Privacy Policy

Effective date: March 12, 2025

INTRODUCTION

This Privacy Policy (“Privacy Policy”) provides information about how Cyber Protection Insurance Services Inc. (f/k/a Cyber Protection Inc.) ("NordProtect," "we," "us," or "our") collect, use, disclose, and safeguard your information when you visit our website [www.nordprotect.com] ("Website") and use our Services (“Services”). This Privacy Policy also describes your rights under applicable U.S. state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA).

By visiting our Website, by submitting your personal information to us, and by accessing or using our Services, you confirm that you have read this Privacy Policy and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy or any provisions hereof, please do not use our Services and Website.

Notice at Collection: NordProtect is a comprehensive suite of Identity Theft Protection and Cyber Protection Services designed to monitor personal information, alert individuals to potential threats, and provide assistance in the event of identity theft. In providing these services, we collect personal information as detailed in this Privacy Policy.

Additional information on your personal information may also be indicated in contractual terms, supplemental privacy statements, or notices.

PERSONAL INFORMATION WE COLLECT AND WHY

This section describes the various types of personal information we collect from and about you, and it may vary depending on the Services you use.

We collect personal information when you:

Purchase the Services from NordProtect. When you purchase our Services, we collect and process the information necessary to complete your purchase, manage your subscription, and provide access to the Services. This includes your email address, the subscription plan you have chosen, subscription term, subscription ID, subscription frequency, amount, currency, status, auto-renewal status, and details about enabled or disabled features, such as multi-factor authentication (MFA). Additionally, we collect payment-related information to facilitate transactions.
We collect basic payment information from you through our third party payment processor. This is necessary for processing payments and handling refund requests. This includes details such as the date of purchase, payer’s IP address, postal (ZIP) code, the credit card owner’s full name, credit card number, and expiration date. This information is collected to manage recurring payments, process transactions you initiate, and ensure secure payment handling. Additionally, it helps us comply with legal requirements, such as fraud prevention, and maintain accurate financial records.
Purchase the Services as Part of a Bundled Subscription. When you subscribe to our Services as part of a bundled offering through an Authorized Reseller, we collect information necessary to verify your eligibility. This may include details such as your subscription status, account identifiers, or payment validation shared by the partner. We use this information to confirm your eligibility, activate your access to the Services, and ensure compliance with the terms of the bundled offering.
Create an Account. In the course of creating your account, we will collect your personal identifier (email address), billing information (if necessary), country, address, status of multifactor authentication (“MFA”), and other information necessary for account creation. We use this information to create and manage your account.
Enable NordProtect Features. When you enroll in certain features available on the Service, such as Credit Monitoring Services or Dark Web Monitoring, we may collect additional personal information. For example, for Credit Monitoring Services, we collect your full name, date of birth, address, Social Security number (“SSN”), and phone number to verify your identity and provide you with the Services. We also receive your credit information from a credit reporting agency to notify you of any changes to your credit file.
For Dark Web Monitoring, we collect personal information that you want to monitor, such as your email address, phone number, and SSN. If we detect a breach involving your personal information or credentials, we’ll send you a security alert with steps to take to protect them. You can manage (add or remove) your monitored personal information in your NordProtect account at any time.
Verifying Your Identity. Some of our Services, such as Credit Monitoring, require identity verification to enroll. For this purpose, we collect your full name, address, date of birth, SSN and email address.
Interact with Our Services. We gather information about how you use our Services, such as which features you enroll in and how often you use them. We also automatically collect data like your IP address, location, time zone, and device details. This information is used to prevent fraud and keep our Services secure. Additionally, we collect some analytical data to better understand how our Services are used to improve the Services and your experience using them.
Submit a Customer Support Inquiry. When you submit a customer support inquiry, we collect any information that you share with our customer support team that is necessary to resolve the query. This may include details required for verification, operating system information, device details, and more.
Respond to Surveys or Provide Feedback: We collect data when you fill out online forms, respond to surveys, provide feedback, post comments, participate in promotions, or engage in forums or social networks. This information helps us improve our Services and better understand users' preferences and experiences.
Interact with the Website. In addition to the personal information you provide directly to us, we collect certain information on our Website through cookies, pixels, web beacons, and similar tracking technologies. This includes, but is not limited to, essential, performance, marketing, and analytics cookies to collect your usage, device, and location information when you interact with the Website. We use this information to: (i) track you within the Website; (ii) enhance user experience; (iii) conduct analytics to improve the Website; (iv) prevent fraudulent use of the Website and, in cases of abuse, track and mitigate the abuse; (v) troubleshoot and fixing Website errors. You can control the use of cookies at the browser level or using the “Cookie Preferences” link in our Website footer. More information about cookies and their usage can be found in our Cookie Policy.

