EPCYBER LLC Privacy Statement

---

Last updated: April 2026

This Privacy Statement explains how EPCYBER LLC ("EPCYBER") collects, uses, and protects personal data when you visit our website, contact us, subscribe to our blog, purchase or attend training, or engage with us as a client, partner, or candidate.

EPCYBER acts as an independent data controller for the activities it operates. Where we process personal data jointly with affiliated entities, we identify ourselves as joint controllers and explain what that means for you.

This Statement is written to be read in plain language. It does not replace contractual terms that may apply to specific services (for example, training enrollment terms). Where those terms address data handling, they take precedence over this Statement for the activities they cover.

Who we are

EPCYBER LLC Miami, Florida, USA Privacy contact: privacy@epcyber.com

EPCYBER operates the epcyber.com website and provides training and professional services to government, defense, and corporate clients.

Regional privacy contacts

To help us route your inquiry quickly, you can reach us at the following addresses depending on where you are:

• Individuals in the European Economic Area or Switzerland: eu-privacy@epcyber.com
• Individuals in the United Kingdom: uk-privacy@epcyber.com
• Individuals in Israel, the United States, or elsewhere: privacy@epcyber.com

What this Statement covers

This Statement covers personal data we process about:

• Visitors to epcyber.com
• People who subscribe to the EPCYBER blog or other EPCYBER mailing lists
• People who purchase, register for, or attend EPCYBER training
• People who contact us by email, web form, or other channels
• Personnel of our clients, prospective clients, partners, and suppliers
• Attendees at events we host or co-host
• Job applicants and candidates
• People referenced in publicly available sources we use for business development

Personal data we collect, and why

We collect different categories of personal data depending on how you interact with us. The lists below describe each category, the purpose for which we use it, and our lawful basis under the GDPR / UK GDPR. Lawful bases under the Israeli Privacy Protection Law and US state laws are addressed in Sections 13–15.

Website visitors (epcyber.com)

Data collected: Device and browser identifiers, pages visited, referral URL, approximate location derived from IP, and cookie identifiers. See Section 17 (Cookies) for detail.

Purpose: To operate, secure, and improve our website; to analyze traffic patterns; to detect abuse; to improve your user experience.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in operating a secure, functional website and understanding how it is used. Where required by law, we obtain your consent before placing non-essential cookies.

Blog subscribers (EPCYBER blog)

Controller: EPCYBER.

Data collected: Email address, any name or organization-associated data (such as the domain of your email). We also record subscription date, and engagement data such as whether emails were opened or links clicked.

Purpose: To send you the blog content you subscribed to, related EPCYBER training updates, and occasional notices about EPCYBER offerings that may be relevant to your professional role. To measure engagement and improve content.

Lawful basis (GDPR/UK GDPR): Your consent, given when you subscribed. You may withdraw consent at any time using the unsubscribe link in any email or by writing to privacy@epcyber.com. We do not sell or rent subscriber lists, and we do not share email addresses with advertising networks or any third parties.

Training purchasers, registrants, and attendees

Controller: EPCYBER.

Data collected (where and when available):

• Identification and contact data: name, email, country of residence, professional title and employer.
• Enrollment data: courses purchased or enrolled in.
• Payment data: billing name, telephone, billing address, country of residence, buyer email, and payment identifiers. Full payment card details are collected and processed only and directly by our payment processor (currently PayPal); EPCYBER does not have visibility to any financial PII and does not store any.
• Communications: correspondence between you and EPCYBER about your training, questions, requests, access, support.

Purpose: To enroll you, deliver the training, issue certificates, process payment, comply with our tax and accounting obligations, and respond to your questions.

Lawful basis (GDPR/UK GDPR):

• Performance of a contract with you (or steps taken at your request prior to entering one), agreeing to terms on epcyber.com/terms where you purchase or enroll in training directly.
• Our legitimate interest in delivering training that has been arranged through your employer or a sponsoring organization, where the contractual relationship is between us and that organization.
• Compliance with legal obligations (tax, accounting, anti-fraud, export control where applicable).
• Your explicit consent for any processing of special-category data such as security clearance information.

