Privacy Policy
Effective 2026-05-02 · governs Cybool's direct relationship with end-users of the Platform. The Data Processing Addendum governs Cybool's processing of Customer Personal Data on behalf of Partners + Clients.
1. Who we are
SymbioLab Ltd. ("Cybool"), an Israeli company, operates the Cybool Platform.
- Privacy contact: dpo@cybool.com
- General contact: hello@cybool.com
- EU representative (Article 27): pending appointment via counsel
2. Personal data we process directly
- Account data: email, name, role, partner / client membership.
- Authentication data: magic-link tokens, session timestamps, IP address at sign-in.
- Usage data: per-tenant access log, audit log of actions performed.
- Support correspondence: emails to security@, dpo@, hello@.
3. Personal data we process on a customer's behalf
Tenant content (findings, alerts, evidence files, AI Copilot chat history, vendor PII, etc.) is stored per-tenant under Row-Level Security and processed only as a processor under the DPA. We do not use tenant content to train AI models. Anthropic and Mistral sub-processors are contractually bound not to retain or train on Cybool customer data.
4. Lawful bases (GDPR Art. 6)
- Performance of contract (Art. 6(1)(b)) — to provide the Platform you signed up to use.
- Legitimate interest (Art. 6(1)(f)) — security monitoring of the Platform itself (audit log, abuse detection) and improving service quality. We balance this interest against your fundamental rights.
- Legal obligation (Art. 6(1)(c)) — billing records, NIS2 incident-reporting where applicable.
- Consent (Art. 6(1)(a)) — only for optional analytics or marketing communications, which you can withdraw at any time.
5. Your rights
Subject to applicable law you have the right to:
- Access the Personal Data we hold about you.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten") where one of the GDPR Art. 17 grounds applies.
- Restriction of processing.
- Data portability for data you provided.
- Object to processing based on legitimate interest.
- Withdraw consent for consent-based processing.
- Lodge a complaint with your local supervisory authority. The Israeli Privacy Protection Authority oversees Cybool's home jurisdiction; the Irish Data Protection Commission is our lead supervisory authority for EU operations once we appoint our Article 27 representative.
To exercise any right, email dpo@cybool.com.
6. Retention
- Audit log: minimum 12 months; some categories retained 7 years for legal-hold purposes per /trust §6.2a.
- Account + auth data: while your account is active + 90 days after closure.
- Backups: overwritten on the next rotation cycle (max 12 months).
7. International transfers
Personal Data is stored in the EU. Where transfers to third countries occur (e.g. for vendor support), they are covered by EU Standard Contractual Clauses and supplementary measures as documented in the DPA.
8. Security
See /trust for the platform's security posture (encryption, RLS, MFA, audit-log integrity, backup + DR, annual penetration testing, incident-response process).
9. Cookies
The Platform uses strictly-necessary cookies for session management. We do not use third-party advertising cookies. Optional analytics, if enabled, are documented in the cookie banner.
10. Children
The Platform is not directed to individuals under 16. We do not knowingly collect data from children.
11. Changes
We may update this Privacy Policy. Material changes are notified at least 30 days in advance via in-app banner and email to the account-owner contact.
Privacy contact: dpo@cybool.com · Effective date: 2026-05-02.