Cyberange

Legal · Effective 2026-06-01 · Last updated 2026-06-01

Privacy Policy

This page explains what personal data Cyberange collects when you use this website or engage with us professionally, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over it. Built around India's Digital Personal Data Protection Act 2023 (DPDP Act) with additional protections for visitors covered by the EU General Data Protection Regulation (GDPR).

In short

  • · Fresh start as of 1 June 2026: prior personal data on the old site has been deleted; nothing carries forward.
  • · We only collect personal data when you contact us, enrol in a programme, or use one of our products under a separate engagement.
  • · The site uses cookieless analytics (Plausible). We do not run advertising trackers or behavioural-profiling tools.
  • · We share data only with named processors who help us deliver our service (hosting, email, file storage) — we don't sell or rent data.
  • · You can ask us what we hold about you, correct it, or have us delete it, at any time.
  • · If you have a complaint we couldn't resolve, you can escalate it to your local data-protection authority.

1. Who we are

This website is operated by Tactical Cyberange Simulations Pvt Ltd. ("Cyberange", "we", "us"), with its registered office at A 319, Logix Technova, Sector 132, Noida, Uttar Pradesh, 201304, India.

For the purposes of the DPDP Act, Cyberange acts as a Data Fiduciary. For the purposes of the GDPR, Cyberange acts as a Data Controller in respect of personal data collected through this website and through direct professional engagement. Where Cyberange processes personal data on behalf of customers — for example, as part of a DFIR engagement, a consulting brief, or a managed Virtual-Labs tenant — Cyberange acts as a Data Processor on the terms of the relevant engagement contract.

2. What personal data we collect

We only collect personal data when you interact with us intentionally. We do not assemble visitor profiles, build advertising audiences, or share data with brokers.

2.1 When you contact us

Through the form at /contact or by email: the name you provide, the work email address, the role and organisation you optionally name, and the content of your message. Submitted only when you click "Send".

2.2 When you subscribe to Insights

Your email address, plus an opt-in record (date, time, source page). Used only to deliver the digest you subscribed to. Unsubscribe in one click.

2.3 When you enrol in a training cohort

Name, contact details, employer or sponsoring institution, relevant qualifications, and cohort-specific data (attendance, graded submissions, certification status). Where a corporate or academic sponsor pays, sponsor contact data is also collected.

2.4 When you use a Cyberange product or engagement

For Virtual Labs, AttackWiz, and TAW: account identifiers, tenant identifiers, telemetry generated during your use of the product. For consulting engagements (Adaptive Red Team, DFIR, Threat Hunting), processing is governed by the engagement contract; this policy is supplemented by that contract for engagement-specific data.

2.5 Technical data we collect automatically

Server logs record the IP address from which a request originated, the user-agent string, the page requested, and the timestamp. Used for security monitoring, fraud and abuse prevention, and performance debugging. We do not link server-log IPs to identified visitors unless they have separately submitted personal data (e.g., via the contact form) and the linkage is required for security investigation.

2.6 Analytics

We use Plausible Analytics, a privacy-friendly analytics service. Plausible does not set cookies, does not collect personal data, does not track visitors across sites, and does not require a consent banner under GDPR or the ePrivacy Directive. The metrics it produces (page views, referrer, top pages, country of visitor at country-granularity) are aggregate and anonymous. See Plausible's data policy for full details.

2.7 What we don't collect

We do not collect special-category data (religion, ethnicity, health, biometric, sexual orientation) through this website. Children's data is not collected through the public site; for Cyberbay school deployments, all student-level data is handled under a separate agreement with the deploying school as Data Fiduciary.

3. Why we collect it (lawful basis)

Under the DPDP Act, we process personal data on the basis of your consent or where the processing is for a "legitimate use" recognised by the Act. Under the GDPR, our lawful bases are:

Consent

Insights digest subscription; cohort marketing communications you opt into.

Performance of a contract

Delivery of products, consulting engagements, and training programmes you have signed up for.

Legitimate interests

Replying to your enquiry, security monitoring, fraud prevention, and aggregate analytics. Balanced against your rights and freedoms; we have completed an internal balancing assessment.

Legal obligation

Statutory reporting (e.g., CERT-In incident-reporting where applicable), tax and audit record-keeping, response to lawful requests.

4. Who we share data with

We use a small number of carefully chosen processors to deliver this site and our services. Each is bound by a written processing agreement consistent with DPDP §8 and GDPR Article 28. We do not sell, rent, or trade personal data.

DigitalOcean (App Platform + Spaces)

Hosting the website, application infrastructure, and media storage. Data may transit / reside in their global data-centres.

Brevo (formerly Sendinblue)

Transactional email delivery (contact-form replies, Insights digest, account notifications). Operated from the European Economic Area; sender domains are SPF / DKIM / DMARC authenticated.

Plausible Analytics

Cookieless, aggregated site analytics. No personal data leaves the visitor's browser as identified personal data.

Google Fonts (self-hosted)

Web fonts. Fonts are served from our domain, so Google does not see visitor requests directly. If your build self-hosts via Astro Fonts API, this is fully internal.