We retain training records as described in Section 9.

People who contact us

Controller: EPCYBER.

Data collected: Name, email address, employer, role, and the contents of your message and any attachments. If you request information about a course or program, we may also collect information about your organization's role, mission, jurisdiction, and intended use case.

Purpose: To respond to your inquiry, evaluate fit, and (where applicable) progress a procurement, partnership, or media engagement.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in responding to inquiries and developing business relationships, and steps taken at your request prior to entering a contract.

We may keep your contact information on file after the initial exchange so we can resume the conversation if you re-engage. If you would prefer we delete your details, write to privacy@epcyber.com.

Clients and their personnel

Controller: EPCYBER.

Data collected: Names, contact details, professional roles, and correspondence of individuals at our client organizations who interact with us as users, project leads, procurement contacts, legal counsel, or otherwise. Contract documentation, invoices, and account records.

Purpose: To establish and manage the contractual relationship; to deliver the training or services; to issue invoices and process payments; to provide support; to comply with legal and regulatory obligations including export control screening; to enforce our agreements; and to maintain account records.

Lawful basis (GDPR/UK GDPR): Performance of a contract; legitimate interest in managing a commercial relationship; compliance with legal obligations.

Prospective clients identified through publicly available information

Controller: EPCYBER.

Data collected: Name, professional role, employer, public professional contact information (LinkedIn URL, business email where publicly listed), and notes on relevance to our work.

Purpose: To identify organizations and individuals to whom our offering may be relevant and to make initial outreach.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in business development. Where required by applicable law, we limit such outreach to recipients in their professional capacity at organizations whose mission aligns with ours. You can object to this processing at any time by writing to privacy@epcyber.com.

Event and webinar attendees

Controller: EPCYBER.

Data collected: Registration details, attendance, and (where applicable) recordings. We will tell you in advance if a session is being recorded.

Purpose: To deliver the event, follow up afterward, take notes, and improve future events for attendees.

Lawful basis (GDPR/UK GDPR): Performance of a contract (your registration), our legitimate interest in operating educational events, and consent for any optional uses such as inclusion in promotional material.

How we collect personal data

We collect personal data:

• Directly from you, when you visit our site, fill in a form, write to us, subscribe to the blog, register for training, attend an event, or apply for a role or any similar direct or indirect form of engagement with us, our digital assets or infrastructure.
• Automatically, through cookies and similar technologies on our website (see Section 17).
• From your employer or sponsoring organization, when training is purchased or arranged by yourself or on your behalf.
• From service providers and partners who help us run our business (for example, payment processors, training delivery platforms, identity verification providers or others involved in any business operations or maintenance process).
• From public sources, including company websites, professional networks, regulatory filings, and other publicly available material, in connection with business development and client/partner due diligence.

How we use personal data — summary

We use personal data to:

• Operate, secure, and improve our website for you.
• Send blog content, training updates, and other communications people have asked to receive.
• Deliver training, issue certifications, and process related payments.
• Respond to inquiries and progress potential client, partner, and media relationships.
• Manage contractual relationships with clients, suppliers, and partners, potential leads, and prospects.
• Identify prospective clients and make initial business outreach.
• Operate events.
• Recruit and assess job candidates.
• Comply with legal, regulatory, tax, accounting, anti-fraud, and export-control obligations.
• Establish, exercise, and defend legal claims, and enforce our agreements.
• Protect the rights, property, and safety of EPCYBER, our personnel, our clients, and others.

We do not use personal data to train any third-party AI or large language model. We do not sell personal data. We do not engage in cross-context behavioral advertising. We do not share personal data with advertising networks for targeting purposes.

