Last updated: March 6, 2026

Privacy Policy

This policy explains what personal data EtcSec collects, how we use it, how long we retain it, and which rights you can exercise when using our identity security platform.

Data Controller

EtcSec is the data controller for personal data collected through etcsec.com and the related platform services.

For any privacy or data processing request, contact: [email protected]

Information We Collect

Account data

  • Email address and name provided during registration
  • Organization name and workspace details
  • Authentication credentials stored in hashed form

Audit data

Security audit results submitted through ETC Collector for Active Directory and Microsoft Entra ID environments.

Self-hosted collection model

ETC Collector runs on your infrastructure. In standalone mode, collected data stays local. In SaaS mode, processed findings are transmitted to EtcSec over encrypted TLS connections with scoped authentication tokens.

Usage data

  • Browser type, IP address, and visited pages
  • Product usage analytics used to improve reliability and usability

How We Use Your Information

  • Provide and maintain the identity security audit service
  • Generate security findings, MITRE ATT&CK mappings, and remediation guidance
  • Send service communications such as security alerts and important product notices
  • Improve platform reliability, detection coverage, and customer support
  • Comply with legal and regulatory obligations

Data Storage and Security

  • Data is hosted within the European Union
  • Encryption at rest and encryption in transit are enabled
  • Scoped authentication tokens are used instead of long-lived shared secrets
  • Access controls and audit logging protect administrative actions
  • Security monitoring and internal reviews are performed on the production environment

Data Sharing

We do not sell your data. We do not disclose personal data to third parties for advertising or unrelated marketing purposes.

  • Infrastructure providers required to operate the service, such as hosting and content delivery vendors
  • Competent authorities when disclosure is required by law or legal process

We do not transfer personal data outside the European Union without appropriate safeguards required under applicable law.

Your Rights Under GDPR

If GDPR applies to your data, you can exercise the following rights:

Right of access

Request a copy of the personal data we hold about you.

Right to rectification

Ask us to correct inaccurate or incomplete personal data.

Right to erasure

Request deletion of your personal data when applicable.

Right to restrict processing

Ask us to limit how we use your data in specific cases.

Right to data portability

Receive your data in a portable format when applicable.

Right to object

Object to certain processing activities where the law allows it.

To exercise these rights, contact [email protected].

Cookies

We use only essential cookies required for authentication, session continuity, and interface preferences. We do not use third-party advertising cookies.

Cookie | Purpose | Duration
etcsec_access_token | Authentication session | 24 hours
etcsec_refresh_token | Session renewal | 7 days
etcsec_theme | Interface theme preference | Persistent

Data Retention

  • Account data: retained while your account is active and for a limited period after deletion when required for support, security, or legal reasons.
  • Audit data: retained according to your subscription plan and workspace configuration.
  • Usage logs: kept for a limited period necessary for security monitoring, troubleshooting, and abuse prevention.

Policy Changes and Contact

We may update this privacy policy from time to time. When changes materially affect how we process personal data, we will update the date above and, when appropriate, notify customers through the platform or by email.

If you have any questions about this privacy policy, contact [email protected] or visit our contact page.
