Last Updated: June 14, 2025

This Privacy Notice and Terms of Use (“Privacy Policy”, “policy”) describes how the websites and applications ivycyber.com, privacysafe.app, whistlepost.com, refreshview.com, certmagi.com, privacysafe.live, and privacysafe.courses — collectively owned and operated by Ivy Cyber Education LLC (“Ivy Cyber”, “we”, “our”, “us”) — collect, protect, and handle the information you may provide through these sites or their APIs (“website”, “site”, “app”, “application”, “software”).

This policy also governs the use of Ivy Cyber’s specific web applications, including PrivacySafe Link privacysafe.link, PrivacySafe Locker privacysafe.locker, PrivacySafe Bot privacysafe.bot, PrivacySafe Search privacysafe.is, and StickTock at sticktock.com, with distinct information about these sites and applications in the “Specific Web Applications” section below (all of the previous listed websites, applications, sites, APIs, and URLs are referred to hereafter as “website”, “site”, “app”, “application”, “software”).

This policy does not apply to PrivacySafe Social privacysafe.social, which operates under a separate notice available at https://privacysafe.social/privacy-policy. This policy also does not cover the practices of companies Ivy Cyber does not own or control, or individuals Ivy Cyber does not employ or manage.

Note: For terms governing customer use of purchased products as well as product warranties, refunds or returns, and conduct guidelines, please see our Terms & Conditions.

Our Commitment To Privacy

At Ivy Cyber, we actively avoid collecting personal data unless it is absolutely necessary for secure transactions or technical operations. Our design principles emphasize privacy by default and data minimization. We proudly rely on Free and Open Source Software (FOSS) to provide verifiable transparency in our platform and services. This ensures our users benefit from privacy-respecting tools that are community-vetted and ethically developed.

We do not sell or study your personal information. We collect what data is minimally necessary to conduct normal operations in the course of our business and for proper operation, diagnostics, and maintenance of our websites and applications. If you would like to submit a request for data erasure or deletion, please contact us at privacy@ivycyber.com

GDPR Legitimate Interests Assessment

Ivy Cyber is committed to complying with all data protection laws including but not limited to the GDPR and CCPA. We have conducted a LIA (Legitimate Interests Assessment) pursuant to the GDPR and determined that a DPIA (Data Protection Impact Assessment) is unnecessary as the data we process is not likely to result in a high risk to individuals. Our LIA is published and signed by company leadership at the end of this document. We believe transparency fosters trust. Publishing this assessment demonstrates our commitment to data minimization, privacy by design, and ethical software development.

We understand our responsibility to protect the individual’s interests. We have verified that the processing is necessary and there is no less intrusive way to achieve the same result. We have performed a balancing test and are confident that the individual parties’ interests do not override our legitimate interest. All data is used in ways that the individuals would reasonably expect and would not find intrusive. We review our LIA periodically and update it whenever circumstances change.

COPPA (Children’s Online Privacy Protection Act) Statement

Ivy Cyber does not knowingly solicit or collect personal information from minors under the age of eighteen. If you have reason to believe a minor has disclosed personal information to Ivy Cyber, please notify privacy@ivycyber.com immediately. Users under the age of 13 must NOT use the site (per US COPPA requirements).

Your Rights

Depending on your location and applicable data protection laws, you may have the following rights regarding your personal data:

• Right of access – You may request a copy of the personal data we hold about you.

• Right to rectification – You may request correction of inaccurate or incomplete data.

• Right to erasure – You may request deletion of your data under certain circumstances.

• Right to restriction – You may request limitation of processing in specific situations.

• Right to object – You may object to our processing of your data based on our legitimate interests.

• Right to data portability – You may request to receive your data in a commonly used, machine-readable format.

• Right to withdraw consent – Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at privacy@ivycyber.com. We will respond in accordance with applicable data protection laws.

If you are a California resident, you may also have the right to request disclosures about data collection, request deletion, and opt out of the sale or sharing of personal data under the California Consumer Privacy Act (CCPA). Ivy Cyber does not sell personal data.

How do we secure data?

