Legal
Privacy Policy
Last updated: July 2026
Introduction
CyberScore is a free cybersecurity assessment tool operated by CyberSecurity NonProfit (CSNP), a 501(c)(3) non-profit organization. This Privacy Policy describes how we collect, use, store, and protect your information when you use CyberScore.
By using CyberScore, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the service.
Data We Collect
We collect the minimum data necessary to provide the CyberScore service. Where possible, we anonymize data at the point of collection:
- Account information: Name, email address, and organization name provided during registration.
- Email addresses submitted for scanning: Personal email addresses you submit to check against known data breaches. Email addresses are stored in masked form (e.g., j***@example.com) and looked up using one-way cryptographic hashes (SHA-256). We do not retain your full plaintext email address in scan records.
- Domain names: Business domains you submit for security analysis, including DNS, TLS, and email security configuration checks.
- Employee email breach data: For verified business domains, the domain owner may provide employee email addresses to check against known breach databases. These addresses are stored while the domain claim remains active, because monitoring requires the actual address. They are removed when the claim is removed, and unverified claims have their employee lists deleted automatically after 30 days of inactivity.
- Scan results: Security assessment results generated from your submitted data.
- Usage data: Error logs and performance data collected through our error monitoring service to maintain service reliability.
How We Use Your Data
- To perform cybersecurity assessments and generate your CyberScore.
- To provide personalized security recommendations and action plans.
- To send notifications about new breaches affecting your monitored accounts (if opted in).
- To maintain and improve the CyberScore service.
- To generate anonymized, aggregated statistics for CSNP impact reporting to donors and grant providers. These reports contain no personally identifiable information.
What We Do Not Do
- We do not sell, rent, or trade your personal data to any third party.
- We do not use your data for advertising or marketing purposes.
- We do not share individual scan results with any third party without your explicit consent.
Third-Party Services
CyberScore integrates with the following third-party services to provide its functionality. Each service processes only the minimum data required for its specific purpose:
| Service | Purpose | Data Shared |
|---|---|---|
| Have I Been Pwned | Breach data lookup | Email addresses (via k-anonymity API) |
| Supabase | Authentication and database | Account data, scan results |
| SendGrid | Transactional email delivery | Email address, notification content |
| Sentry | Error monitoring | Error logs, performance data (no PII) |
| Upstash Redis | Rate limiting | Hashed request identifiers |
| Google Custom Search | Exposure checks | Search queries related to submitted data |
Each third-party service is governed by its own privacy policy. We encourage you to review their policies independently.
Data Retention
- Personal scan data: Personal breach scan results are automatically and permanently deleted after 6 months. This deletion is performed daily by an automated process and cannot be reversed.
- Business scan data: Business domain scan results are retained to provide historical comparison and trend analysis for your account. Employee email details inside scan results older than 6 months are removed automatically; the scores and counts are kept. You may delete your entire account at any time.
- Employee breach data: Cached employee breach lookup results are deleted after 90 days. Employee email lists on unverified business claims are deleted automatically after 30 days of inactivity.
- Account data: Account data is retained for as long as your account remains active.
- Account deletion: You may delete your account at any time through the Settings page. Upon deletion, all associated personal data and scan results are permanently removed.
- Anonymized data: Anonymized, aggregated data used for impact reporting may be retained after account deletion, as it contains no personally identifiable information.
Data Security
We implement technical and organizational measures to protect your data, including:
- Email addresses in scan records are masked at the point of storage and looked up using irreversible cryptographic hashes (SHA-256), so plaintext email addresses are not retained in our database.
- Automated data retention enforcement permanently deletes personal scan data older than 6 months.
- Row-level security policies ensure users can only access their own data.
- All API endpoints are rate-limited to prevent abuse.
For detailed information about our security practices, please see our Security page.
Your Rights
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Delete your account and all associated data through the Settings page.
- Export your scan results and data.
- Opt out of non-essential communications at any time.
Children's Privacy
CyberScore is not directed at individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of CyberScore after changes constitutes acceptance of the revised policy.
Contact
For questions or concerns about this Privacy Policy or your data, contact us at privacy@csnp.org.