EPCYBER LLC Privacy Statement

---

Last updated: May 2026

This Privacy Statement explains how EPCYBER LLC ("EPCYBER") collects, uses, and protects personal data when you visit our website, contact us, subscribe to our blog, purchase or attend training, access the EPCYBER Training Platform, or engage with us as a client, partner, or candidate. EPCYBER is the data controller for the activities it operates. This Statement is written in plain language and does not replace contractual terms applying to specific services. Where those terms address data handling, they take precedence for the activities they cover. EPCYBER LLC, Miami, Florida, USA Privacy contact: privacy@epcyber.com EPCYBER operates the epcyber.com website, the EPCYBER Training Platform, and provides training and professional services to government, defense, and corporate clients. For any privacy and data related requests we aim to respond within 30 days. 

This Statement covers personal data we process about:

• Visitors to epcyber.com
• Blog and mailing list subscribers
• People who purchase, register for, or attend EPCYBER training
• Users of the EPCYBER Training Platform
• People who contact us
• Personnel of our clients, prospective clients, partners, and suppliers
• Event attendees
• Job applicants
• People referenced in publicly available sources we use for business development

Data: Device and browser identifiers, pages visited, referral URL, approximate location derived from IP, cookie identifiers (see Cookies section). Purpose: Operate, secure, and improve our website; analyze traffic; detect abuse. Basis:Legitimate interest. Consent for non-essential cookies where required.

Data: Email address, subscription date, engagement data (opens, clicks), and any organization-associated data (such as email domain). Purpose: Send subscribed content, training updates, and relevant EPCYBER notices; measure engagement. Basis: Your consent. 

Data:

• Identification and contact: name, email, country, professional title, employer.
• Enrollment: courses purchased, enrollment date, access period, expiration, certificate issuance events.
• Payment: billing name, address, country, buyer email, and payment identifiers. Card details are collected and processed only by our payment processor (currently PayPal); EPCYBER never sees or stores them.
• Verification: corporate email and professional affiliation provided for eligibility verification.
• Platform account: unique username, hashed password, account creation date, course assignment, access period, account status, and state changes (suspension, termination, reinstatement).
• Authentication and session: login and logout timestamps, session duration, IP addresses, geographic information derived from IPs, browser type and version, operating system, device characteristics, screen resolution, language, time zone, and other technical attributes communicated by your browser.
• Content access and interaction: which modules, lessons, and materials you accessed, when, for how long, in what sequence, progress status, exam attempts and results.
• Behavioral signals: clicks, navigation paths, scroll behavior, time on content, repeat views, and similar in-platform activity.
• Platform integrity and IP protection signals: evidence of attempts to download, save, print, screenshot, screen-record, photograph, copy, reproduce, redistribute, transcribe, or extract content; evidence of attempts to inspect, modify, or reverse-engineer the platform (browser developer tools, source code inspection, front-end code modification, script injection); evidence of API request manipulation, response tampering, replay attacks, or authentication bypass; evidence of network-level interception, proxying, or man-in-the-middle techniques; evidence of automated access, scraping, or bot-driven behavior; session anomalies such as concurrent sessions from different geographies, sessions from distinct IP addresses or devices within short time windows, or other patterns consistent with credential sharing; and any other technical signal indicative of an attempt to circumvent platform protections or violate the Terms & Conditions.
• Support and communications: support tickets opened in-platform (content, resolution path, exchanges) and other correspondence about your training, access, or account.

Purpose: Enroll you; deliver training; authenticate sessions; track progress; issue certificates; process payment; provide support; protect our intellectual property; detect and respond to credential sharing, unauthorized access, automated access, reverse-engineering, and other violations; enforce the Terms & Conditions; investigate suspected misuse and defend legal claims; produce internal analytics; comply with tax, accounting, and other legal obligations. Basis: Performance of a contract with you (or with your employer / sponsoring organization). Our legitimate interest in protecting our intellectual property, enforcing our terms, maintaining platform security, and improving the training experience. Compliance with legal obligations. Your explicit consent for any processing of special-category data. By using the EPCYBER Training Platform, you acknowledge and consent to this monitoring as set out here and in the Terms & Conditions.

Data: Name, email, employer, role, message contents, attachments, and (where relevant) information about your organization's role, mission, jurisdiction, and intended use case. Purpose: Respond to your inquiry; evaluate fit; progress a procurement, partnership, or media engagement. Basis: Legitimate interest in responding to inquiries and developing business relationships. We may keep your contact information on file in case you re-engage. 

Data: Names, contact details, professional roles, correspondence; contract documentation, invoices, account records.Purpose: Establish and manage the contractual relationship; deliver training and services; process invoices and payments; comply with legal and regulatory obligations including export-control screening; enforce our agreements. Basis:Performance of a contract; legitimate interest; legal obligations.

Data: Name, professional role, employer, public professional contact information, notes on relevance. Purpose: Identify organizations and individuals to whom our offering may be relevant; make initial outreach. Basis: Legitimate interest in business development.

Data: Registration details, attendance, and recordings where applicable (we tell you in advance if a session is being recorded). Purpose: Deliver the event; follow up afterward; improve future events. Basis: Performance of a contract; legitimate interest; consent for optional uses such as promotional inclusion.

• Directly from you (forms, emails, blog subscription, training registration, platform login, events, applications).
• Automatically through cookies and platform logging, monitoring, and security tooling.
• From your employer or sponsoring organization where training is arranged on your behalf.
• From service providers (payment processors, training infrastructure, identity verification, security tooling).
• From public sources (company sites, professional networks, regulatory filings) for business development and due diligence.

