Google Play and Apple App Store User Privacy Policy Compliance. See below.
# CIFER Privacy Policy

**Last Updated**: November 4, 2025

**Effective Date**: November 4, 2025

---

## Introduction

Respice Adspice Prospice Consulting LLC ("we," "us," or "our") operates the CIFER - Cybersecurity Impact & Financial Estimation of Risk application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services.

Please read this Privacy Policy carefully. By using CIFER, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use our App.

---

## 1. Information We Collect

We collect several types of information from and about users of our App:

### 1.1 Personal Information

**Information You Provide Directly:**

- **Name** (first and last name) - Required for account creation and personalized reports

- **Email Address** - Required for account authentication, password reset, and service communications

- **Phone Number** - Required for account recovery and two-factor authentication (2FA)

- **Company/Organization Name** - Required for risk assessment context

- **Industry Information** - Required for accurate risk calculations

- **Payment Information** - Collected and processed by Stripe for subscription management (we do not store full credit card details)

**Risk Assessment Data:**

- Risk factor selections and evidence choices

- Compliance framework preferences (NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, GLBA)

- Assessment results and financial projections

- Custom notes and comments

### 1.2 Automatically Collected Information

**App Activity Data:**

- Feature usage patterns

- Button clicks and navigation paths

- Time spent in app

- Assessment completion rates

- Report generation frequency

**Device Information:**

- Device type and model

- Operating system version

- Unique device identifiers (for security and fraud prevention)

- IP address

- Browser type and version (for web app)

- Mobile network information

**Technical Data:**

- App performance metrics

- Error logs and crash reports

- Session duration

- Login timestamps

### 1.3 Information from Third Parties

- **Stripe**: Payment processing and subscription status

- **SendGrid**: Email delivery confirmation

---

## 2. How We Use Your Information

We use the information we collect for the following purposes:

### 2.1 App Functionality

- Create and manage your account

- Authenticate your identity and secure your account

- Process risk assessments using our proprietary algorithm

- Generate personalized PDF and Excel reports

- Manage subscription access and billing

- Provide customer support

### 2.2 Service Improvement

- Analyze app usage patterns to improve features

- Monitor app performance and fix bugs

- Develop new features based on user needs

- Conduct internal research and analytics

### 2.3 Security and Fraud Prevention

- Detect and prevent fraudulent accounts

- Identify suspicious activity patterns

- Protect against unauthorized access

- Monitor for security threats

- Enforce our Terms of Service

### 2.4 Communication

- Send transactional emails (account verification, password reset)

- Deliver subscription renewal notifications

- Provide important service updates

- Respond to support inquiries

### 2.5 Legal Compliance

- Comply with legal obligations

- Respond to legal requests and prevent harm

- Enforce our agreements and policies

---

## 3. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

### 3.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our App:

**Stripe** (Payment Processing)

- **Data Shared**: Email address, payment information, billing address

- **Purpose**: Process subscription payments and manage billing

- **Privacy Policy**: https://stripe.com/privacy

**SendGrid** (Email Delivery)

- **Data Shared**: Email address, name

- **Purpose**: Deliver transactional emails (verification, notifications)

- **Privacy Policy**: https://www.twilio.com/legal/privacy

**Replit** (Hosting Infrastructure)

- **Data Shared**: App data, user accounts (encrypted)

- **Purpose**: Host application and database

- **Certification**: SOC 2 Type 2 certified infrastructure

- **Privacy Policy**: https://replit.com/privacy

### 3.2 Legal Requirements

We may disclose your information if required by law or in response to:

- Court orders or subpoenas

- Government requests

- Legal proceedings

- Protection of our rights, property, or safety

- Prevention of fraud or illegal activity

### 3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

### 3.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

---

## 4. Data Security

We implement enterprise-grade security measures to protect your information:

### 4.1 Technical Safeguards

- **Encryption in Transit**: All data transmission uses HTTPS/TLS 1.2 or higher

- **Encryption at Rest**: Database encryption for stored data

- **Secure Authentication**: Password hashing using industry-standard algorithms

- **Two-Factor Authentication**: Optional 2FA for enhanced account security

- **Session Management**: Secure session tokens with automatic expiration

### 4.2 Organizational Safeguards

- Limited employee access to personal data

- Security training for team members

- Regular security audits

- Incident response procedures

- Automated backup systems

### 4.3 Application Security

- Input validation and sanitization

- SQL injection prevention

- Cross-site scripting (XSS) protection

- Rate limiting to prevent abuse

- Bot detection and CAPTCHA protection

- Security headers (CSP, HSTS, X-Frame-Options)

**Note**: No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

---

## 5. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

### 5.1 Account Data

- **Active Accounts**: Retained while your account is active

- **Inactive Accounts**: Deleted after 2 years of inactivity (with prior notification)

- **Deleted Accounts**: Permanently removed within 30 days of deletion request

### 5.2 Assessment Data

- Risk assessments and reports: Retained for 3 years for historical analysis

- Can be deleted upon request

### 5.3 Legal and Compliance Data

- Transaction records: Retained for 7 years for tax and audit purposes

- Security logs: Retained for 1 year

- Backup data: Retained for 90 days

### 5.4 Anonymized Data

We may retain anonymized, aggregated data indefinitely for analytics and research purposes. This data cannot identify you personally.

