Last Updated: April 3, 2026

Privacy Policy

1. Who We Are

BESTcyberIQ is operated by BESTulaba LLC, a Massachusetts limited liability company. Contact: william@bestcyberiq.com, Natick, MA 01760

2. Information We Collect

Information you provide:

  • Account registration: email address and password
  • Company profile: company name
  • Assessment responses: your answers to the 98 NIST CSF 2.0 assessment questions
  • Payment information: processed directly by Stripe — we never store or access card numbers

Information collected automatically:

  • Usage data and logs (page views, feature usage, access times)
  • Device and browser information

3. How We Use Your Information

We use your information to:

  • Provide and operate the Service
  • Generate your assessment scores, reports, and recommendations
  • Send transactional emails (assessment summaries, account notifications, trial reminders)
  • Process payments via Stripe
  • Comply with legal obligations
  • Improve the Service through anonymized, aggregated analysis

We do not sell your personal information or assessment data to third parties. We do not share your data with advertisers.

4. Data Role Clarification

BESTulaba LLC acts as the data controller for account and profile information you provide. Your assessment responses are processed solely to deliver the Service to you. We do not access your assessment data for any purpose other than providing the Service, unless you have specifically requested we do so.

5. Data Storage and Security

Your data is stored in Supabase (PostgreSQL) hosted on AWS infrastructure. Data is encrypted at rest, and encrypted in transit using TLS 1.2 or higher. Access is restricted by Row Level Security policies — each user can only access their own data. We implement reasonable technical and organizational measures to protect your information, though no method of transmission or storage is 100% secure.

6. Third-Party Service Providers

We share data with the following providers solely to operate the Service:

  • Supabase — database and authentication (supabase.com)
  • Stripe — payment processing (stripe.com)
  • Resend — transactional email delivery (resend.com)
  • Vercel — hosting and infrastructure (vercel.com)
  • Railway — PDF generation service (railway.app)

Each provider has their own privacy policy and data protection obligations. We do not authorize these providers to use your data for their own purposes.

7. Legal Disclosures

We may disclose your information when we believe disclosure is necessary to: (a) comply with applicable law or legal process; (b) respond to requests from government or law enforcement authorities; (c) protect the rights, property, or safety of BESTulaba LLC, our users, or the public; or (d) enforce our Terms of Service.

8. Business Transfers

In the event of a merger, acquisition, sale of assets, or financing involving BESTulaba LLC, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service of any change in ownership or use of your personal information.

9. Your Rights

Depending on your location, you may have rights under GDPR, CCPA, Massachusetts data protection law, or other applicable regulations, including:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Request your assessment data in a portable format
  • Opt-out: Opt out of any non-essential communications

To exercise these rights, email william@bestcyberiq.com. We will respond within 30 days.

10. Data Retention

We retain your data based on: (a) the duration of your account and our relationship; (b) legal, tax, and regulatory requirements; (c) security and fraud prevention needs; and (d) the nature and sensitivity of the information. Active account data is retained while your account is active. When you request account deletion, we process that request and complete removal of your personal data within 30 days. Within those same 30 days, you may email william@bestcyberiq.com to ask that your account be restored; after 30 days, your data cannot be recovered. Anonymized, aggregated data may be retained for product improvement.

11. Cookies

We use session cookies strictly for authentication. We do not use advertising, tracking, or third-party analytics cookies.

12. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from minors.

13. Changes to This Policy

We will notify you of material changes by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

BESTulaba LLC · william@bestcyberiq.com · Natick, MA 01760

Also read our Terms of Service
