Privacy Policy
Last updated: May 22, 2026
What We Collect
Cyber Command Center collects the minimum data needed to provide synced training progress:
- Account data: email address, display name, and optional Google login identifier.
- Progress data: task completion status, study notes, timer sessions, and simulation-risk event metadata.
- Authentication data: hashed passwords for email login, hashed session tokens, CSRF token hashes, password-reset token hashes, and authenticator MFA state when enabled.
- Security telemetry: CSP violation reports, user agent, and a hashed IP value for abuse triage.
If you use guest mode, no account data is collected. Guest progress, notes, sessions, and simulation events stay in your browser.
How We Use It
Your data is used to save and sync your training progress across devices, authenticate your account, support MFA and password reset, and investigate security issues. We do not sell, share, or use your data for advertising.
Third-Party Services
Data Storage
Signed-in account data is stored in a self-hosted PostgreSQL database in Docker. PostgreSQL is private to the backend network and is not exposed directly to the public internet.
Data Lifecycle
- Guest mode: progress, notes, study sessions, and simulation events stay in browser local storage until you clear site data or use the Privacy Controls panel.
- Signed-in mode: account, progress, notes, session data, and simulation-risk events stay in PostgreSQL until you delete them through the Privacy Controls panel or request manual removal.
- Backups: deleted account data may remain in backups for the configured backup retention window.
Do not store passwords, API keys, client-private data, payment details, or live incident evidence in task notes or simulation-event labels.
Data Deletion and Export
The dashboard includes a Privacy Controls panel:
- Export My Data: downloads a JSON snapshot of your profile, task progress, notes, study sessions, and simulation events. In guest mode it dumps the corresponding local-storage keys instead.
- Delete My Account: requires typing DELETE to confirm, plus an MFA code when MFA is enabled. It then calls the backend deletion route, removes your account and user-scoped app data, clears local guest keys defensively, signs you out, and reloads the page.
Security
Security controls, known gaps, and reporting steps are documented in the Security Policy.
Contact
For privacy or deletion requests, email [email protected]. For security issues, use the subject "Security report: Cyber Command Center".