Who we share personal data with

We share personal data only where necessary, and only with recipients who are bound by appropriate confidentiality and data protection obligations. Recipients fall into the following categories:

• Service providers (processors) who act on our instructions: hosting and infrastructure, email delivery, blog and CRM platforms, training delivery platforms, payment processors, identity verification, accounting and tax advisors, professional services firms, and similar. A current list of material sub-processors is available on request from privacy@epcyber.com.
• Professional advisors, including lawyers, auditors, and insurers, where needed.
• Government and regulatory authorities, where we are required by law to disclose information, including in response to lawful court orders, regulatory inquiries, tax reporting, and export-control screening.
• A successor entity, in the event of a merger, acquisition, investment, financing, restructuring, or sale of all or part of our business. We will inform affected individuals where required by law.
• Other parties at your direction or with your consent, including (for training) your employer or sponsoring organization where they have purchased or arranged your training.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

International data transfers

EPCYBER is established in Miami, Florida, USA. Our service providers are located in the EU, UK, US, and Israel. As a result, your personal data may be transferred to, stored in, and processed in countries other than the one in which you live (storage servers, cloud providers, third party hosting infrastructure, applications, platforms).

When we transfer personal data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we put in place appropriate safeguards. These typically include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss equivalents, supplemented where necessary by additional technical and organizational measures.

If you are an EPCYBER client, you may request a copy of the safeguards we use by writing to privacy@epcyber.com.

How we protect personal data

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, exposure, leakage or destruction. These include access controls based on least privilege, encryption in transit and (where appropriate) at rest, infrastructure hardening, logging and monitoring, employee confidentiality obligations, vendor due diligence, and an incident response process.

However, since we rely on third party products for communication, delivery of training, and other functions relevant for business operations, we cannot directly or indirectly control those third party vendors (e.g., cloud providers, site hosting, data storage and others) from being breached, compromised, or targeted (that includes your data). No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your information, we will notify the relevant supervisory authorities and affected individuals where required by applicable law and within the timeframes those laws specify.

How long we keep personal data

We keep personal data only as long as we need it for the purposes described in this Statement, plus any additional period required to:

• Comply with legal, tax, accounting, and regulatory obligations.
• Establish, exercise, or defend legal claims.
• Honor our internal record-keeping and audit requirements.

Indicative retention periods (the numbers are approximate):

• Blog subscriber data: Until you unsubscribe, then deleted within 60 days, except for a suppression record retained to ensure we do not contact you again.
• Inquiry contacts: Up to 24 months from the last interaction, unless you re-engage or show interest to re-engage directly or indirectly.
• Training records (enrollment, attendance, assessments, certifications): up to 7 years from the date of the training, to support certification verification and comply with tax and accounting requirements.
• Payment and billing records: up to 7 years, to comply with tax law.
• Client contractual records: Term of the contract plus up to 7 years.
• Job applicant data (unsuccessful candidates): 12-24 months, then deleted unless you ask us to keep it on file longer.
• Event recordings: 12-24 months unless retained as part of a course or program.
• Website analytics and security logs: 12-24 months.

These periods are indicative and may be longer where required by law or shorter where the purpose has been fulfilled. Specific retention is documented in our internal data retention schedule, which is available to supervisory authorities on request.

Your rights

Depending on where you live and which laws apply, you may have rights in relation to your personal data, including:

• The right to access your personal data and obtain information about how it is processed.
• The right to correct inaccurate or incomplete personal data.
• The right to delete your personal data, subject to legal exceptions.
• The right to restrict or object to certain processing, including processing for direct marketing.
• The right to data portability, where it applies.
• The right to withdraw consent at any time, only where processing is based on consent.

You can exercise these rights by writing to privacy@epcyber.com. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request, and we may decline or limit a request where the law allows us to do so — for example, where granting it would conflict with the rights of others, expose confidential information, or undermine an active legal claim.

Information for individuals in the European Economic Area, the United Kingdom, and Switzerland

This section supplements the rest of the Statement for individuals protected by the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection.

Lawful bases. The lawful bases on which we rely are identified in Section 3 for each processing activity.

Right to object to processing based on legitimate interests. You may object to processing of your personal data that we carry out on the basis of our legitimate interests. Where you object, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is needed to establish, exercise, or defend legal claims.

Right to object to direct marketing. You can object to direct marketing at any time, and we will stop. Unsubscribe links are included in every marketing email.

