Draft — pre-launch review required
Privacy notice
Last updated: before launch. This text is a working draft and must be reviewed by counsel before publication.
1. Who we are
CyberRunner is built and operated by Equa ApS ("EQUA", "we"), a Danish company registered in Copenhagen at Bredgade 30, 1260 Copenhagen K, Denmark. Reach our privacy team at privacy@equa.dk; reach our security team at security@equa.dk.
2. What we collect when you visit this site
- Strictly necessary cookies — session, CSRF, auth. Always on; required to operate the service. No tracking purpose.
- Analytics cookies — only with your explicit consent. If you reject the consent banner, no analytics fire and no analytics cookies are set.
- Sign-up information — your work email, organisation name, contact name, chosen edition, chosen region. Used to provision your instance, communicate with you, and bill you. Stored in the EU.
- Payment information — handled entirely by Stripe under their own privacy policy. We see the last 4 digits of the card and the billing country; we never see the full card number or CVC.
3. What we collect when you use the service
- The alerts you submit — processed to produce a verdict. Stored within your own isolated instance, encrypted at rest. We don't pool alerts across customers. We don't use your alerts to train models that benefit other customers.
- Investigations and verdicts — the full trace of what each agent did, what tool calls were made, what evidence was gathered, what verdict was returned. Retained per your instance's retention setting (default 90 days; configurable).
- Usage metrics — number of investigations, depth mode, LLM tokens consumed. Used for billing and for capacity planning. Aggregated metrics may be retained beyond the alert retention window.
- Account and audit metadata — who did what, when. Retained for security and compliance reasons (typically 1 year minimum).
4. Legal bases for processing
We rely on the following GDPR Article 6 legal bases:
- Contract — processing necessary to provide the service you've signed up for (alert triage, billing, the customer console).
- Legitimate interests — security monitoring of our own platform, fraud prevention, and audit logging. Balanced against your rights.
- Consent — analytics cookies (strictly opt-in via the banner), and any marketing communications you sign up for separately.
- Legal obligation — retention of certain records for tax, accounting, and regulatory compliance.
5. Where data lives
Your instance is provisioned in the region you select at sign-up — by default Azure West Europe (Amsterdam) or Hetzner Germany. Backups and logs stay in the same region. Stripe processes payment data under their own GDPR-compliant terms (Stripe Payments Europe Ltd., Dublin). You can request our full list of sub-processors at any time; we notify you 30 days before any change.
6. International transfers
No transfers outside the EEA by default. If you choose a non-EU LLM provider as your backend, that becomes an explicit opt-in, covered by Standard Contractual Clauses and disclosed in writing.
7. Your rights under GDPR
You have the rights of access, rectification, erasure, restriction of processing, and data portability, and the right to object. Technical means to exercise all of these are exposed in the customer console; alternatively, you can email privacy@equa.dk and we'll process the request within 30 days.
You can also lodge a complaint with the Danish DPA (Datatilsynet) or your local supervisory authority. We don't think you'll need to, but you have the right.
8. Retention
- Alert data & investigations — per your instance's retention setting; default 90 days.
- Account & billing records — retained for the duration of the contract plus 5 years for accounting purposes (Danish bookkeeping law).
- Audit logs — minimum 1 year, configurable per instance.
- Marketing contact data — until you unsubscribe, with periodic re-confirmation.
9. Cookies — full list
[Pre-launch task: enumerate exact cookies once analytics and feature-flag tooling are wired. Today the site sets only strictly-necessary cookies (cr_consent_v1 to remember your banner choice, and session cookies on the signup/console flows).]
10. Children
CyberRunner is a B2B security product. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided data to us, email privacy@equa.dk and we'll delete it.
11. Changes to this notice
We post material changes on this page and notify active customers by email at least 30 days before the change takes effect. The "last updated" line above is the canonical version stamp.