---

## 6. Your Privacy Rights

Depending on your location, you may have the following rights:

### 6.1 Access and Portability

- **Right to Access**: Request a copy of your personal data

- **Data Portability**: Receive your data in a structured, machine-readable format

- **How to Request**: Email support@rapconsultingllc.com with subject "Data Access Request"

### 6.2 Correction and Updates

- **Right to Correction**: Update inaccurate or incomplete information

- **How to Update**: Log into your account and edit your profile, or contact support

### 6.3 Deletion

- **Right to Deletion**: Request deletion of your personal data

- **How to Request**: Email support@rapconsultingllc.com with subject "Data Deletion Request"

- **Timeline**: Deletion completed within 30 days

- **Important**: Active subscriptions must be cancelled before deletion; deleted accounts cannot be recovered

### 6.4 Objection and Restriction

- **Right to Object**: Object to processing of your data

- **Right to Restrict**: Request limitation of processing

- **How to Exercise**: Contact support@rapconsultingllc.com

### 6.5 Withdraw Consent

- You may withdraw consent for data processing at any time

- Note: Withdrawal may limit your ability to use certain features

### 6.6 Response Timeline

We will respond to your privacy rights requests within:

- **7 business days**: Acknowledgment of request

- **30 days**: Complete response (may extend to 60 days for complex requests)

---

## 7. Children's Privacy

CIFER is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@rapconsultingllc.com. We will delete such information from our systems within 24 hours.

---

## 8. International Data Transfers

CIFER is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to and processed in the United States.

By using our App, you consent to the transfer of your information to the United States and processing in accordance with this Privacy Policy.

**For European Union Users**: We comply with applicable data protection laws, including GDPR, when transferring data internationally.

---

## 9. State-Specific Privacy Rights

### 9.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

**Right to Know**: Request disclosure of personal information we collect, use, and share

**Right to Delete**: Request deletion of personal information we have collected

**Right to Opt-Out**: Opt out of the sale of personal information (Note: We do NOT sell personal information)

**Right to Non-Discrimination**: You will not receive discriminatory treatment for exercising your privacy rights

**How to Exercise**: Email privacy@rapconsultingllc.com or call (888) 555-CIFER

**Verification**: We may request additional information to verify your identity

### 9.2 Nevada Residents

Nevada residents may opt out of the sale of personal information. We do not sell personal information as defined under Nevada law.

### 9.3 Other States

We extend similar privacy rights to residents of all U.S. states.

---

## 10. Cookies and Tracking Technologies

### 10.1 What We Use

**Session Cookies**: Essential for app functionality (authentication, session management)

**Analytics Cookies**: Track app usage patterns to improve our services

**Security Cookies**: Detect fraudulent activity and protect your account

### 10.2 Third-Party Analytics

We may use third-party analytics services (e.g., Google Analytics) to understand how users interact with our App. These services may use cookies and similar technologies.

### 10.3 Your Choices

- **Browser Settings**: Most browsers allow you to refuse cookies or alert you when cookies are being sent

- **Impact**: Blocking essential cookies may prevent you from using certain features

---

## 11. Do Not Track Signals

Some browsers have "Do Not Track" features. Currently, there is no industry standard for how to respond to these signals. We do not currently respond to Do Not Track browser signals.

---

## 12. Third-Party Links

Our App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

---

## 13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

**Notification of Changes**:

- **Material Changes**: We will notify you via email and/or in-app notification at least 30 days before changes take effect

- **Minor Changes**: Posted on this page with updated "Last Updated" date

**Your Continued Use**: Continued use of CIFER after changes take effect constitutes acceptance of the updated Privacy Policy.

**Review Regularly**: We encourage you to review this Privacy Policy periodically.

---

## 14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

**Respice Adspice Prospice Consulting LLC**

**Email**: info@rapconsultingllc.com

**Support**: info@rapconsultingllc.com

**Phone**: 410-340-9816

**Mailing Address**:

Respice Adspice Prospice Consulting LLC

Privacy Department

1621 Central Ave

Cheyenne, WY 82001

United States

**Response Time**: We aim to respond to all privacy inquiries within 7 business days.

---

## 15. Data Protection Officer

For privacy matters, you may contact our Data Protection Officer:

**Email**: info@rapconsultingllc.com

---

## 16. Complaints and Disputes

If you believe we have not complied with this Privacy Policy or applicable data protection laws, you have the right to:

1. **Contact Us**: Reach out to info@rapconsultingllc.com to resolve the issue

2. **File a Complaint**: Contact your local data protection authority

3. **Legal Action**: Pursue legal remedies available under applicable law

**For EU Residents**: You have the right to lodge a complaint with a supervisory authority in your country.

---

## 17. Additional Disclosures

### 17.1 No Advertising

CIFER does not display advertisements. We do not share your data with advertisers.

### 17.2 No Sale of Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

### 17.3 Business Customers

If your employer or organization provided you access to CIFER, they may have access to your assessment data and usage statistics as part of their enterprise agreement.

### 17.4 Research and Analytics

We may use anonymized, aggregated data for:

- Industry research and benchmarking

- Product development

- Statistical analysis

- Public reporting

This data cannot identify you personally.

---

## Summary of Key Points

- **What We Collect**: Name, email, phone, payment info, assessment data, device info

- **Why We Collect**: App functionality, security, service improvement

- **Who We Share With**: Stripe (payments), SendGrid (emails), Replit (hosting) - We do NOT sell your data

- **Your Rights**: Access, correction, deletion, portability

- **Security**: HTTPS/TLS encryption, secure authentication, enterprise-grade infrastructure

- **Retention**: Active accounts retained; deleted within 30 days upon request

- **Children**: Not intended for users under 18

- **Contact**: privacy@rapconsultingllc.com

---

## Consent

By using CIFER, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

---

**© 2025 Respice Adspice Prospice Consulting LLC. All rights reserved.**