All information transmitted to IvyCyber.com is encrypted using cryptographic protocols and tools. User information is subject to a network of internal controls. Staff are required to undergo training on the handling and processing of data. We perform audits on a consistent basis and review our security measures in response to changes in the industry and new legal requirements.

Cookies

Cookies on this site are essential for software functionality and are not advertising or tracking cookies. Functions include logging your browser into a registered account and saving your preferences for future visits. The use of these essential cookies complies with EU General Data Protection Regulation (GDPR).

Account Information

If you register on Ivy Cyber platforms (such as privacysafe.live or privacysafe.courses), you will be asked to enter:

• A username
• An email address
• A password

Your information is transmitted with TLS encryption. Your username is used to identify your account and may be visible within class rosters or discussion areas. Your password is not known to administrators and is stored in a secure cryptographic form. Your email address is used for functionality such as password resets, enrollment confirmation, and class notifications, but is not shared without your consent.

You may also provide optional profile information including a name, image, or biography within the learning environment. We recommend avoiding any sensitive personal information in these fields.

IP Logging and Session Metadata

We record the IP address and browser application used during login. Logged-in sessions are available for your review and revocation in your account settings. The latest IP address is stored for up to 12 months. Server logs, including IP addresses of every request, may also be retained.

Moderation

We may compare IP addresses to detect ban evasion or other violations of our policies. Moderation actions may be taken to protect the integrity of our learning environments and community standards.

Communication

The email address you provide may be used to send notifications about class interactions, account activity, or administrative updates. Your email may also be used to respond to inquiries or requests related to your enrollment or account.

Email Inquiries and Retention

If you choose to contact us via email or support form, the contents of your message may be stored as long as necessary to fulfill your request, resolve disputes, or meet legal requirements. We never sell or disclose your messages. Once your inquiry is addressed, we retain only what is essential for compliance or audit purposes. You may request deletion of any correspondence at any time by emailing privacy@ivycyber.com.

Network Information and Retention

We make a good faith effort to:

• Retain server logs containing IP addresses for no more than 90 days.
• Retain IP addresses associated with registered users for no more than 12 months.

Geographic Information

We use the static and open source MaxMind GeoLite geographic IP database to perform regional lookups for shopping cart functionality, service diagnostics, and high-level metrics. This data is never used to identify individual users and is aggregated, optimized for privacy, and widely used across open source projects. GeoLite is utilized by our self-hosted Plausible instance privacysafe.click and further anonymized as described in “Website Metrics” below.

Hosting Providers

Ivy Cyber sites and software are securely hosted in the European Union. Hosting is selected to ensure compliance with EU General Data Protection Regulation (GDPR) and maintain high standards of privacy and reliability. We may use trusted subprocessors to help us operate our services. These processors are contractually bound to adhere to data protection requirements equivalent to those in this policy.

The promotional sales websites ivycyber.com and privacysafe.app are hosted in the United States and mirrored in Canada. These sites connect to payment processors through our online shopping cart and operate under the legal jurisdiction of Connecticut, United States, where Ivy Cyber Education LLC is incorporated.

Learning Platforms

We do not use third-party learning platforms to deliver educational content. All live classes and events are conducted via our own self-hosted, open source BigBlueButton conferencing server at privacysafe.live. Course materials and asynchronous class activities are hosted on our self-hosted, open source Canvas server at privacysafe.courses. These systems are maintained by Ivy Cyber and are not subject to third-party vendor analytics.

Conduct on Learning Platforms

By enrolling in courses or participating in workshops and live events through Ivy Cyber, users agree to maintain respectful, lawful, and ethical conduct within our learning environments. These environments include all sessions held via our BigBlueButton platform (privacysafe.live) and all interactions on our Canvas platform (privacysafe.courses).

• Engage in discussions and coursework with courtesy and professionalism.
• Respect the privacy and intellectual property of instructors and fellow students.
• Refrain from any form of harassment, abuse, discriminatory language, or disruptive behavior.
• Not share access credentials or distribute course content without permission.
• No doxxing or sharing of identity and/or personal and/or demographic information about other users without permission.

Violation of this code of conduct may result in removal from sessions, revocation of course access, ban from future participation without refund, or other punitive and/or legal action. Ivy Cyber reserves the right to take appropriate action in the interest of maintaining a safe and respectful learning environment.

