Privacy Policy

Last updated: 2025-02-19

1. Introduction

Behavent ("we", "us", "our") is committed to protecting your privacy. We collect only what is necessary, encrypt data with per-user keys, and never sell your data. This policy explains how we collect, use, store, and protect your information.

2. Data We Collect

We collect:

  • Account data: Email, name (if provided), and authentication credentials managed via our identity provider (FusionAuth).
  • Profile & onboarding: Technical competency level, region, age range, and preferences you choose during signup or in settings.
  • Activity & usage: Login events, assessment responses, learning progress, and tool usage to personalise your experience and improve our Services.
  • Optional consents: If you opt in, we may use identifiers for exposure checks (e.g. breach lookups), personalise simulations, or aggregate anonymised data for research—see our Community & BRX page for details on anonymised data use.

3. How We Use Your Data

We use your data to:

  • Provide and improve the Services
  • Compute risk scores and recommendations
  • Personalise training and assessments
  • Send essential notifications (e.g. score updates, learning completion)
  • Comply with legal obligations and enforce our Terms
  • Support you when you contact us

We process data within strict trust boundaries. Raw personal identifiers stay in our PII Vault; other systems use pseudonymous references (BIF) only. Our AI and analytics planes never receive raw PII.

4. Data Storage & Security

All sensitive data is encrypted at rest and in transit. We use per-user encryption keys (DEK) and AWS KMS. DynamoDB and S3 are encrypted. We follow least-privilege access and audit logging practices, and we never store secrets in code or logs.

5. Sharing & Third Parties

We do not sell your data. We share data only with:

  • Service providers: AWS (hosting), FusionAuth (identity), Cloudflare (edge/DNS), and email delivery—under strict contracts.
  • Exposure checks: If you consent, we may query third-party APIs (e.g. Have I Been Pwned) using hashed identifiers; we do not send raw PII.
  • Legal: When required by law or to protect our rights and safety.

6. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data in your profile
  • Deletion: Request account and data deletion (GDPR right to be forgotten; we cascade deletion across systems)
  • Portability: Receive your data in a machine-readable format
  • Revoke consent: Withdraw optional consents at any time in settings

Contact privacy@behavent.com to exercise these rights. We will respond within applicable time limits (e.g. 30 days under GDPR).

7. Retention & Deletion

We retain data only as long as needed for the stated purposes. User deletion requests trigger cascade deletion across our systems. Backups follow controlled purge schedules. Deletion events are audited.

8. Cookies & Tracking

We use essential cookies for authentication and session management. We may use analytics cookies (anonymised) to improve the platform. See our Cookie Policy for details.

9. Children & Age

Behavent is not intended for users under 13. Users aged 13–15 may require parental consent. Minor accounts have restricted access to certain tools (e.g. OSINT) and reduced analytics/marketing. We do not knowingly collect data from children under 13.

10. International Transfer

Data is processed primarily in AWS regions you select or as configured. If we transfer data outside the EEA, we use appropriate safeguards (e.g. SCCs).

11. Changes

We may update this policy from time to time. Material changes will be communicated via email or in-app notice. Continued use after changes constitutes acceptance.

12. Contact

For privacy questions or to exercise your rights: privacy@behavent.com. For security concerns, see our Security page.