Last Updated: May 25, 2026

Privacy Policy

1. Who We Are

BESTcyberIQ is operated by BESTulaba LLC, a Massachusetts limited liability company. Contact: william@bestcyberiq.com, Natick, MA 01760

2. Information We Collect

Information you provide:

  • Account registration: email address and password
  • Company profile: company name, industry, employee count, state, website, contact name, contact title, and company logo (stored in Supabase Storage)
  • Personal profile: first name, last name, job title, phone number
  • Recovery email address and verification status (optional — set by user for account offboarding)
  • Badge display name preference
  • Support and feedback messages submitted through the in-app Feedback form
  • Assessment responses: your answers to the 98 NIST CSF 2.0 assessment questions
  • Payment information: processed directly by Stripe — we never store or access card numbers

Information collected automatically:

  • Usage data and logs (page views, feature usage, access times, and platform activity events such as completing assessments, downloading reports, and managing account settings — collected for operational support, security monitoring, and service improvement)
  • IP address and approximate location derived from IP
  • Authentication events: login timestamps, MFA enrollment and verification events, SSO domain configuration
  • Share link activity: when a public badge link is generated, viewed, or revoked
  • Assessment metadata: completion timestamps, question response history, score history
  • Device and browser information

3. How We Use Your Information

We use your information to:

  • Provide and operate the Service
  • Generate your assessment scores, reports, and recommendations
  • Send transactional emails (assessment summaries, account notifications, trial reminders)
  • Process payments via Stripe
  • Comply with legal obligations
  • Improve the Service through anonymized, aggregated analysis

We do not sell your personal information or assessment data to third parties. We do not share your data with advertisers.

4. Data Role Clarification

BESTulaba LLC acts as the data controller for account and profile information you provide. Your assessment responses are processed solely to deliver the Service to you. We do not access your assessment data for any purpose other than providing the Service, unless you have specifically requested we do so.

5. Data Storage and Security

Your data is stored in Supabase (PostgreSQL) hosted on AWS infrastructure. Data is encrypted at rest and in transit using TLS 1.2 or higher. Access is restricted by Row Level Security policies — each user can only access their own data. We implement reasonable technical and organizational measures to protect your information, though no method of transmission or storage is 100% secure.

6. Third-Party Service Providers

We share data with the following providers solely to operate the Service:

  • Supabase — database and authentication (supabase.com)
  • Stripe — payment processing (stripe.com)
  • Resend — transactional email delivery (resend.com)
  • Vercel — hosting and infrastructure (vercel.com)
  • Railway — PDF generation service (railway.app)
  • GitHub — source code hosting and dependency security scanning (github.com)
  • Sentry — production error monitoring and alerting (sentry.io)

Each provider has its own privacy policy and data protection obligations. We do not authorize these providers to use your data for their own purposes.

7. Legal Disclosures

We may disclose your information when we believe disclosure is necessary to: (a) comply with applicable law or legal process; (b) respond to requests from government or law enforcement authorities; (c) protect the rights, property, or safety of BESTulaba LLC, our users, or the public; or (d) enforce our Terms of Service.

8. Business Transfers

In the event of a merger, acquisition, sale of assets, or financing involving BESTulaba LLC, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service of any change in ownership or use of your personal information.

9. Your Rights

Depending on your location, you may have rights under GDPR, CCPA, Massachusetts data protection law, or other applicable regulations, including:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Request your assessment data in a portable format
  • Opt-out: Opt out of any non-essential communications

To exercise these rights, email william@bestcyberiq.com. We will respond within 30 days.

10. Data Retention

We retain your data as follows:

  • Active account data: retained while your account is active.
  • Assessment responses and scores: retained for the life of your account. Assessment history drives your score trend chart and benchmark comparisons.
  • Audit and activity logs: retained based on your subscription tier —
    • Free: 30 days
    • Report: 30 days
    • Pro: 90 days
    • Team: 1 year
    • Enterprise: 1 year (extendable to 3 years with the Log Retention add-on)
  • PDF reports: retained for the life of your account or the duration of your Report tier access (1 year from purchase), whichever is longer.
  • Support and feedback messages: retained for up to 2 years for quality and legal purposes.
  • Backups: database backups are retained per Supabase's standard backup policy. Backups may persist for a short period after account deletion as part of the normal backup rotation cycle.
  • Account deletion: when you request account deletion, we process the request and complete removal of your personal data within 30 days. Within those 30 days, you may email william@bestcyberiq.com to request restoration. After 30 days, your data cannot be recovered. Anonymized, aggregated data (such as industry benchmark scores) may be retained indefinitely.

To request data export or deletion, email william@bestcyberiq.com. We will respond within 30 days.

11. Cookies

We use session cookies strictly for authentication. We do not use advertising, tracking, or third-party analytics cookies.

12. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from minors.

13. Changes to This Policy

We will notify you of material changes by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

BESTulaba LLC · william@bestcyberiq.com · Natick, MA 01760

Also read our Terms of Service