By accessing our Ivy Cyber platforms, you acknowledge and accept these conditions as part of our overall Privacy Policy.

Payments and Third-Party Processing

Ivy Cyber utilizes the open source WooCommerce shopping cart, which facilitates your order payments through third-party Stripe (including Link By Stripe) and PayPal payment gateways. We go to great lengths to preserve your privacy but must process your payments through a provider, except in the case of cryptocurrency. For cryptocurrency information please see the “Cryptocurrency Payments” section below.

The Stripe and PayPal payment gateways provide a wide variety of international payment methods including credit and debit cards, ACH, Google Pay, Apple Pay, Venmo, WeChat, Cash App, and Klarna. If you ordered from Ivy Cyber in person at an event or conference, your payment was processed by Square. When making a payment, your financial information is transmitted securely using strong encryption to your chosen payment providers and banking networks which handle the payment processing.

Ivy Cyber does not directly store or process credit, debit, or bank account numbers or payment credentials. Your financial information is processed via encrypted transit to the secure payment provider gateways. By completing a transaction, you acknowledge that your information is being shared directly with the payment processor(s) and network(s) you select. These payment processor(s) and network(s) are responsible for handling any requests under GDPR and other applicable data protection regulations regarding your payment data. You can find more about their privacy practices and request data changes or deletions through the following links:

• Stripe Privacy Policy and Stripe GDPR Info
• PayPal Privacy Policy and PayPal GDPR Info
• Square Privacy Policy and Square GDPR Info

Cryptocurrency Payments

As an alternative to traditional payment methods, Ivy Cyber also accepts cryptocurrency payments in Bitcoin (BTC), Bitcoin Cash (BCH), Dogecoin (DOGE), Ethereum (ETH), Litecoin (LTC), Monero (XMR), Solana (SOL), Tether (USDT), and USD Coin (USDC).

We also support Bitcoin over the Lightning Network, Cardano (ADA), Ripple (XRP), Zcash (ZEC), and Tari (XTM) by request.

To honor the decentralized ethos of cryptocurrency and protect the privacy of our customers, we do not automatically forward payment or customer information to exchanges or third-party processors. All cryptocurrency transactions are handled manually to ensure accuracy and confidentiality. We recommend and prioritize Monero (XMR) transactions whenever possible.

If you would like to arrange a cryptocurrency payment, please review the information at https://ivycyber.com/crypto or email orders@ivycyber.com. Cryptocurrency transactions are handled manually to ensure privacy and payment accuracy. Do not send payment until you have received confirmation and instructions. Cryptocurrency payments are final. You are responsible for ensuring correct wallet address and network selection. Ivy Cyber is not responsible for funds lost due to user error or incompatible transactions.

Transactional Data Retention

Ivy Cyber uses the open source WooCommerce shopping cart, which provides granular control over data retention. We retain transactional data for only as long as it is necessary to fulfill orders, comply with legal obligations, and support basic operational needs.

Data associated with orders and accounts is removed or obfuscated when it is no longer needed for processing. These are our current retention periods:

• Inactive accounts: Retained for 12 months. Accounts that have not logged in or placed an order during this time are deleted. Related orders are anonymized as guest orders.
• Pending orders: Retained for 1 week. These unpaid orders are considered abandoned and will be automatically removed.
• Failed orders: Retained for 1 week. These are orders that failed payment and will be deleted after this duration.
• Cancelled orders: Retained for 1 month before being deleted.
• Refunded orders: Retained for 12 months. Personally identifying information is obfuscated after this period.
• Completed orders: Retained for 12 months. Personally identifying information is obfuscated after this period.
• Ended subscriptions: Retained for 12 months. Personally identifying information is obfuscated after this period.
• Stripe metadata: Retained for 12 months. This includes metadata such as Stripe customer and source IDs.

We do not store credit card numbers, bank account numbers, or full payment credentials on our servers. These are transmitted securely to payment gateways via encrypted protocols and processed externally by trusted providers.

