
- Provide, maintain, and improve our educational resources and tools
- Process your account registration and manage your subscription
- Respond to your inquiries and provide customer support
- Send transactional emails (account confirmations, password resets, subscription updates)
- Process data broker removal requests on your behalf
- Monitor data breaches and alert you if your information is found in a known breach
5.2 Communication
- Send our newsletter with cybersecurity tips and scam alerts (with your consent)
- Notify you about important security threats relevant to your region
- Send breach monitoring alerts when your email is found in a data breach
- Inform you of changes to our Service or policies
5.3 Improvement and Analytics
- Analyze usage patterns to improve our content and user experience
- Develop new features and educational resources
- Monitor and analyze trends, usage, and activities
- Detect, investigate, and prevent fraudulent or unauthorized access
5.4 Legal and Safety
- Comply with legal obligations and respond to lawful requests
- Protect the rights, property, and safety of GetCyberRight and our users
- Enforce our Terms of Service and other policies
6. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties.
We may share your information in the following limited circumstances:
6.1 Service Providers
We work with trusted third-party service providers who assist us in operating our Service:
- Payment Processors: Payment processing is handled by PCI-DSS compliant third-party providers. We do not store your full payment card details on our servers.
- Google Analytics: Website analytics and performance measurement
- Anthropic: Powering our Dezi AI assistant. Conversations are processed under our commercial agreement. Anthropic does not use your data to train its models.
- Replit: Application hosting and infrastructure
- Email service providers: Newsletter and transactional email delivery
These providers are contractually obligated to protect your information and may only use it to perform services on our behalf. We do not share more information with service providers than is necessary for them to perform their specific function.
6.2 Data Broker Removal Services
When you use our data broker removal service, we submit opt-out and removal requests to data brokers on your behalf. This requires sharing certain personal information (such as your name and email address) with those data brokers solely for the purpose of identifying and removing your records from their databases. We only share the minimum information necessary to complete the removal request.
6.3 Legal Requirements
We may disclose your information if required to do so by law or in order to:
- Respond to valid legal process (subpoena, court order, government request)
- Protect our legal rights or defend against legal claims
- Prevent fraud, security threats, or illegal activity
- Protect the safety of any person
6.4 Business Transfers
If GetCyberRight is involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.
6.5 Aggregated Data
We may share aggregated, anonymized data that cannot reasonably be used to identify you for research, analysis, or improving cybersecurity awareness in the broader community.
7. Data Security
We implement robust security measures to protect your personal information:
- Encryption in Transit: All data transmitted to and from our Service uses TLS/SSL encryption (HTTPS)
- Encryption at Rest: Sensitive data stored in our databases is encrypted
- Password Security: Passwords are hashed using bcrypt with industry-standard salt rounds and are never stored in plain text
- Access Controls: Strict internal access controls limit who can access personal data, following the principle of least privilege
- Regular Audits: We regularly review and update our security practices and conduct vulnerability assessments
- Secure Infrastructure: Our Service is hosted on enterprise-grade infrastructure with security certifications
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks and other security vulnerabilities
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Data Breach Notification
In the event of a data breach that affects your personal information, we are committed to notifying you promptly. Our breach notification procedures include:
- Investigating the breach to determine the scope and nature of the compromised data
- Notifying affected users by email within 72 hours of confirming the breach, as required by applicable law
- Providing details about the nature of the breach, the types of information involved, and the steps we are taking to address it
- Offering guidance on steps you can take to protect yourself
- Reporting the breach to relevant regulatory authorities as required by applicable law, including state attorneys general and data protection authorities
9. Data Retention
We retain your personal information for as long as necessary to:
- Provide you with the Service and fulfill the purposes described in this policy
- Comply with legal obligations (such as tax and accounting requirements)
- Resolve disputes and enforce our agreements
Specific retention periods:
- Account data: Retained while your account is active. When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal purposes.
- Analytics data: Retained according to Google Analytics' data retention settings (currently set to 14 months for user-level data).
- Breach monitoring data: Email addresses submitted for breach monitoring are retained as long as you maintain an active monitoring subscription. You can request removal at any time.