Auditors, legal counsel, regulators

Where lawful, on the basis of legal obligation or legitimate interest. Disclosed under the minimum necessary principle.

Full and current sub-processor list available on request to [email protected].

5. International data transfers

Some of our processors operate infrastructure outside India and outside the European Economic Area. Where personal data is transferred to such jurisdictions:

  • · Under the GDPR, transfers rely on the Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by transfer impact assessments where required.
  • · Under the DPDP Act, transfers occur to jurisdictions not specifically restricted by notification from the Central Government under §16 of the Act.
  • · We do not transfer personal data to any country that is currently subject to a public restriction by the Government of India.

6. How long we keep data

We keep personal data only as long as we need to fulfil the purpose for which it was collected, or to meet a legal obligation. Typical retention periods are:

Contact-form submissions

24 months from last interaction

Insights subscriber data

Until you unsubscribe + 12 months audit retention

Training cohort records

Up to 7 years for certification verification + statutory audit

Engagement records (consulting, DFIR)

As required by contract, statute, and limitation periods

Server access logs

90 days, then aggregated for trend analysis

Plausible analytics

Aggregated indefinitely; no personal data retained

7. Your rights

You have the following rights over the personal data we hold about you. We respond to all requests within 30 days, and usually faster.

7.1 Rights under the DPDP Act 2023

  • · Right to access information — to know what personal data we hold and how it is processed (§11).
  • · Right to correction and erasure — to ask us to correct inaccurate data or erase data that is no longer needed (§12).
  • · Right to grievance redressal — to raise a grievance with our Grievance Officer (§13).
  • · Right of nomination — to nominate another individual to exercise your rights in case of death or incapacity (§14).
  • · Right to withdraw consent — at any time, with effect from the date of withdrawal (§6).

7.2 Rights under the GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the following rights (GDPR Chapter III):

  • · Right of access (Article 15).
  • · Right to rectification (Article 16).
  • · Right to erasure ("right to be forgotten", Article 17).
  • · Right to restriction of processing (Article 18).
  • · Right to data portability (Article 20).
  • · Right to object to processing based on legitimate interest (Article 21).
  • · Right not to be subject to a decision based solely on automated processing, including profiling (Article 22). Cyberange does not currently take any decisions about visitors based on solely automated processing.
  • · Right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence (Article 77).

7.3 How to exercise your rights

Send the request to [email protected]. Include enough information to identify you and the data you are asking about; we may need to verify your identity before acting. There is no fee unless the request is manifestly unfounded or excessive, in which case we will explain why before charging.

8. How we keep data secure

Cyberange is a cyber-security company. We take security obligations for our own data as seriously as we take them for our customers'. Measures include encryption in transit and at rest, access control on a least-privilege basis, regular vulnerability testing and penetration testing, separation of production and non-production environments, audit logging of access to personal data, and a documented incident-response process aligned to CERT-In Directions 20(3)/2022 reporting requirements and (where applicable) GDPR Article 33 breach-notification timelines.

9. Cookies

This site uses only the cookies strictly necessary to deliver the page you requested — for example, security tokens preventing cross-site request forgery on form submission. We do not use advertising cookies, behavioural-tracking cookies, or cross-site retargeting cookies.

Our analytics provider (Plausible) is cookieless by design and does not store any identifier on your device.

Because we set only essential cookies, no consent banner is required under the GDPR/ePrivacy Directive or the DPDP Act's deemed-consent provisions.

10. Children's data

This website is not directed at children under the age of 18 and we do not knowingly collect personal data from children through it. Where Cyberange's Cyberbay product is deployed in a school setting, the deploying school acts as the Data Fiduciary in respect of student data; Cyberange acts as a Data Processor under a separate deployment agreement that contains the necessary child-data safeguards.

11. Changes to this policy

We update this policy when our processing changes or when the law changes. The "Last updated" date at the top of this page is authoritative. Material changes will be notified by email to active subscribers and engagement contacts at least 14 days before they take effect.

12. Contacting us

Data Protection Officer (GDPR)

Not currently appointed

Send rights requests to either mailbox below — both are monitored by the privacy team:

For data-subject rights requests, GDPR-related queries, and supervisory-authority correspondence.

Grievance Officer (DPDP §13)

Not currently appointed

Send DPDP grievances to either mailbox below — both are monitored by the privacy team:

For unresolved grievances under the DPDP Act. We respond within the timelines prescribed by the Act.

If your grievance remains unresolved, you may escalate it to the Data Protection Board of India under the DPDP Act, or to the supervisory authority for data protection in your country of residence if you are an EU/EEA, UK, or Swiss resident.

13. Governing law & jurisdiction

This policy is governed by the laws of India and any dispute arising out of or in connection with this policy shall be subject to the exclusive jurisdiction of the competent courts in the registered jurisdiction of Tactical Cyberange Simulations Pvt Ltd., without prejudice to any mandatory consumer-protection or data-protection rights applicable in your country of residence.

This page provides general information about our personal data practices. It is not legal advice. If you are reviewing this policy for compliance purposes, please consult qualified counsel in your own jurisdiction.