Privacy Policy
Last updated: March 29, 2026
Introduction
Operation Cyber Aware ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites at operationcyberaware.com and intel.operationcyberaware.com (collectively, the "Site"). Please read this policy carefully.
Operation Cyber Aware is the data controller responsible for your personal data. You can contact us at privacy@operationcyberaware.com for any privacy-related inquiries.
Personal Data We Collect
Information you provide directly:
- Email address when subscribing to threat intelligence briefings or our mailing list
- Name, email, and message content when submitting contact or signup forms
- Account credentials (name, email, profile data) when creating an account on our threat intelligence platform via Clerk
- Billing information when purchasing a subscription (processed by Stripe; we do not store your full payment card details)
Information collected automatically:
- IP address, browser type and version, operating system, and device information
- Pages visited, referring URLs, and browsing behavior
- Approximate geographic location derived from IP address
- Cookie identifiers and analytics data (via Google Analytics, only with your consent)
- Aggregated, non-personal page view data (via Plausible Analytics on the threat intelligence platform; Plausible does not use cookies and does not collect personal data)
Information from third-party services:
- Authentication data from Clerk (e.g., email, name, session tokens) when you sign in
- Transaction and subscription status data from Stripe when you make a purchase
How We Use Your Information
We process your personal data for the following purposes:
- Send you threat intelligence briefings, breach alerts, and other email communications you have requested
- Process form submissions through our website
- Manage your account and authenticate your access to the threat intelligence platform
- Process payments and manage subscriptions
- Customize and improve our services and communications
- Analyze website usage and performance (via Google Analytics with your consent, and Plausible Analytics)
- Prevent fraud and ensure the security of our website
- Comply with legal obligations
Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:
- Consent — For analytics cookies (Google Analytics), marketing emails, and newsletter subscriptions. You may withdraw consent at any time.
- Performance of a contract — For managing your account, processing payments, and delivering subscription services you have purchased.
- Legitimate interests — For improving our website and services, preventing fraud, and ensuring security. We balance these interests against your rights and freedoms.
- Legal obligation — For retaining records required by tax, accounting, or other applicable laws, and for responding to lawful requests from authorities.
Data Sharing and Third-Party Services
Your personal data will be treated as strictly confidential. We do not sell, rent, or trade your personal information to third parties. We may share information with the following categories of service providers who assist in operating our website:
- Formspree — We use Formspree to process form submissions on our website. When you submit a form, your data (such as your email address and any information you provide) is transmitted through Formspree's servers. Formspree processes this data on our behalf and is contractually obligated to protect it. For details, see Formspree's Privacy Policy.
- Google Analytics — We use Google Analytics to understand how visitors interact with our website. Analytics cookies are only loaded after you provide explicit consent via our cookie banner. See the "Google Analytics" section below for full details.
- Plausible Analytics — Our threat intelligence platform at intel.operationcyberaware.com uses Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. For details, see Plausible's Data Policy.
- Clerk — We use Clerk for authentication and account management on our threat intelligence platform. Clerk processes your name, email address, and session data. For details, see Clerk's Privacy Policy.
- Stripe — We use Stripe to process payments and manage subscriptions. Stripe acts as an independent data controller for payment card data. We receive only transaction identifiers, subscription status, and billing email from Stripe. For details, see Stripe's Privacy Policy.
- Email service providers — We use third-party email infrastructure to deliver threat briefings and other communications you have subscribed to. These providers process your email address on our behalf solely to deliver messages.
We may also share information with government agencies when legally required to do so.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:
- Account data — Retained while your account is active, plus 30 days after account deletion to allow for recovery
- Payment and transaction records — Retained for 7 years as required by tax and accounting regulations
- Email subscription data — Retained until you unsubscribe, plus 30 days to process the request
- Form submissions — Retained for 12 months, then deleted
- Analytics data — Google Analytics data is aggregated and does not personally identify you after collection; we have configured a 14-month data retention period in Google Analytics
- Server logs — Retained for 90 days for security and troubleshooting purposes
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate or incomplete personal data
- Erasure — Request deletion of your personal data, subject to legal retention requirements
- Restriction of processing — Request that we limit how we use your data in certain circumstances
- Data portability — Request a copy of your data in a structured, machine-readable format
- Object to processing — Object to processing based on legitimate interests, including direct marketing
- Withdraw consent — Withdraw consent for any processing based on consent at any time, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact us at privacy@operationcyberaware.com. We will respond within 30 days of receiving your request.