Our security practices align with the NIST Cybersecurity Framework (CSF), including data retention and protection controls. Data retention policies are designed to comply with legal obligations (such as those under the GDPR and CCPA) and business-critical needs. In all cases, Ivy Cyber retains personal data only for the shortest feasible duration necessary to meet those obligations and requirements. If you have a data removal or access request, please contact us at privacy@ivycyber.com.

Embedded Content

We avoid loading third-party content unless necessary. Where feasible, we embed videos using self-hosted players or privacy-respecting frontends such as Invidious for YouTube. In cases where this is not technically feasible or would significantly hinder accessibility or user experience, we may embed third-party content (e.g., YouTube, Vimeo) directly. When doing so, we make a good faith effort to minimize privacy impact and inform users when external content may subject them to third-party data collection.

Specific Web Applications

PrivacySafe Link, PrivacySafe Locker, PrivacySafe Bot, and StickTock.com

PrivacySafe Link privacysafe.link, PrivacySafe Locker privacysafe.locker, PrivacySafe Bot privacysafe.bot, and StickTock at sticktock.com are privacy-first applications built to operate within your web browser using client-side cryptographic tools. These platforms are designed so that your data is not stored on Ivy Cyber owned servers to the greatest extent possible. Whether you’re sharing a secure link, sharing a file privately, generating strong passwords, or viewing TikTok videos safely, these apps attempt to know as little about you as possible and put cryptographic keys in the control of your local web browser.

These tools do not utilize cookies and are intentionally designed to remove tracking and external dependencies. High-level IP logging may occur strictly for abuse prevention and server performance diagnostics. When logged, this data is subject to the “IP Logging and Session Metadata” standards outlined above. High-level traffic statistics are collected through our website via a self-hosted instance of the privacy-oriented Plausible.io at the domain privacysafe.click. Plausible counts users without cookies. Plausible is GDPR-compliant and goes to great lengths for anonymity of HTTP requests, as outlined in “Website Metrics” below.

Each application is Free and Open Source Software (FOSS) and independently verifiable. You can inspect the code or contribute via the following repositories:

• PrivacySafe Link

• PrivacySafe Locker

• PrivacySafe Bot

• StickTock

In addition, each tool is available via a Tor .onion hidden service for enhanced anonymity. You can find the Tor service links in the footer of each respective web application.

PrivacySafe Search

PrivacySafe Search privacysafe.is is a privacy-respecting metasearch engine built on the open source SearXNG platform. It allows users to query multiple search providers simultaneously without being tracked across the web, stripping personal identifiers from requests and returning results anonymously. Our implementation is self-hosted and designed to protect search privacy with strict privacy settings while offering a familiar user experience.

PrivacySafe Search does utilize cookies, but only for essential session functionality. These cookies enable query submission and allow users to save preferences such as language and safe search filters. They are not used for tracking, advertising, or analytics. The use of these essential cookies is governed by the “Cookies” section of this privacy policy and complies with the EU General Data Protection Regulation (GDPR). High-level IP logging may occur strictly for abuse prevention and server performance diagnostics. When logged, this data is subject to the “IP Logging and Session Metadata” standards outlined above.

PrivacySafe Social

PrivacySafe Social privacysafe.social is a privacy-respecting social media platform based on the open source Mastodon software. As a federated platform, it allows users to communicate across other compatible networks while maintaining strong user data protections. Our implementation is independently hosted at privacysafe.social, with additional safeguards tailored to align with the broader Ivy Cyber mission of digital sovereignty and minimal data retention.

Because PrivacySafe Social is a distinct service with its own technical and legal considerations, it operates under a separate privacy policy, available at https://privacysafe.social/privacy-policy. For details on how your information is processed when using the social platform, please review that dedicated privacy policy. It outlines how metadata, posts and content data, and user data are handled specifically on thePrivacySafe Social platform, in accordance with both GDPR principles and user-controlled data practices.

Website Metrics

High-level traffic statistics are collected through our website via a self-hosted instance of the privacy-oriented Plausible.io at the domain privacysafe.click. Plausible counts users without cookies. Plausible is GDPR-compliant and goes to great lengths for anonymity of HTTP requests:

“Every single HTTP request sends the IP address and the User-Agent to the server so that’s what we use. We generate a daily changing identifier using the visitor’s IP address and User-Agent. To anonymize these datapoints and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. The raw data IP address and User-Agent are never stored in our logs, databases or anywhere on disk at all.

