Privacy Policy
This policy explains what personal data SC-CPE collects, why, how long it is kept, and what rights you have over it. We aim to be direct and specific — if anything is unclear, contact us.
Last updated: 2026-04-14 | Version: v1
1. Who We Are
SC-CPE is operated by Simply Cyber LLC, a US-based limited liability company. We act as the data controller for the personal data described in this policy.
When we provide this service to residents of the European Economic Area (EEA) or the United Kingdom, we are subject to the EU General Data Protection Regulation (GDPR) by virtue of Article 3(2) — we process data of individuals in those regions and monitor their behaviour in connection with an online service directed at them.
2. What We Collect and Why
We collect only the data needed to operate the service. The table below describes each category.
| Data | How it is collected and used |
|---|---|
| Legal name | Collected at registration. Used to populate your CPE certificates. This must match the name on your professional certifications — you attest to this at registration. |
| Email address | Collected at registration. Used to deliver certificate download links and service notifications (e.g., material changes to these policies). |
| YouTube channel ID | Collected when you verify your account by posting your verification code in live chat. This is the stable, unique identifier YouTube assigns to your channel. Used to match your chat messages to your SC-CPE account during attendance polling. |
| YouTube display name (most recent) | Collected as a side-effect of attendance polling. We store the most recently seen display name associated with your channel ID as a human-readable audit reference. Display names can change on YouTube; we retain only the most recent one. |
| Chat messages | We query the YouTube Live Chat API during each Daily Threat Briefing broadcast. This means we temporarily receive all chat messages posted in the Simply Cyber live chat, regardless of whether the sender is a registered SC-CPE user. We process these in memory to identify qualifying messages from registered users.<br><br>What we persist long-term per message (for registered users only): message ID, channel ID, timestamp, and a SHA-256 hash of the message text. The hash lets us detect duplicate submissions without retaining the original text.<br><br>Raw chat data (full message text, JSON payloads from the YouTube API) is written to Cloudflare R2 object storage in JSONL format for operational debugging. This raw data is automatically deleted after 7 days via R2 lifecycle policy. We do not retain or index chat messages from users who are not registered with SC-CPE. |
| IP address | Not stored in raw form. When your browser or API request reaches our service, we derive a one-way SHA-256 hash of your IP address for abuse-rate-limiting and fraud-detection purposes. The hash cannot be reversed to obtain your original IP address. |
| (ISC)² member number (optional) | Optionally provided at registration or profile update. If provided, it may be included on certificates to assist with (ISC)² CPE submission. You are not required to provide this. |
3. Legal Basis for Processing (GDPR)
Where the GDPR applies, we rely on the following legal bases under Article 6:
- Legitimate interests (Art. 6(1)(f)): Providing the CPE certificate service, detecting and preventing abuse, maintaining audit records for certificate integrity. Our legitimate interest in operating a trustworthy CPE programme is balanced against your privacy interests; the data collected is the minimum necessary for these purposes.
- Consent (Art. 6(1)(a)): Where we ask you to agree at registration (e.g., legal name attestation, acceptance of these policies). You may withdraw consent at any time by requesting account deletion, though this will end your ability to use the service.
4. Retention Periods
| Data | Retention period | Reason |
|---|---|---|
| Raw chat JSONL in R2 | 7 days, then auto-deleted | Operational debugging only |
| Attendance records (message hash, timestamp, channel ID) | 7 years | Supports post-audit defensibility if a cert is challenged |
| Certificate records | 7 years | Certificate verification and audit trail |
| Audit log | 7 years | Fraud investigation, abuse detection, legal compliance |
| Account / profile data | Until deletion request, then purged within 30 days | Service operation |
When you request account deletion, we perform a soft-delete of your profile and personal identifiers. Audit log entries referencing your account are retained for 7 years but are not used for any purpose other than integrity and fraud review. A hard-delete of all personal identifiers is completed within 30 days of a verified request, except where retention is required by law.
5. Who We Share Data With
We do not sell your personal data. We share data only with the following sub-processors, who act on our instructions:
- Cloudflare, Inc. — Provides DNS, CDN, Pages (web hosting), D1 (database), R2 (object storage), Workers (serverless compute), and Turnstile (CAPTCHA). Data may be processed on Cloudflare's global network. Cloudflare acts as a data processor under its Data Processing Addendum.
- Resend, Inc. — Provides transactional email delivery (certificate links, notifications). We transmit your email address and certificate-related content to Resend for delivery.
We also query the YouTube Data API v3 (operated by Google LLC) to retrieve live chat messages and stream metadata. This is a read-only query — we do not transmit your personal data to Google. YouTube's own privacy policy governs data Google holds about you as a YouTube user.
6. Your Rights (GDPR)
If you are located in the EEA or UK, you have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data (e.g., a misspelled legal name).
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to retention obligations described above.
- Data portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Complaint: Lodge a complaint with your local supervisory authority (e.g., your national data protection authority) if you believe we have not handled your data in accordance with the GDPR.
To exercise any of these rights, contact us at privacy@simplycyber.io. We will respond within 30 days (or as required by applicable law).
7. CCPA — Do Not Sell or Share My Personal Information
For California residents: Simply Cyber LLC does not sell your personal information, and does not share your personal information with third parties for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA) and its amendments. You have the right to know what personal information we collect, request deletion, and opt out of any future sale — though we have no such sale to opt out of.
8. Cookies and Tracking
We do not use analytics cookies or any third-party tracking pixels.
Cloudflare cookies: Cloudflare may set a cookie named __cf_bm (and similar) on your device for bot management and security purposes. This is set by Cloudflare's infrastructure, not by our application code, and is necessary for the service to function. See Cloudflare's privacy policy for details.
Certificate verification: The certificate verification portal sets Cache-Control: no-store to prevent caching of certificate status information in browsers or intermediate proxies.
We set no first-party analytics or tracking cookies.
9. International Data Transfers
Simply Cyber LLC is based in the United States. When you use SC-CPE, your data may be processed on Cloudflare's global network infrastructure, which operates data centres across multiple countries. Cloudflare provides Standard Contractual Clauses (SCCs) as a transfer mechanism for personal data transferred from the EEA and UK to third countries. By using the service, you acknowledge that your data may be transferred internationally in accordance with these safeguards.
10. Children
This service is not directed at children. You must be at least 13 years old to register. We do not knowingly collect personal data from individuals under 13. If you believe a child under 13 has registered, please contact us at privacy@simplycyber.io and we will delete the account promptly.
11. Security
We take reasonable technical measures to protect your personal data:
- All traffic between your browser and the service is encrypted with TLS.
- Data stored in Cloudflare D1 is encrypted at rest.
- Registration and dashboard pages are protected with Cloudflare Turnstile CAPTCHA to prevent automated account creation.
- PDF certificates are digitally signed using the PAdES (PDF Advanced Electronic Signatures) standard to prevent tampering.
- IP addresses are hashed on receipt and never stored in raw form.
No security measure is perfect. If you discover a vulnerability, please disclose it responsibly to privacy@simplycyber.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Each version is identified by a version number and effective date at the top of this page. We will notify registered users of material changes by email. Continued use of the service after a new version takes effect constitutes acknowledgement of the updated policy.
13. Contact
For privacy-related questions, requests, or concerns, contact us at privacy@simplycyber.io.