If you are in the European Economic Area or United Kingdom, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
Security Measures
We employ encryption, firewalls, and authentication controls to protect your personal information. Our staff use secure credentials to access and protect your data. While we strive to protect your information, no method of electronic transmission or storage is 100% secure.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification will be provided via email and, where appropriate, a prominent notice on our website. The notification will describe the nature of the breach, the likely consequences, and the measures we are taking to address it.
International Data Transfers
Operation Cyber Aware is based in the United States. If you access our Site from outside the United States, your personal data may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
Our third-party service providers (Formspree, Google, Clerk, Stripe) are also based in the United States. Where required by GDPR, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms, to ensure that your personal data receives an adequate level of protection when transferred outside the European Economic Area or United Kingdom.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete — You may request deletion of your personal information, subject to legal exceptions.
- Right to correct — You may request correction of inaccurate personal information.
- Right to opt-out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required.
- Right to limit use of sensitive personal information — We do not use sensitive personal information beyond what is necessary to provide our services.
- Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information collected in the preceding 12 months:
- Identifiers — Name, email address, IP address, account credentials
- Internet or other electronic network activity — Browsing history, pages visited, interaction with our website
- Commercial information — Subscription and transaction history
- Geolocation data — Approximate location derived from IP address
We have not sold personal information in the preceding 12 months. To exercise your California privacy rights, contact us at privacy@operationcyberaware.com. You may also designate an authorized agent to submit requests on your behalf with written permission.
Email Communications
When you subscribe to our mailing list or threat intelligence briefings, we collect your email address to send you the communications you requested. We may also send you occasional updates about new resources, security alerts, or changes to our services. We do not sell or rent our email lists to third parties.
Every email we send includes a clear unsubscribe link and identifies Operation Cyber Aware as the sender. You can opt out of any or all email communications at any time by clicking the unsubscribe link or by contacting us at privacy@operationcyberaware.com. We will process your unsubscribe request within 10 business days as required by the CAN-SPAM Act and will not send further marketing emails after your request is processed.
Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC, to analyze how visitors use our website. Google Analytics cookies are only loaded after you provide explicit consent via our cookie consent banner. If you decline analytics cookies, Google Analytics will not be activated and no data will be collected.
When enabled, Google Analytics collects information such as how often users visit the site, what pages they view, and what other sites they visited before arriving. We have enabled IP anonymization so that your full IP address is not stored. We use this data solely to improve our website and content. We do not combine Google Analytics data with other data we hold about you.
For more information on how Google collects and processes data, visit Google's Privacy Policy. You can also prevent Google Analytics from collecting your data by installing the Google Analytics opt-out browser add-on, adjusting your cookie preferences via our cookie settings, or declining analytics cookies when prompted.
Cookies
Our website uses cookies and similar technologies. We ask for your consent before setting any non-essential cookies. You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of any page.
The cookies we use include:
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| oca_cookie_consent | Operation Cyber Aware | Stores your cookie consent preferences | Essential | Persistent (localStorage) |
| _ga | Google Analytics | Distinguishes unique visitors | Analytics | 2 years |
| _gid | Google Analytics | Distinguishes unique visitors | Analytics | 24 hours |
| _gat | Google Analytics | Throttles request rate | Analytics | 1 minute |
Analytics cookies are only set after you provide explicit consent via our cookie banner. You can change your preferences at any time by clicking Cookie Settings or through your browser settings.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Our website does not currently respond to DNT signals in a standardized way, as there is no industry-wide standard for how websites should respond to these signals. However, you can manage tracking preferences through our cookie consent banner and by using the Google Analytics opt-out browser add-on.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you, as described in GDPR Article 22.
Children's Privacy
Our Site is not directed at children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@operationcyberaware.com.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@operationcyberaware.com.