Old salts are deleted every 24 hours to avoid the possibility of linking visitor information from one day to the next. Forgetting used salts also removes the possibility of the original IP addresses being revealed in a brute-force attack. The raw IP address and User-Agent are rendered completely inaccessible to anyone, including ourselves.”

Link Shortening Service

Ivy Cyber and our PrivacySafe websites and web applications utilize a self-hosted, privacy-respecting URL shortener at psafe.ly, which is based on the open source Kutt.it. This service is intentionally configured to eliminate tracking mechanisms and external dependencies, aligning with our broader commitment to user privacy. Click rate and visitor metrics may be retained in aggregate form, but no identity or demographic information about users is collected.

While the platform avoids collecting personal data, high-level IP logging may occur solely for the purposes of abuse prevention and server diagnostics. High-level IP logging may occur strictly for abuse prevention and server performance diagnostics. When logged, this data is subject to the “IP Logging and Session Metadata” standards outlined above.

Information Sharing

We do not share information resulting from the use of our products and services unless we have a legally valid reason to do so.

We reserve the right to disclose information that we believe, in good faith, is appropriate or necessary to: (1) protect ourselves against liability, fraudulent, abusive, or unlawful activity, (2) investigate and defend ourselves against substantive legal claims or allegations, (3) protect the integrity of our facilities or equipment used to produce or provide our products or services, or (4) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.

Data Breach Notification

We take security seriously and have implemented measures to prevent unauthorized access or disclosure of personal data. In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and relevant authorities in accordance with applicable data protection laws, including the GDPR and CCPA.

Disclaimer of Warranty

THERE IS NO WARRANTY FOR SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE SOFTWARE “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU. SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY PARTY BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SITE OR SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Governing Law and Dispute Resolution

These Terms are governed by the laws of the State of Connecticut, United States, without regard to its conflict of laws principles. If a dispute arises between you and Ivy Cyber relating to these Terms, the use of our Services or Products, or any related issue, we aim to resolve it fairly and efficiently. Most concerns can be resolved informally by contacting our team at legal@ivycyber.com.

If informal resolution is not possible, you may choose to resolve the dispute through final and binding arbitration or by pursuing a claim in a court of competent jurisdiction located in New Haven County, Connecticut. Arbitration, if selected, will be conducted by a mutually agreed provider using procedures designed to minimize cost and complexity.

Nothing in this section prevents either party from seeking injunctive or equitable relief in court when appropriate, especially in matters involving intellectual property or misuse of services. We do not require users to waive their rights to participate in a class action or collective proceeding. However, we ask that individual disputes be attempted in good faith before collective legal action is considered.

Changes To This Policy

We reserve the right, at our discretion, to change, modify, add, or remove portions of this policy at any time by posting updates here. You should review this policy regularly. If we plan to use personal data in a new way, we will provide you the opportunity to opt out of such differing uses. Notice of significant changes may also be made via social media channels:

• Mastodon: https://privacysafe.social/@IvyCyber
• Twitter X: https://x.com/@IvyCyberEd
• Bluesky: https://bsky.app/profile/ivycyber.com

Contact Information

Business Address:
Ivy Cyber Education LLC
1204 Main St Num 1197
Branford, CT 06405-3787
+1 (929) 748-7233
privacy@ivycyber.com

 

---

Legitimate Interests Assessment (LIA)

Assessment Date: June 14, 2025
Next Review Date: December 14, 2025

Why We Publish This

At Ivy Cyber, we treat privacy as a core principle, not just a legal obligation. While the General Data Protection Regulation (GDPR) allows companies to conduct Legitimate Interests Assessments (LIAs) privately, we publish ours to ensure that our users, partners, and regulators understand how and why we process personal data.

We believe transparency fosters trust. Publishing this assessment demonstrates our commitment to data minimization, privacy by design, and ethical software development. It outlines our rationale, safeguards, and intent as we carry out necessary operations across our educational, media, and privacy technology platforms.

1. Purpose Test

What is the purpose of the processing?

