TL;DR: We collect the minimum data needed to run training, prove compliance, and improve the platform. We don’t sell personal data. You control your data where applicable under laws like GDPR and CCPA. This page explains how.
This policy is informational and not legal advice. If there’s a conflict between this policy and a signed Data Processing Agreement (DPA), the DPA controls.
Who we are
XyberIQ, LLC (“XyberIQ”, “we”, “us”) provides a compliance-training SaaS platform. Contact: privacy@xyberiq.io. Mailing: [Add company address].
What we collect
- Account data: name, email, company, role, authentication identifiers.
- Training records: enrollments, progress, scores, certifications, timestamps, IPs related to exam integrity.
- Operational telemetry: app logs, device/browser info, performance metrics, feature usage.
- Support data: messages, attachments, ticket metadata.
- Billing data (if applicable): billing contact, transaction tokens via our PCI-compliant processor (we do not store full card PANs).
How we use data
- Provide and secure the service, including identity, access, auditability, and fraud prevention.
- Deliver training, record completions, and generate evidence for audits.
- Improve features, content relevance, and platform reliability (aggregate analytics).
- Comply with law and enforce our Terms.
- Communicate about updates, security notices, and service changes.
Legal bases (GDPR/UK GDPR)
- Contract: to provide the service to your organization.
- Legitimate interests: security, product improvement (balanced against your rights).
- Consent: where required (e.g., certain cookies/marketing).
- Legal obligation: recordkeeping and compliance with applicable laws.
Cookies & similar tech
We use strictly necessary cookies for login/session integrity, and optional analytics cookies to improve the product. You can manage preferences via browser settings and any in-app cookie controls.
Analytics
We may use privacy-respecting analytics to understand feature usage and reliability in aggregate. IP addresses may be truncated or hashed where feasible.
Payments
Transactions are processed by a third-party PCI-DSS validated provider. We receive limited billing metadata and tokenized references, not full card details.
AI features
If AI-assisted features are enabled, we may process inputs (e.g., policy text, quiz answers) to generate outputs (e.g., tailored training or insights). We configure providers to avoid training on your data where available and subject to our DPA/subprocessor terms.
Security
- Transport encryption (TLS) and data-at-rest encryption.
- Role-based access control (RBAC), MFA support, and least-privilege principles.
- Segregated environments and continuous monitoring.
No system is impenetrable. We notify customers of notifiable incidents consistent with law and contract.
Data retention
We retain data for the duration of your subscription and a limited period thereafter to meet audit, legal, and accounting needs. Customer admins can request deletion of user records where applicable.
Sharing & subprocessors
We use vetted providers (hosting, email delivery, analytics, payments, support). We require appropriate data protection commitments. A current list of material subprocessors is available upon request at privacy@xyberiq.io.
International transfers
Where data is transferred internationally, we rely on appropriate safeguards (e.g., SCCs) and conduct transfer risk assessments where required.
Your rights
- GDPR/UK GDPR: access, rectify, erase, restrict, port, object. Contact: privacy@xyberiq.io.
- CCPA/CPRA (California): right to know, delete, correct, and limit use of sensitive personal information; non-discrimination; “Do Not Sell/Share My Personal Information” requests (we do not sell personal data).
HIPAA, CMMC, SOC 2, SOX context
XyberIQ is a training and compliance-enablement platform. We are not a covered entity or auditor. Customers are responsible for configuring training, retaining evidence, and meeting their own regulatory obligations. If a Business Associate Agreement (BAA) or DPA is required, contact us.
Children’s privacy
Our service is for organizations and adult learners. We do not knowingly collect data from children under 16.
Your admin’s control
Your employer/customer admin may control your account, training assignments, and retention according to corporate policy.
How to contact us
Email: privacy@xyberiq.io • Security: security@xyberiq.io • Support: support@xyberiq.io
Policy changes
We’ll post updates here and adjust the “Last updated” date. Material changes will be communicated to admins.
Do Not Sell/Share My Personal Information (CCPA)
We do not sell personal information. California residents may still contact privacy@xyberiq.io for CCPA requests.