We also process personal information for the following purposes:

To Fulfill Our Contractual Obligations. We use your personal information to fulfill our contractual obligations to you, such as creating and managing your account, implementing access controls, verifying your identity to access our Services or features, managing your subscription, keeping you updated on the status of your Services, sending you alerts about incidents detected on the Dark Web or about critical changes on your credit report and providing you with technical and customer support.
To Advertise Our Services. We use your personal information to communicate with you about our Services, including sending you information about additional Services, features, or promotions that may interest you. You can unsubscribe from these communications at any time through your NordProtect account settings.
To Improve and Optimize Our Services. Where applicable, we have a legitimate interest in using personal information for measurement, research, and analytics, including to plan for and develop new Services. For example, we may analyze certain usage information to understand how users interact with our services and identify areas for improvement. Additionally, we may use users' feedback to determine what new services they may be interested in.
For Security and Fraud Prevention. We may use information for security purposes (such as to investigate security issues or to monitor and prevent fraud) and to prevent abuse. We may do this to comply with our legal obligations, to protect an individual’s vital interests, or because we have a legitimate interest in preventing harm or liability to us and our users. For example, we may use account, usage, and device information to determine if a user is engaging in abusive or unauthorized activity in connection with our Services.
For Legal Compliance. We may use personal information as required by applicable laws and regulations and to prevent harm to our business. We are obliged to comply with legal requirements, tax and accounting obligations, and other regulatory requirements. We also have an interest in protecting our legal rights, resolving disputes, and defending ourselves against legal claims.
Aggregate and Anonymize Data. We aggregate and anonymize the data we collect for benchmarking purposes and for internal analytics. We maintain and use this data in de-identified form.

DATA RETENTION

We retain your personal information for as long as it is necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, or as required or permitted by applicable law. The duration of retention may vary based on the type of information, the nature of our relationship with you, and legal or regulatory obligations.

Specifically, we may retain personal information for the following reasons:

Provision of Services. To maintain your account and provide ongoing Services or features, such as Credit Monitoring, Dark Web Monitoring, and Identity Protection Benefits.
Legal Compliance. To comply with legal and regulatory requirements, including retaining records for audit purposes, compliance with tax laws, or responding to lawful requests from governmental authorities. For example, when you exercise your rights to access, correct, or delete your information, we maintain records of these actions for 24 months in accordance with U.S. regulations, such as the CCPA.
Security and Fraud Prevention. To detect, investigate, and prevent fraudulent, malicious, or illegal activities, including identity theft and cyber threats. For example, some personal information will be retained after the expiration of your agreement, such as records indicating your use of our Services and the completion of the verification process.
Dispute Resolution. To resolve disputes, enforce our agreement, or as required by law to preserve information for legal proceedings.
Business Operations. For internal purposes such as data analysis, testing, research, and Services improvement, in a manner compliant with applicable privacy laws.

Once personal information is no longer needed for these purposes, we will securely delete, anonymize, or otherwise dispose of it in accordance with our data retention and destruction policies. In some instances, information may be retained in backups or archives for a limited period to ensure business continuity or disaster recovery.

If you have questions about our data retention practices or would like more specific information about the retention periods for particular types of personal information, please contact us at [email protected].

DISCLOSING OF PERSONAL INFORMATION

We may disclose your personal information to third parties when it is necessary to provide the Services that you have subscribed to or to support certain business activities on our behalf. Additionally, we may disclose your information when we are required to do so by law.

A list of Services that require us to share your personal information with our third-party service providers is provided below:

Credit Monitoring Services. For the provision of Credit Monitoring Services, you must enroll in the feature and pass identity verification/authentication. This involves sharing your personal information with our third-party service provider and their vendors to verify your identity, enroll you in the Services, and provide you with the credit scores and alerts.
Dark Web Monitoring Services. When you enroll in the feature and add your personal information to be monitored on the dark web, we will provide it to our third-party service provider for incident detection and alerting. You have an option to add or remove any of your personal information from the list of monitored assets and/or deactivate the feature at any time.
Identity Protection Benefits. We will provide certain personal information about you to the insuring company of our Group Policy to evidence your membership in the insured program and to verify your eligibility to receive the benefits and/or coverage.