Ivy Cyber processes minimal personal data to operate, maintain, and secure its services. This includes:

• User authentication and login security
• Administrative communication (e.g., account and enrollment notifications)
• Abuse prevention and moderation enforcement
• Collection of high-level, privacy-respecting metrics via a self-hosted instance of Plausible
• Order and subscription processing
• Security diagnostics and fraud detection

Is there a legitimate interest behind the processing?

Yes. Our legitimate interests include:

• Delivering and securing educational and software services
• Fulfilling purchase and subscription orders
• Ensuring lawful and respectful participation in learning environments
• Preventing abuse, spam, and service degradation
• Meeting obligations under GDPR, CCPA, and other applicable regulations

2. Necessity Test

Is the processing necessary for the intended purpose?

Yes. The processing we perform is essential to the secure and functional operation of our systems. Specifically:

• IP addresses are logged briefly to support login, session management, and abuse prevention
• Cookies are used solely for session persistence and interface preferences
• No behavioral profiling, fingerprinting, or advertising trackers are used
• User data is never sold or shared for marketing purposes

We avoid third-party scripts and tracking mechanisms wherever possible. However, there are two limited exceptions:

1. Order Fulfillment: When users complete purchases or donations, third-party scripts are embedded to securely connect to Stripe and PayPal. These are necessary for payment authorization and fraud prevention. Ivy Cyber does not store or process full payment credentials.
2. Embedded Content: Where possible, we embed videos using self-hosted players or privacy-respecting frontends (e.g., Invidious for YouTube). In some cases, embedded third-party content (e.g., YouTube or Vimeo) is used when self-hosting is not feasible or would negatively affect accessibility, compatibility, or user experience. We make a good faith effort to inform users when external content may impact their privacy.

Can less intrusive means be used to achieve the purpose?

We have already implemented the least intrusive methods available. These include:

• Use of open source, self-hosted infrastructure for core services (e.g., BigBlueButton, Canvas, Plausible)
• No use of third-party analytics platforms, CDN-based trackers, or advertising beacons
• Cryptographic data handling and minimal storage durations
• Manual cryptocurrency processing to avoid third-party disclosure

3. Balancing Test

Would individuals reasonably expect this data to be processed?

Yes. We make our data processing practices clear in our publicly available Privacy Policy (https://ivycyber.com/privacy) and Terms & Conditions (https://ivycyber.com/terms). Users interact with Ivy Cyber in contexts (e.g., education, privacy software, media) where secure processing of minimal data is reasonable and expected.

What is the nature of the data being processed?

We process only:

• Basic account information (e.g., email, username)
• Session metadata (e.g., IP address, browser user-agent)
• Order-related details (e.g., purchased item, payment method via Stripe or PayPal)
• Aggregated geographic data (used for currency selection, regional pricing, and high-level metrics)

We use the static and open source MaxMind GeoLite geographic IP database to perform regional lookups for shopping cart functionality, service diagnostics, and high-level metrics. This data is never used to identify individual users and is aggregated, optimized for privacy, and widely used across open source projects. We do not collect sensitive categories of data (e.g., health, biometrics, racial/ethnic identity) unless explicitly required for user-submitted inquiries, and only then with purpose-limited retention.

Could the processing cause unwarranted harm or intrusion?

Unlikely. Ivy Cyber designs all services with minimalism and cryptographic protections in mind. We do not track behavior, profile users, or engage in targeted advertising. Payment and embedded content are handled transparently, and optional where possible.

Are safeguards in place?

Yes. Ivy Cyber has implemented:

• TLS encryption across all services
• Role-based access control for internal systems
• Self-hosted software infrastructure whenever feasible
• Data minimization in design and operation
• Anonymized metrics collection
• Limited use of external scripts only at payment or explicit user request
• Staff training and periodic audits

Conclusion

Ivy Cyber’s processing of personal data under the GDPR legitimate interest basis is narrowly scoped, proportionate, and reasonable. We avoid unnecessary data collection, implement strong safeguards, and review these practices regularly. Publishing this assessment is part of our broader mission to develop and promote privacy-respecting digital infrastructure.

Signed by:
Sean O’Brien
Chief Executive Officer
Ivy Cyber Education LLC
privacy@ivycyber.com