We share personal data only where necessary, and only with recipients bound by appropriate confidentiality and data protection obligations:

• Service providers acting on our instructions: hosting and infrastructure, email delivery, blog and CRM platforms, training platform infrastructure, payment processors, identity verification, security and abuse detection, accounting and tax advisors, and similar. A current list of material sub-processors is available on request.
• Professional advisors: lawyers, auditors, insurers.
• Government and regulatory authorities where required by law (court orders, regulatory inquiries, tax reporting, export-control screening).
• A successor entity in the event of a merger, acquisition, investment, restructuring, or sale. We will inform affected individuals where required by law.
• Other parties at your direction or with your consent, including your employer or sponsoring organization where they purchased or arranged your training.

We do not share personal data with third parties for their own marketing purposes.

Our service providers are located in the US. Your personal data may be transferred to, stored, and processed in countries other than the one in which you live. For transfers outside the EEA, UK, or Switzerland to a country without an adequacy decision, we put in place appropriate safeguards, typically the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss equivalents — supplemented where needed by additional technical and organizational measures.  

We implement technical and organizational measures: access controls based on least privilege, encryption in transit and (where appropriate) at rest, infrastructure hardening, logging and monitoring, employee confidentiality obligations, vendor due diligence, and an incident response process. The EPCYBER Training Platform applies additional content-protection measures: technical controls against download, copy, print, screenshot, screen-record, and extraction; integrity monitoring for tampering, source-code inspection, and API or session manipulation; and behavioral anomaly detection for credential sharing, unauthorized access, and automated access. Because we rely on third-party infrastructure (cloud providers, hosting, data storage) for operations, we cannot control those vendors against breach or compromise. No system is perfectly secure. If we become aware of a breach affecting your information, we will notify the relevant supervisory authorities and affected individuals where and within the timeframes applicable law requires.

We keep personal data only as long as needed for the purposes above, plus any additional period required for legal, tax, accounting, regulatory, audit, certificate verification, or legal-claim purposes.

Indicative retention periods (approximate):

• Blog subscriber data: Until you unsubscribe, then deleted within 60 days (a suppression record is kept so we do not re-contact you).
• Inquiry contacts: Up to 24 months from last interaction.
• Training and certification records: Up to 7 years from the date of training, to support certificate verification and meet tax and accounting requirements.
• Platform account data: Duration of active access plus up to 7 years thereafter.
• Platform usage and behavioral data: Up to 48 months for ordinary usage; longer where required for an active investigation or legal claim.
• Platform security and integrity logs (tampering, credential sharing, and other violations): Up to 7 years, given their relevance to potential legal claims.
• Payment and billing records: Up to 7 years (tax law).
• Client contractual records: Term of contract plus up to 7 years.
• Event recordings: 12–24 months unless retained as course material.
• Website analytics and security logs: 12–24 months.

Specific retention is documented in our internal schedule, available to supervisory authorities on request.

Depending on where you live and which laws apply, you may have the right to:

• Access your personal data and information about how it is processed.
• Correct inaccurate or incomplete data.
• Delete your personal data, subject to legal exceptions.
• Restrict or object to certain processing, including direct marketing.
• Data portability, where it applies.
• Withdraw consent at any time, where processing is based on consent.

To exercise any right, email us. We will respond within the timeframes required by applicable law. We may need to verify your identity, and we may decline or limit a request where the law allows — for example, where granting it would conflict with the rights of others, expose confidential information, or undermine an active legal claim, investigation, or enforcement action concerning platform misuse.

Applicable to residents of states including (as applicable) California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.

Categories of personal information we collect (CCPA categories):

• Identifiers (name, email, account username, country/city based on IP)
• Customer records information (billing address, payment identifiers)
• Commercial information (training purchased, courses accessed)
• Internet or network activity (website interactions, platform login data, content access logs, behavioral and integrity signals)
• Geolocation (approximate, derived from IP)
• Professional or employment information
• Education information (training, certifications, exam results, progress)
• Audio and visual information (event recordings, Zoom sessions where applicable)
• Inferences drawn from the above
• Sensitive personal information, limited to identifiers used for eligibility verification (corporate email domains)

Sale and sharing. We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not use personal data to train any third-party AI.

Your rights:

• Know what personal information we have collected, used, disclosed, or shared.
• Request a copy in a portable format.
• Request correction or deletion.
• Opt out of any sale or cross-context behavioral advertising (not applicable to us, but the right exists).
• Limit the use and disclosure of sensitive personal information (California).
• Appeal a denial of a rights request (Colorado, Connecticut, Virginia, and others).
• Not be discriminated against for exercising any of these rights.

To exercise rights: Email us with subject line "US Privacy Request" and identify the right. We may require verification. Authorized agents are accepted with proof of authorization.

Our records about clients, prospects, individuals identified through public sources, and platform users may include information whose disclosure would compromise legal claims, contractual confidentiality, security, ongoing investigations of platform misuse, or the rights of third parties. Where the law allows, we may redact or withhold information on these grounds, and we will explain why. Requests will not be denied on these grounds where the law does not permit it.

Our website uses:

• Strictly necessary cookies — required for the site and platform to function (e.g., maintaining your authenticated platform session).
• Analytics cookies — to understand how people use our site. Set only with your consent where required.

We do not use advertising or cross-site tracking cookies. You can control cookies through your browser and through the cookie banner on our site. A more detailed Cookies Notice is available at epcyber.com.

We may update this Statement from time to time. The "Last updated" date at the top shows the most recent change. Where a change materially affects how we process your personal data, we will notify you in advance by email or by a notice on our website, where required by law.