SC-CPE — Privacy Policy
This policy explains what personal data SC-CPE collects, why, how long it is kept, and what rights you have over it. We aim to be direct and specific — if anything is unclear, contact us.
Last updated: 2026-04-14 | Version: v1
1. Who We Are
SC-CPE is operated by Simply Cyber LLC, a US-based limited liability company. We act as the data controller for the personal data described in this policy.
When we provide this service to residents of the European Economic Area (EEA) or the United Kingdom, we are subject to the EU General Data Protection Regulation (GDPR) by virtue of Article 3(2) — we process data of individuals in those regions and monitor their behaviour in connection with an online service directed at them. See §13 for controller contact details.
2. What We Collect and Why
We collect only the data needed to operate the service. The table below describes each category.
| Data | How it is collected and used |
|---|---|
| Legal name | Collected at registration. Used to populate your CPE certificates. This must match the name on your professional certifications — you attest to this at registration. |
| Email address | Collected at registration. Used to deliver certificate download links and service notifications (e.g., material changes to these policies). |
| YouTube channel ID | Collected when you verify your account by posting your verification code in live chat. This is the stable, unique identifier YouTube assigns to your channel. Used to match your chat messages to your SC-CPE account during attendance polling. |
| YouTube display name (most recent) | Collected as a side-effect of attendance polling. We store the most recently seen display name associated with your channel ID as a human-readable audit reference. Display names can change on YouTube; we retain only the most recent one. |
| Chat messages | We query the YouTube Live Chat API during each Daily Threat Briefing broadcast. This means we temporarily receive all chat messages posted in the Simply Cyber live chat, regardless of whether the sender is a registered SC-CPE user. We process these in memory to identify qualifying messages from registered users. What we persist long-term per message (for registered users only): message ID, channel ID, timestamp, and a SHA-256 hash of the message text. The hash lets us detect duplicate submissions without retaining the original text. Raw chat data (full message text, JSON payloads from the YouTube API) is written to Cloudflare R2 object storage in JSONL format for operational debugging. This raw data is automatically deleted after 7 days via R2 lifecycle policy. We do not retain or index chat messages from users who are not registered with SC-CPE. |
| IP address | Not stored in raw form. When your browser or API request reaches our service, we derive a one-way SHA-256 hash of your IP address for abuse-rate-limiting and fraud-detection purposes. The hash cannot be reversed to obtain your original IP address. |
We do not collect certification-body identifiers (e.g., (ISC)² member number, ISACA member ID, CompTIA CE ID). Those are attached to your submission when you upload the certificate to your CE portal, not to the certificate itself.
3. Legal Basis for Processing (GDPR)
Where the GDPR applies, we rely on the following legal bases under Article 6:
- Legitimate interests (Art. 6(1)(f)): Providing the CPE certificate service, detecting and preventing abuse, maintaining audit records for certificate integrity. Our legitimate interest in operating a trustworthy CPE programme is balanced against your privacy interests; the data collected is the minimum necessary for these purposes.
- Consent (Art. 6(1)(a)): Where we ask you to agree at registration (e.g., legal name attestation, acceptance of these policies). You may withdraw consent at any time by requesting account deletion, though this will end your ability to use the service.
4. Retention Periods
| Data | Retention period | Reason |
|---|---|---|
| Raw chat JSONL in R2 | 7 days, then auto-deleted | Operational debugging only |
| Attendance records (message hash, timestamp, channel ID) | 7 years | Supports post-audit defensibility if a cert is challenged |
| Certificate records (including the recipient name snapshot that appears on each issued certificate) | Retained indefinitely, even after account deletion | Evidentiary artefact — third parties (certification bodies like (ISC)² / ISACA / CompTIA during CPE audit; employers or compliance reviewers requesting continuing-education records) rely on these to verify CPE submissions years after issuance. Retained under GDPR Art. 17(3)(e) for the establishment, exercise or defence of legal claims. |
| Audit log | 7 years | Fraud investigation, abuse detection, legal compliance |
| Account / profile data | Until deletion request, then purged within 30 days | Service operation |
When you request account deletion, we scrub your profile-level personal identifiers (email, legal name, YouTube channel ID, most-recent display name) and rotate your dashboard access token so the account becomes inaccessible. Audit log entries referencing your account are retained for 7 years but are not used for any purpose other than integrity and fraud review. Profile scrubbing is completed immediately on request; a hard-delete of residual identifiers is completed within 30 days.
Evidentiary carve-out for issued certificates. Each certificate we issue contains a recipient name snapshot fixed at the moment of issuance. That snapshot, together with the certificate's hash and signature, is an evidentiary record relied upon by third parties (certification bodies such as (ISC)², ISACA, and CompTIA during CPE audit cycles; employers or compliance reviewers requesting continuing-education records) to verify CPE attendance — often years later. If we erased or modified those records on account deletion, every certificate you had previously been issued would become unverifiable and we would lose the ability to defend the integrity of the programme. We therefore retain issued certificate records, including the recipient name snapshot, indefinitely under GDPR Art. 17(3)(e) ("establishment, exercise or defence of legal claims") even after you delete your account. The snapshot does not update to reflect your deletion; it reflects the name that was on the certificate at issuance.
