Privacy Policy

1. Who We Are

Data Defenders, LLC ("Data Defenders," "we," "our," or "us") is a Delaware-based cybersecurity and AI risk consulting firm. Our website is located at data-defendersllc.com. For privacy-related inquiries, contact us at admin-support@data-defendersllc.com.

This Privacy Policy explains how we collect, use, store, and protect personal information submitted through our website and AI Readiness Snapshot tool, and describes your rights regarding that information.

2. Information We Collect

We collect information you voluntarily provide through our contact forms and AI Readiness Snapshot tool, including:

• Name, corporate email address, company name, and phone number
• Contact preferences (preferred contact method, timezone)
• Self-assessment responses from the AI Readiness Snapshot tool (maturity scores across 9 domains)
• Any notes or context you choose to include in the optional "Anything else you'd like us to know" field
• Marketing opt-in preference

We do not collect payment information, government identification numbers, health data, or any other sensitive personal data through our website.

3. Lawful Basis for Processing (GDPR)

For individuals located in the European Union or United Kingdom, we process your personal data on the following legal bases under GDPR Article 6:

• Contract performance — Processing necessary to respond to your inquiry or deliver the AI Readiness Snapshot PDF you requested.
• Legitimate interests — Processing necessary for our legitimate interest in managing client relationships, improving our services, and understanding prospective client needs. We have balanced these interests against your rights and determined they do not override your fundamental rights.
• Consent — Marketing email communications are sent only where you have explicitly opted in. You may withdraw this consent at any time.

4. How We Use Your Information

Information you submit is used solely to:

• Respond to your inquiry or consultation request
• Deliver your AI Readiness Snapshot scorecard (PDF)
• Send occasional cybersecurity and AI governance insights, if you have opted in
• Improve our services and understand the needs of our prospective clients

5. Email Communications

If you opt in to receive insights from Data Defenders, you may receive occasional email updates on AI governance, cybersecurity, and related topics. Every marketing email will include an unsubscribe link. You may also opt out at any time by contacting us at admin-support@data-defendersllc.com.

Transactional emails (such as your AI Readiness Snapshot PDF) are sent as fulfillment of a requested service and are not subject to marketing opt-out.

6. Data Storage, Security & Retention

Your information is stored in a secured PostgreSQL database hosted by Railway (a US-based cloud infrastructure provider). Railway encrypts all customer data at rest at the storage level and applies envelope encryption to environment variables containing access credentials. All data transmitted between your browser and our servers is encrypted in transit via SSL/TLS.

We apply additional controls including parameterized database queries (to prevent SQL injection), rate limiting, input sanitization, and access controls to protect your data at the application layer.

Retention policy: We retain your contact and assessment data indefinitely for the purpose of managing our client and prospective client relationships, unless you request removal. We will not retain data beyond what is necessary for the purposes described in this policy.

3-year notification: Approximately three (3) years from the date your information was collected, we will send you a notification advising that we hold your information and providing you with the option to request removal. If you wish to be removed from our records, you must click the opt-out link in that notification. If you do not respond, your information will be retained and you will receive a subsequent notification at your next 3-year interval.

Transactional SMS: If your email address becomes unreachable (e.g., a delivery bounce), and you have provided a mobile phone number, we may send a single transactional SMS to notify you of the delivery failure and provide you with the option to update your email address or request removal of your record. This message is not marketing and will not be repeated unless your contact information changes.

7. International Data Transfers

Data Defenders is based in the United States. If you are located in the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your personal information will be transferred to and processed in the United States.

The United States has not received an adequacy decision from the European Commission. We rely on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism for transfers of personal data from the EU/UK to the US, and we ensure that our service providers (Railway, SendGrid) operate under equivalent protections. By submitting information through our website, you acknowledge this transfer.

If you have questions about our transfer mechanisms, contact us at admin-support@data-defendersllc.com.

8. Your Rights

Depending on your location, you have the following rights regarding your personal information:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data ("right to be forgotten"). You may exercise this right by responding to our 3-year retention notification, or by contacting us directly at admin-support@data-defendersllc.com
• Right to restriction — Request that we restrict processing of your data in certain circumstances.
• Right to data portability — Request your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting lawfulness of prior processing.

To exercise any of these rights, contact us at:

We will respond to all requests within 30 days. We may need to verify your identity before processing your request.

9. California Residents — CCPA / CPRA Rights

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to delete — Request deletion of personal information we have collected, subject to certain exceptions. Deletion requests may be submitted by responding to our 3-year retention notification or by contacting us at admin-support@data-defendersllc.com
• Right to opt-out of sale — We do not sell personal information. No opt-out is required, but this right is acknowledged.
• Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
• Right to correct — Request correction of inaccurate personal information.
• Right to limit use of sensitive personal information — We do not collect sensitive personal information as defined by the CPRA.

To submit a CCPA request, contact us at admin-support@data-defendersllc.com or call +1 720-739-1583. We will verify your identity and respond within 45 days.

10. Data Breach Notification

In the event of a data breach that affects your personal information, we are committed to the following:

• We will notify affected individuals without undue delay and within the timeframes required by applicable law (72 hours under GDPR; promptly under Colorado HB 18-1128 and applicable US state laws).
• Notification will include a description of the nature of the breach, the categories of data affected, and the steps we are taking to address it.
• Where required, we will notify the relevant supervisory authority (for GDPR) or state attorney general (for applicable US states).

Given the nature of data we collect (name, corporate email, phone, and self-assessment responses), a breach would not expose financial account numbers, government IDs, or health information. We maintain this commitment regardless.

11. GDPR — Supervisory Authority

If you are located in the European Union or United Kingdom and believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is the data protection authority (DPA) in your member state. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

We encourage you to contact us first so we can address your concern directly.

12. Third-Party Services

We use the following third-party processors. Each processes your data only as instructed and only to the extent necessary for the stated purpose:

• SendGrid (a Twilio company) — Transactional and marketing email delivery. Processes email addresses for delivery purposes only. SendGrid Privacy Policy
• Railway — Cloud infrastructure and database hosting. Stores all submitted data in encrypted, US-based servers. Railway Privacy Policy

We do not share your data with any other third parties.

13. Cookies & Tracking

Our website does not use tracking cookies, third-party analytics services, advertising cookies, or cross-site tracking of any kind. We do not use Google Analytics, Meta Pixel, or similar tools. The only browser storage we use is a single localStorage value to remember your ADA visual preference setting — this contains no personal information and never leaves your device.

14. Children's Privacy

Our services are intended for business professionals and organizations. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the version number and "Last updated" date at the top of this page. We will make reasonable efforts to notify users of material changes via a notice on our website. Continued use of our website after changes are posted constitutes acceptance of the updated policy.