We may also engage other third-party service providers to help us with various operations, such as payment processing, customer support. These activities may include, but are not limited to:

For Bundled Subscriptions. When you subscribe to a Bundled Subscription that includes Third-Party Services acquired through NordProtect, you agree that certain purchase information (e.g., your email address, subscription term, payment amount, and subscription ID) will be shared with the respective Third-Party Services provider. This information is used to activate and administer the subscribed Services, enhance your experience, and communicate with you about the Bundled Subscription and the Third-Party Services. When you use these Third-Party Services, your personal information is processed by the respective provider in accordance with its own procedures and privacy policies.
Payments processing. If you purchase our Services, a third-party payment processor may be used to process your payment. These processors are fully regulated and authorized to manage your payment information securely.
Marketing and Advertising. We may engage marketing partners to assist us in promoting our Services. In these cases, your contact information or other necessary data may be shared to facilitate campaigns.
Customer Support. If you engage with our customer support, we will provide your personal information and other details associated with your inquiry to provide you with the customer support.
Cloud Storage and IT Services. Your information may be stored on third-party cloud platforms and/or processed by managed IT service providers that help us to facilitate bringing the Services to you.
Phone Number Verification. We use a trusted third-party provider (such as Twilio) to verify your phone number if you choose to add it to the Dark Web Monitoring feature. This verification is necessary and is only used to facilitate the process and complete the verification.

In each case provided above, the disclosure of information is limited to the minimum extent that is necessary to achieve the purpose for which the data is disclosed. Our third-party service providers are bound by contractual obligations to keep your personal information confidential and secure and use it only for the purpose for which it was disclosed.

No Sale or Sharing of Personal Information

We do not buy, sell, or share any personal information, including phone numbers, with third parties. Your data is only used to provide our services, comply with legal obligations, or with your explicit consent.

We may also disclose your personal information if we are required to do so by law or to protect our rights under the following circumstances:

To Comply with Legal Requirements. We may disclose your personal information if we are required to do so by law or to comply with a valid court order.
Compliance with Orders of Law Enforcement Agencies or Governmental Authorities. We may provide your personal information to law enforcement agencies or government authorities if we are ordered to do so by a relevant governmental body, to report potential illegal activity, or to respond to national security requirements.
Protecting Our Rights, Property, or Safety. We may disclose your personal information to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also disclose such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of our Terms of Service.

Other disclosures may include:

To Our Group Companies. We may disclose your personal information to our group companies to carry out our daily business operations and to enable us to maintain and provide the Services to you.
Corporate Reorganization. In the event of corporate reorganization or if we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, acquisition, sale, joint venture, assignment, consolidation, transfer, change of control, or other disposition of all or any portion of our business, assets, or stock, we may need to share your personal information with the parties involved in the transaction, including the buyer or target (and their agents and advisors) for the purpose of facilitating and completing the transaction.
With Your Consent. Apart from the reasons identified above, we may request your permission to share your personal information for a specific purpose. We will notify you and request your consent before we disclose your personal information or before the personal information you have already provided is shared for such purpose.

YOUR PRIVACY RIGHTS AND CHOICES

Depending on your state of residence, you may have certain rights regarding your personal information. This section describes those rights and how to exercise them.

While these rights may apply only to some of the personal information we collect, for transparency purposes and your convenience, you can submit the following requests to us no matter where you live:

Notification Preferences. We may send you email marketing communication about our or our affiliate products, features and services that may be of interest to you. You can opt out from receiving these marketing and promotional emails from us at any time in your account settings (Notification preferences tab) and in every promotional email by clicking the unsubscribe link located at the bottom of each email. If you opt out from receiving marketing emails, we may still send you non-marketing communication, such as notifications about your products or services, responses to your requests and inquiries, or notices of updates to the Terms of Service or this Privacy Policy.
Right to Opt Out of Personal Information Sharing. You have the right to opt out of sharing any of your personal information, including for advertising purposes. We do not sell your personal information in any form, whether for monetary gain or for marketing purposes such as targeted advertising. However, if you'd like to further prevent sharing of your personal information for advertising purposes, you can enable Global Privacy Control in your browser. Please visit the Global Privacy Control website to learn more about this.
Right to Know and Access Your Personal Information. You have the right to request and the right to know the personal information we have collected about you, including: i) the categories of personal information that we’ve collected about you; ii) categories of sources from which personal information was collected; iii) the business or commercial purpose for collecting the personal information; and iv) the categories of third parties with whom we disclose or share your personal information with.
Right to Deletion of Your Personal Information. You have the right to request the deletion of your personal information, subject to certain exceptions. We may need to retain some personal information for reasons like completing a transaction, detecting fraud, complying with legal obligations, or other lawful purposes aligned with the context in which the data was collected.
Right to Correct Personal Information. If you notice any incorrect information about you in our records, you have the right to ask us to correct it. We may ask for some documents to support your request, and we'll make the changes unless we determine that the information collected is accurate.
Right to Dispute Your Credit Report. If your credit report information is incorrect, the FCRA permits you to dispute inaccurate or incomplete information in your credit by contacting each of the applicable credit reporting agencies directly. For more information on disputing your credit report, please read our Terms of Service.
Right to Limit the Use of Sensitive Personal Information. In certain states, you may have specific rights regarding the processing of sensitive personal information, which may include SSN, financial information, or information related to the identity theft incidents.

