C8
Cipher8

Privacy Policy

Last updated: May 16, 2026

This Privacy Notice describes how Cipher8 ("we", "us", "our") collects, uses and shares your personal data when you use the Cipher8 website and the Cipher8 CISSP training application (the "Service"). Cipher8 is the data controller for the personal data described below.

1. Personal data we collect

  • Account data: email address, display name, hashed password, OAuth identifiers (e.g. Google account ID).
  • Profile data: avatar URL and any optional display name you provide.
  • Usage data: answers, confidence ratings, study sessions, FSRS scheduling data, mistake-journal entries and other product telemetry.
  • Subscription data: subscription status, billing period, plan, and the Paddle customer / subscription identifiers used to reconcile your access.
  • Support data: any information you provide when contacting us.
  • Technical data: IP address, device and browser information, log data and similar identifiers collected automatically when you use the Service.

Payment-card data is collected and processed directly by Paddle, our Merchant of Record. We do not see or store full payment-card information.

2. How we use personal data

  • To create and operate your account and provide the Service (legal basis: performance of a contract).
  • To deliver, schedule and personalize study content (legal basis: performance of a contract).
  • To process subscriptions and grant Pro access based on subscription status (legal basis: performance of a contract).
  • To prevent fraud, abuse and security incidents (legal basis: legitimate interests).
  • To improve product quality and reliability (legal basis: legitimate interests).
  • To respond to support requests (legal basis: legitimate interests).
  • To comply with legal obligations (legal basis: legal obligation).

3. Who we share personal data with

  • Paddle.com Market Ltd. ("Paddle") — our Merchant of Record for all online sales, handling checkout, payments, tax compliance, invoicing, refunds and subscription management.
  • Authentication and hosting providers — used to operate the Service (authentication, database, file storage, application hosting).
  • Email providers — used to send transactional emails such as confirmations and password resets.
  • Professional advisers — legal, accounting and similar advisers when reasonably necessary.
  • Authorities — when we are required to disclose data to comply with law, regulation, legal process or a governmental request.

We do not sell your personal data and we do not share it with third parties for their own marketing purposes.

4. International transfers

Cipher8 may process personal data outside your country of residence, including in jurisdictions whose data-protection laws differ from yours. Where transfers occur from the UK or EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or applicable adequacy decisions.

5. Retention

We retain personal data for as long as your account is active and for a reasonable period afterwards to operate the Service, comply with legal obligations, resolve disputes and enforce our agreements. Subscription and billing records are retained as required by applicable tax and accounting law. When data is no longer needed, we delete or anonymize it.

6. Your rights

Subject to your local law, you may have rights to access, rectify, erase, restrict or port your personal data, to object to processing based on legitimate interests, and to withdraw consent where processing relies on consent. To exercise these rights, contact us at privacy@cipher8.app. You also have the right to lodge a complaint with your local supervisory authority.

7. Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, least-privilege service credentials and Row-Level Security on user-scoped data. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8. Cookies

We use strictly necessary cookies and local storage to keep you signed in and to persist study state. We do not use third-party advertising cookies. If we introduce analytics cookies in the future we will update this notice and surface a cookie preference control.

9. Children

Cipher8 is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Changes to this notice

We may update this Privacy Notice from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated in-app or by email.

11. Contact

Cipher8 — privacy enquiries: privacy@cipher8.app.