Home  /  Privacy Policy
● Legal

Privacy Policy

Last updated: 17 July 2026  ·  Version 1.0

Port Cyber Defense is a cybersecurity company. We hold ourselves to the standards we assess our clients against, and that includes how we handle personal data. This policy explains what we collect when you use port-cyber-defense.com, why we collect it, how long we keep it, and the rights you have over it.

This policy is written to satisfy Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the French Loi Informatique et Libertés. It applies to this website only. It does not cover the GHOST RED platform, which is governed by the separate data processing agreement executed with each client.

1. Who is responsible for your data

The data controller for personal data collected through this website is:

Entity
Port Cyber Defense
Registration
Registered in France — SIREN 923 724 181
Contact
[email protected]
Privacy queries
[email protected] — subject line “GDPR Request”

We have not appointed a Data Protection Officer. Under Article 37 GDPR this is not required, as our core activities do not consist of large-scale systematic monitoring of individuals or large-scale processing of special category data. Privacy enquiries are handled directly at the address above.

2. What we collect, and why

We collect the minimum necessary. We do not run analytics or behavioural tracking on this site, we do not build advertising profiles, and we do not sell personal data to anyone.

2.1 Information you give us

DataWhere fromWhyLegal basis
Name, email, company, service interest, messageAssessment request and contact formsTo answer your enquiry and, where relevant, take steps prior to entering into a contractArt. 6(1)(b) — pre-contractual steps
Art. 6(1)(f) — legitimate interest in responding to business enquiries
Name, email, companyTechnical Brief download formTo deliver the requested document and identify who is evaluating our platformArt. 6(1)(f) — legitimate interest in qualifying commercial interest

2.2 Information collected automatically

DataWhyLegal basis
IP address, browser type, referring page, timestampsServer logs, kept for security monitoring, abuse detection, and diagnosing faultsArt. 6(1)(f) — legitimate interest in network and information security
Security cookies set by our CDN and WAF providerTo distinguish legitimate visitors from automated attacks and to protect the site against denial-of-service trafficArt. 6(1)(f) — legitimate interest in security; strictly necessary under the ePrivacy Directive and therefore exempt from consent
Advertising cookies and identifiers set by GoogleTo display advertising on our Blog and Education pagesArt. 6(1)(a) — your consent, collected before any advertising cookie is set

3. Cookies and advertising

We use two categories of cookie, and they are not treated the same way.

Strictly necessary cookies are set by our content delivery and web application firewall provider to keep the site available and to block malicious traffic. These are required for the site to function securely and are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive. They do not track you across other websites.

Advertising cookies are set by Google as part of Google AdSense, which we operate on our Blog and Education pages only. Our commercial pages carry no advertising. Google may use cookies, device identifiers, and IP address to serve and measure ads, and, where you consent, to personalise them.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you will be shown a consent notice before any advertising cookie is placed. You may accept, refuse, or configure your choices, and you may change your decision at any time through that same notice. Refusing does not restrict your access to any part of this website. Where you refuse consent for personalisation, Google may still serve non-personalised or limited advertising, which relies only on contextual information and what is strictly necessary to deliver and count the ad.

You can review and adjust Google's use of your data at myadcenter.google.com, and read how Google processes data from partner sites at policies.google.com/technologies/partner-sites. Most browsers also allow you to block or delete cookies directly.

4. Who else processes your data

We keep the list short deliberately. Every organisation below acts either as our processor under a data processing agreement, or as an independent controller for its own defined purpose.

RecipientRolePurpose
Form processing providerProcessorReceives and relays submissions from our contact and download forms to our inbox
Hosting providerProcessorOperates the servers on which this website runs and generates server logs
CDN and security providerProcessorDelivers the site, filters malicious traffic, and mitigates denial-of-service attacks
Google Ireland LimitedIndependent controllerServes advertising on our Blog and Education pages, subject to your consent

We do not share your personal data with anyone else. We do not sell it, rent it, or trade it. If we are ever legally compelled to disclose data — for example under a valid court order — we will do so only to the extent required, and will notify you unless legally prohibited from doing so.

5. Transfers outside the European Economic Area

Some of the providers listed above are established in, or operate infrastructure in, the United States. Where personal data is transferred outside the EEA, that transfer is protected by one or both of the following safeguards under Chapter V GDPR:

You may request further detail on the safeguards applying to a specific transfer by contacting us.

6. How long we keep it

DataRetention
Contact and assessment enquiries24 months from last contact, then deleted
Technical Brief download records24 months from download, then deleted
Server and security logs12 months maximum, in line with CNIL guidance
Records required for accounting or legal defenceAs required by French law, typically 10 years
Advertising cookiesAs set by Google — see Google's own retention disclosures

7. Your rights

Under the GDPR you have the following rights over your personal data. They are free to exercise, and we will respond within one month of receiving your request.

To exercise any of these, email [email protected] with the subject line “GDPR Request”. We may ask you to verify your identity before we act, to make sure we are not disclosing your data to someone else.

Right to complain. If you believe we have handled your data unlawfully, you may lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr/en/plaintes — or with the supervisory authority in your country of residence. We would rather you came to us first, but that right is yours regardless.

8. How we protect it

We apply the controls we would expect of any organisation we assess:

No system is perfect, and we will not claim otherwise. In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the CNIL within 72 hours in accordance with Article 33, and notify you directly where Article 34 requires it.

9. Children

This website is directed at security professionals and organisations. It is not intended for children, and we do not knowingly collect personal data from anyone under 15 — the age of digital consent in France under Article 8 GDPR as implemented in French law. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Automated decision-making

We do not carry out automated decision-making or profiling that produces legal effects concerning you, within the meaning of Article 22 GDPR.

11. Changes to this policy

We will update this policy when our processing changes. The version number and date at the top of this page always reflect the current text. Where a change materially affects your rights, we will make that clear rather than quietly amending the page.

12. Contact

Questions about this policy, or about how we handle your data, go to [email protected].

If you have identified a security issue in this website or in the GHOST RED platform, we operate a responsible disclosure programme — please use the same address and we will acknowledge within 24 hours.