Processing of certain sensitive personal information is essential to provide the Services to you. For example, for Credit Monitoring Services, we process this information to monitor your credit file against suspicious credit activity and alert you about critical changes on your credit report. We wouldn’t be able to provide these Services to you without processing your sensitive personal information.

While privacy laws may grant the right to limit the use of sensitive personal information, in certain cases, this right does not apply when processing of such information is necessary for the provision of service you have subscribed for. Restricting our ability to process this information may result in the inability to render the Services to you.

Non-Discrimination: We will not discriminate against you for exercising your privacy rights. However, certain Services or features may be unavailable to you if you opt out of personal information sharing, and these Services depend on disclosing certain personal information with third parties to function properly. Additionally, some requests may be denied if we are unable to authenticate your identity or if fulfilling such requests would conflict with legal obligations.

Please note that there are exceptions and limitations to these rights, and while changes will be reflected in active user databases either instantly or within a reasonable period, we may retain personal information for purposes such as backups, archiving, fraud prevention, abuse detection, analytics, and compliance with legal obligations. We may also retain information when we have a legitimate business reason to do so, in accordance with the applicable laws.

HOW TO EXERCISE YOUR RIGHTS

To exercise the rights described above, please submit a request to us:

Via email: [email protected]
On the Service: through your NordProtect account settings

If you contact us by email, we may require additional information to verify your identity, such as details about your purchase, recent usage activity or other identifying information. Verification is necessary to make sure that we exercise the rights of an authorized user. If you don’t provide us enough information for user verification, it could delay or stop us from processing your request.

Only you, or a person that you authorize to act on your behalf, can make a request related to your personal information. If you are an authorized representative submitting a request on behalf of someone else, you must provide us with a proof of your authorization.

Certain privacy rights, such as requesting deletion, can be exercised directly through your account settings online. This method typically expedites the process and enhances security because it eliminates the need for separate identity verification and authentication.

DATA SECURITY

We maintain control over the personal information we collect to adequately protect the data. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:

Physical Measures. We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.
Technical Measures. We use layered defense with firewalls, anti-malware protection, and intrusion detection and prevention systems. Our infrastructure is regularly updated, and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.
Organizational Measures. We adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal information is granted on a need-to-know basis.

If we detect something suspicious, we will notify you without undue delay and guide you through steps to stay better protected. However, no company can guarantee the absolute security of internet communications because no technology is completely bulletproof. By using the Services and Website, you expressly acknowledge that we cannot guarantee the 100% security of personal information provided to or received by us through the Services and that any information received from you through Website or Services is provided at your own responsibility. If you have any reason to believe that your interaction with us is no longer secure, please notify us at [email protected]

CHILDREN’S DATA

We do not knowingly collect or solicit personal information from anyone under the age of 18. If you are under 18, please do not attempt to send any personal information about yourself to us. If we acknowledge that we have collected and processed personal information from a child under the age of 18, we will delete that data as quickly as possible.

OTHER TERMS

Limitation of Liability. To ensure the security of personal information, we employ various technical, physical, and organizational security measures; however, it is your responsibility to exercise caution and reason when using the Services and Websites. You will be personally liable if your use of the Services and Websites violates any third-party privacy or any other rights or any applicable laws. Under no circumstances shall NordProtect be liable for the consequences of your unlawful, willful, and negligent activities, and any circumstances that may not have been reasonably controlled or foreseen (please read our Terms of Service for more information).

Links to Other Websites. Our Website may include links to other websites (e.g., social media websites) whose privacy practices may be different from ours. If you access any of those websites via such links and/or submit your personal information to any of those websites, your personal information is processed by the procedures established by them and governed by their privacy policies. We encourage you to carefully read the privacy policy (or other respective privacy notice) of any website you visit.

Updates to the Privacy Policy. We develop our Services and Website, introducing new features or modifying current ones regularly. Therefore, we may need to amend the Privacy Policy from time to time. If the amendments to the Privacy Policy materially affect the activities of processing of your personal information, we will notify you in advance of such changes by reasonable means (e.g., notification through the respective applications, our Website, or via email), and we will always indicate the date of the last update. Unless it is stated by us otherwise, each update of the Privacy Policy comes into force as of the moment when the amended Privacy Policy is published on this Website. You are expected to check this Privacy Policy regularly so that you are familiar with the most current wording of the Privacy Policy. Your continued use of the Services and Website will be deemed acceptance thereof.