Privacy Policy
This policy explains what personal data EtcSec collects, how we use it, how long we retain it, and which rights you can exercise when using our identity security platform.
Data Controller
EtcSec is the data controller for personal data collected through etcsec.com and the related platform services.
For any privacy or data processing request, contact: [email protected]
Information We Collect
Account data
- Email address and name provided during registration
- Organization name and workspace details
- Authentication credentials stored in hashed form
Audit data
Security audit results submitted through ETC Collector for Active Directory and Microsoft Entra ID environments.
ETC Collector runs on your infrastructure. In standalone mode, collected data stays local. In SaaS mode, processed findings are transmitted to EtcSec over encrypted TLS connections with scoped authentication tokens.
Usage data
- Browser type, IP address, and visited pages
- Product usage analytics used to improve reliability and usability
How We Use Your Information
- Provide and maintain the identity security audit service
- Generate security findings, MITRE ATT&CK mappings, and remediation guidance
- Send service communications such as security alerts and important product notices
- Improve platform reliability, detection coverage, and customer support
- Comply with legal and regulatory obligations
Data Storage and Security
- Data is hosted within the European Union
- Encryption at rest and encryption in transit are enabled
- Scoped authentication tokens are used instead of long-lived shared secrets
- Access controls and audit logging protect administrative actions
- Security monitoring and internal reviews are performed on the production environment
Data Sharing
We do not sell your data. We do not disclose personal data to third parties for advertising or unrelated marketing purposes.
- Infrastructure providers required to operate the service, such as hosting and content delivery vendors
- Competent authorities when disclosure is required by law or legal process
We do not transfer personal data outside the European Union without appropriate safeguards required under applicable law.
Your Rights Under GDPR
If GDPR applies to your data, you can exercise the following rights:
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Ask us to correct inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data when applicable.
Right to restrict processing
Ask us to limit how we use your data in specific cases.
Right to data portability
Receive your data in a portable format when applicable.
Right to object
Object to certain processing activities where the law allows it.
To exercise these rights, contact [email protected].
Cookies
We use essential cookies for authentication, session continuity and interface preferences, a preference cookie that records your consent choices, and — only when you accept — analytics or marketing cookies (Google Tag Manager, Ahrefs). Umami itself is cookieless.
| Cookie | Purpose | Duration |
|---|---|---|
| etcsec_access_token | Authentication session | 24 hours |
| etcsec_refresh_token | Session renewal | 7 days |
| etcsec_theme | Interface theme preference | Persistent |
| etcsec_cookie_consent | Stores your cookie preferences (all / essential / custom) | 1 year |
| etcsec_locale | Remembers your language preference | 1 year |
| NEXT_LOCALE | Next.js locale sync (httpOnly) | 1 year |
Data Retention
- Account data: retained while your account is active and for a limited period after deletion when required for support, security, or legal reasons.
- Audit data: retained according to your subscription plan and workspace configuration.
- Usage logs: kept for a limited period necessary for security monitoring, troubleshooting, and abuse prevention.
Policy Changes and Contact
We may update this privacy policy from time to time. When changes materially affect how we process personal data, we will update the date above and, when appropriate, notify customers through the platform or by email.
If you have any question about this privacy policy, contact [email protected] or visit our contact page.