Automated decision-making. We do not make decisions producing legal or similarly significant effects on you based solely on automated processing.

Information for individuals in Israel

This section supplements the rest of the Statement for individuals protected by the Israeli Privacy Protection Law, 5741-1981 ("PPL") and the regulations issued under it.

Identity of the database owner. EPCYBER LLC is the owner of the databases containing the personal data it controls.

Provision of data. You are not under a legal obligation to provide your personal data to us. However, in some cases (for example, completing a training enrollment, processing a payment, or entering into a contract), we will not be able to provide the relevant service if you do not provide the fundamental data required for it.

Your rights under the PPL. You have the right to access the personal data we hold about you, to request correction or deletion, and to object to the use of your data for direct marketing. Requests should be sent to privacy@epcyber.com.

Direct marketing. Where we send direct marketing under Section 30A of the Communications Law (Bezeq and Broadcasts), 1982, we will identify the message clearly, provide an opt-out, and honor opt-out requests promptly.

Information for residents of US states with comprehensive privacy laws

This section applies to individuals who are residents of US states whose comprehensive consumer privacy laws apply to EPCYBER, including (as applicable) California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.

Categories of personal information we collect. As described in Section 3. In the categories used by the California Consumer Privacy Act:

• Identifiers (e.g., name, email, country / city of residence based on IP address)
• Customer records information (e.g., billing address, payment identifiers)
• Commercial information (e.g., training purchased)
• Internet or network activity (e.g., website interactions)
• Professional or employment information
• Education information (training and certification records)
• Audio and visual information (e.g., event recordings, Zoom sessions where applicable)
• Inferences drawn from the above
• Sensitive personal information, limited to government identifiers used solely for identity verification where required for specific training programs (domain names, corporate email addresses).

Sources, purposes, and recipients. As described in Sections 3, 5, and 6.

Sale and sharing. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California and other US state privacy laws. We do not knowingly sell or share the personal information of consumers under 16.

Your rights. Subject to verification and statutory exceptions, you have the right to:

• Know what personal information we have collected, used, disclosed, and (if applicable) sold or shared.
• Request a copy of your personal information in a portable format.
• Request correction of inaccurate personal information.
• Request deletion of your personal information.
• Opt out of any sale or sharing for cross-context behavioral advertising (not applicable to us, but the right is available).
• Limit the use and disclosure of sensitive personal information (California).
• Appeal a denial of a rights request (Colorado, Connecticut, Virginia, and others).
• Not be discriminated against for exercising any of these rights.

How to exercise rights. Email privacy@epcyber.com with the subject line "US Privacy Request" and identify the right you wish to exercise. We may ask you for information necessary to verify your identity. You may use an authorized agent; we may require proof of authorization.

General — limits on data subject requests

Our records about clients, prospects, and individuals identified through public sources may include information whose disclosure would compromise legal claims, contractual confidentiality, security, or the rights and freedoms of third parties. 

Where applicable law allows us to do so, we may redact or withhold information from a response on these grounds, and we will explain the reason. Requests will not be denied on these grounds where the law does not permit it.

Cookies and similar technologies

Our website uses cookies and similar technologies for the following purposes:

• Strictly necessary cookies, which are required for the site to function (for example, to remember a cookie preference).
• Analytics cookies, which help us understand how people use our site. Where required by law, these are set only with your consent.

We do not use advertising or cross-site tracking cookies.

You can control cookies through your browser settings and through the cookie banner on our site. A more detailed Cookies Notice is available at epcyber.com.

Changes to this Statement

We may update this Statement from time to time. The "Last updated" date at the top of the page shows when the most recent change was made. Where a change materially affects how we process your personal data, we will notify you in advance by email or by a notice on our website, where required by law. 

How to contact us

For any questions about this Statement, or to exercise a right:

EPCYBER LLC Privacy: privacy@epcyber.com Miami, Florida, USA

We aim to respond to privacy inquiries within 30 days. If you are not satisfied with our response, you may contact your local supervisory authority — see Sections 12 and 13 for guidance.