5. Who We Share Data With
We do not sell your personal data. We share data only with the following sub-processors, who act on our instructions:
- Cloudflare, Inc. — Provides DNS, CDN, Pages (web hosting), D1 (database), R2 (object storage), Workers (serverless compute), and Turnstile (CAPTCHA). Data may be processed on Cloudflare's global network. Cloudflare acts as a data processor under its Data Processing Addendum.
- Resend, Inc. — Provides transactional email delivery (certificate links, notifications). We transmit your email address and certificate-related content to Resend for delivery.
We also query the YouTube Data API v3 (operated by Google LLC) to retrieve live chat messages and stream metadata. This is a read-only query — we do not transmit your personal data to Google. YouTube's own privacy policy governs data Google holds about you as a YouTube user.
6. Your Rights (GDPR)
If you are located in the EEA or UK, you have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data (e.g., a misspelled legal name).
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to retention obligations described above. Note: previously issued certificates, including the recipient name snapshot they carry, are retained under the Art. 17(3)(e) evidentiary carve-out described in §4.
- Data portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Complaint: Lodge a complaint with your local supervisory authority (e.g., your national data protection authority) if you believe we have not handled your data in accordance with the GDPR.
To exercise any of these rights, contact us at certs@signalplane.co with subject [PRIVACY]. We will respond within 30 days (or as required by applicable law).
7. CCPA — Do Not Sell or Share My Personal Information
For California residents: Simply Cyber LLC does not sell your personal information, and does not share your personal information with third parties for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA) and its amendments. You have the right to know what personal information we collect, request deletion, and opt out of any future sale — though we have no such sale to opt out of.
8. Cookies and Tracking
We do not use analytics cookies or any third-party tracking pixels.
Cloudflare cookies: Cloudflare may set a cookie named __cf_bm (and similar) on your device for bot management and security purposes. This is set by Cloudflare's infrastructure, not by our application code, and is necessary for the service to function. See Cloudflare's privacy policy for details.
Certificate verification: The certificate verification portal sets Cache-Control: no-store to prevent caching of certificate status information in browsers or intermediate proxies.
Local storage: If you choose "Remember this device" on your dashboard, we store your dashboard session token in your browser's localStorage. This data never leaves your device — it is not transmitted to our servers or any third party. The stored session expires automatically after 30 days. You can clear it at any time by clicking "Forget this device" on your dashboard, or by clearing your browser data.
We set no first-party analytics or tracking cookies.
9. International Data Transfers
Simply Cyber LLC is based in the United States. When you use SC-CPE, your data may be processed on Cloudflare's global network infrastructure, which operates data centres across multiple countries. Cloudflare provides Standard Contractual Clauses (SCCs) as a transfer mechanism for personal data transferred from the EEA and UK to third countries. By using the service, you acknowledge that your data may be transferred internationally in accordance with these safeguards.
10. Children
This service is not directed at children. You must be at least 13 years old to register. We do not knowingly collect personal data from individuals under 13. If you believe a child under 13 has registered, please contact us at certs@signalplane.co with subject [PRIVACY] and we will delete the account promptly.
11. Security
We take reasonable technical measures to protect your personal data:
- All traffic between your browser and the service is encrypted with TLS.
- Data stored in Cloudflare D1 is encrypted at rest.
- Registration and dashboard pages are protected with Cloudflare Turnstile CAPTCHA to prevent automated account creation.
- PDF certificates are digitally signed using the PAdES (PDF Advanced Electronic Signatures) standard so tampering is detectable on verification — any modification to the PDF after issuance invalidates the signature.
- IP addresses are hashed on receipt and never stored in raw form.
No security measure is perfect. If you discover a vulnerability, please disclose it responsibly to certs@signalplane.co with subject [SECURITY]. See our security.txt for full disclosure guidance and our expected response window.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Each version is identified by a version number and effective date at the top of this page. We will notify registered users of material changes by email. Continued use of the service after a new version takes effect constitutes acknowledgement of the updated policy.
13. Contact
Data controller: Simply Cyber LLC (United States).
All inbound email goes to one address: certs@signalplane.co. Use a subject-line prefix so the filter routes your message correctly:
- [PRIVACY] — GDPR rights requests, data-subject access, deletion questions. Response within 30 days.
- [SECURITY] — vulnerability disclosure (see also security.txt). 3-day acknowledgement SLA.
- [ACCOUNT] — general account or service questions.
- [CERT] — specific certificate disputes, revocation requests, issuance errors.
One mailbox is a deliberate choice at launch — a single address is easier to monitor and harder to overlook than a forest of aliases. Untagged messages still get read; the prefix just speeds triage.