- AI assistant conversations: Conversations with Dezi are retained for up to 30 days to improve service quality and then automatically deleted.
- Security scan results (server): Results from scam detection and URL scanning tools are not retained on our servers for free-tier users. Professional subscribers may have server-side scan history retained for up to 90 days.
- Security scan results (extension): The GCR Scam Guard browser extension stores a local history of recent scans on your device using your browser's storage. This data remains on your device and is never sent to our servers. You can clear it at any time through your browser settings.
10. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
10.1 General Rights (All Users)
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Receive your data in a structured, commonly used, machine-readable format
- Opt-out: Unsubscribe from marketing communications at any time using the unsubscribe link in any email
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal
10.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by businesses
- Right to opt out of the sale or sharing of personal information (we do not sell or share your data for cross-context behavioral advertising)
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information
We do not sell personal information as defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA.
10.3 Virginia Residents (VCDPA)
If you are a Virginia resident, you have the following rights under the Virginia Consumer Data Protection Act:
- Right to confirm whether we are processing your personal data and to access that data
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to obtain a portable copy of your personal data
- Right to opt out of the processing of your personal data for targeted advertising, sale, or profiling
10.4 Colorado Residents (CPA)
If you are a Colorado resident, you have similar rights under the Colorado Privacy Act, including:
- Right to opt out of the processing of personal data for targeted advertising or the sale of personal data
- Right to access, correct, and delete your personal data
- Right to data portability
10.5 Connecticut, Utah, and Other State Residents
Residents of Connecticut (CTDPA), Utah (UCPA), Montana (MCDPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy laws have similar rights regarding access, correction, deletion, portability, and opt-out of targeted advertising or sale of personal data. We honor these rights for all users regardless of location.
10.6 European Economic Area Residents (GDPR)
If you are in the EEA, you have rights under the General Data Protection Regulation:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right not to be subject to automated decision-making, including profiling
- Right to lodge a complaint with your local data protection supervisory authority
Our legal bases for processing your data include: consent (where you have given it), contract performance (where processing is necessary to fulfill our agreement with you), legitimate interests (such as improving our Service and ensuring security), and compliance with legal obligations.
10.7 United Kingdom Residents (UK GDPR)
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation and the Data Protection Act 2018. You may contact the Information Commissioner's Office (ICO) if you have concerns about how your data is being processed.
10.8 Exercising Your Rights
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or sooner as required by applicable law). We will not charge a fee to process your request unless it is clearly unfounded or excessive. We may request specific information from you to verify your identity before processing your request.
If we decline your request, we will inform you of the reasons and your right to appeal. You may also contact your local data protection authority to file a complaint.
11. Children's Privacy
Our Service provides educational content designed for various age groups, including children. However, account registration and data collection features are intended for users 13 years of age or older.
We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected]. If we discover that a child under 13 has provided personal information without parental consent, we will promptly delete it.
For our Kids Digital Safety Hub content, no account or personal information is required to access the educational materials. These resources are designed to be used with parental supervision.
12. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that are different from the laws of your country of residence.
We take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy, including:
- Using Standard Contractual Clauses approved by the European Commission where required for transfers from the EEA
- Ensuring service providers maintain appropriate security measures and data protection agreements
- Implementing supplementary technical and organizational measures where necessary
13. Third-Party Links and Integrations
Our Service may contain links to third-party websites and services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
We encourage you to review the privacy policy of every site you visit. When we link to government resources (FTC, FBI, CISA), those sites are governed by their own privacy policies.
Our social media presence (LinkedIn, Facebook, Instagram) is subject to the privacy policies of those respective platforms. Any interactions you have with our content on those platforms are governed by the platform's privacy policy.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page with a new "Last Updated" date
- Sending an email to registered users (for significant changes)
- Displaying a prominent notice on our Service
We encourage you to review this Privacy Policy periodically for any changes. Changes are effective when they are posted on this page. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
ColorCode Solutions LLC
Operating as GetCyberRight
4030 Wake Forest Rd STE 349
Raleigh, NC 27609
United States
Privacy Inquiries: [email protected]
General Support: [email protected]
For data protection inquiries from the European Economic Area or United Kingdom, you may also contact your local data protection authority.