Privacy Policy

Effective Date: February 19, 2026

1. Introduction

Welcome to White Dragon Cyber Security LLC (the "Service"), a white-hat phishing simulation platform designed to help organizations enhance their cybersecurity awareness. We provide simulated phishing exercises to companies ("Clients") who subscribe to our services, allowing them to test and train their employees in a controlled environment. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you interact with our Service.

We are committed to protecting your privacy. We do not sell your personal data to third parties. All data is stored securely and privately on our servers. This Policy applies to all users, including Client administrators, employees participating in simulations ("End Users"), and visitors to our website.

By using our Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use our Service.

Note: We are currently in the process of establishing a formal business address and contact email. Until then, please contact us via [placeholder for temporary contact method, e.g., the website contact form].

2. Information We Collect

We collect information to provide and improve our phishing simulation services. The types of information we may collect include:

2.1 Personal Information from Clients

  • Contact details: Name, email address, phone number, and company information provided during account registration or subscription.

  • Billing information: Payment details (processed securely via third-party payment processors; we do not store full credit card information).

  • Usage data: Details about how Clients configure simulations, such as target lists and campaign settings.

2.2 Information from End Users (Employees)

  • Interaction data: Responses to simulated phishing emails, including clicks, opens, and reporting actions. This may include IP addresses, device information, and timestamps.

  • Identifiable data: Email addresses and names provided by the Client for simulation purposes. We do not collect additional personal details unless necessary for the simulation.

2.3 Automatically Collected Information

  • Log data: Browser type, operating system, pages visited, time and date of visits, and other system data when you access our website or Service.

  • Cookies and similar technologies: We use cookies to track session information, improve user experience, and analyze usage patterns. You can manage cookie preferences through your browser settings.

We only collect data that is necessary for delivering our services. For End Users, data collection is typically authorized by your employer (our Client) as part of their security training program.

3. How We Use Your Information

We use the collected information for the following purposes:

  • To provide and maintain our Service: Including running phishing simulations, generating reports for Clients, and analyzing employee performance to help improve security awareness.

  • To communicate: Sending service-related emails, such as simulation notifications (for End Users) or account updates (for Clients).

  • To process payments: Handling subscriptions and billing for Clients.

  • To improve our Service: Analyzing aggregated and anonymized data to enhance simulation effectiveness and user experience.

  • To comply with legal obligations: Such as responding to lawful requests from authorities.

  • For security: Detecting and preventing fraud, abuse, or technical issues.

We do not use your data for marketing purposes without explicit consent. All data processing is limited to what is necessary for our white-hat phishing simulation services.

4. Sharing Your Information

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

  • With service providers: Third-party vendors who assist us in operating the Service, such as cloud hosting providers, analytics tools, or payment processors. These providers are contractually obligated to protect your data and use it only for the services they provide to us.

  • With Clients: For End Users, we share simulation results (e.g., interaction data) with your employer to generate reports and insights.

  • For legal reasons: If required by law, such as in response to a subpoena, court order, or regulatory request.

  • In business transfers: If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to continued privacy protections.

We ensure that any shared data is protected through appropriate safeguards, such as data processing agreements.

5. Data Security

We take data security seriously and implement reasonable administrative, technical, and physical measures to protect your information from unauthorized access, loss, misuse, or alteration. This includes encryption in transit and at rest, access controls, and regular security audits.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

Data is stored privately on secure servers located in [insert location, e.g., the United States or EU]. We retain data only as long as necessary for the purposes outlined in this Policy, or as required by law. For example, simulation data may be retained for the duration of the Client's subscription plus a reasonable period for reporting.

6. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information, such as under GDPR (for EU residents) or CCPA (for California residents). These may include:

  • Access: Request a copy of your personal data.

  • Correction: Update inaccurate or incomplete data.

  • Deletion: Request removal of your data, subject to legal obligations.

  • Objection: Object to processing in certain circumstances.

  • Portability: Receive your data in a structured, machine-readable format.

  • Withdraw consent: Where processing is based on consent.

To exercise these rights, contact us at [placeholder for contact email]. We will respond within a reasonable timeframe (e.g., 30 days). For End Users, some requests may need to be directed through your employer.

We do not engage in automated decision-making that produces legal effects on you.

7. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware of such collection, we will take steps to delete it.

8. International Data Transfers

If you are located outside the United States, your data may be transferred to and processed in the US or other countries. We ensure such transfers comply with applicable laws, using mechanisms like Standard Contractual Clauses where required.

9. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated Policy on our website and updating the effective date. Your continued use of the Service after changes constitutes acceptance.