
Privacy Policy – CyberNova OÜ

Last Updated: December 2025

1. Introduction

This Privacy Policy (“Policy”) explains how CyberNova OÜ, a private limited company incorporated under the laws of the Republic of Estonia (“CyberNova”, “we”, “us”, or “our”), collects, processes, stores, safeguards, transfers, and deletes personal data in the course of providing cybersecurity, digital risk management, consultancy, and related professional services (“Services”).

This Policy has been drafted in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)

  • Estonian Personal Data Protection Act

  • UK GDPR and Data Protection Act 2018

  • Swiss Federal Data Protection Act (FADP)

  • EU Directive 2022/2555 (NIS2 Directive)

  • Relevant guidance from the European Data Protection Board (EDPB)

  • International standards, including ISO/IEC 27001, ISO 27701, PCI-DSS, NIST Cybersecurity Framework and Tier I–III data centre practices

This Policy applies to all clients, prospective clients, website visitors, and authorised users who interact with CyberNova’s websites, platforms, or Services.

By accessing or using our Services, you acknowledge that you have read and understood this Policy.

2. Data Controller

The Data Controller for all processing activities described herein is:

CyberNova OÜ
Registry No.: 17267279
Registered Office: Lõõtsa tn 5, Lasnamäe district, Tallinn 11415, Estonia
Email: legal@cybernovaprotect.com

CyberNova may act as a Data Processor where explicitly agreed in writing, particularly in incident response or log analysis scenarios. In such cases, a Data Processing Agreement (DPA) will apply pursuant to Article 28 GDPR.

3. Lawful Bases for Processing

CyberNova processes personal data exclusively under the lawful bases permitted by the GDPR, including:

3.1 Contractual Necessity (Art. 6(1)(b) GDPR)

For the performance of contracts, service delivery, billing, authentication, and the provision of technical and advisory support.

3.2 Legitimate Interests (Art. 6(1)(f) GDPR)

For ensuring platform security, maintaining logs, preventing fraud, optimising Services, enforcing acceptable use policies, and protecting CyberNova’s infrastructure. Legitimate interest assessments (LIA) are performed as required.

3.3 Legal Obligation (Art. 6(1)(c) GDPR)

For compliance with accounting, tax, security, audit, and regulatory obligations under GDPR, NIS2, and Estonian law.

3.4 Explicit Consent (Art. 6(1)(a) and Art. 49(1)(a) GDPR)

For international data transfers, marketing communications, optional cookies, and other activities requiring informed consent.

3.5 Vital Interests (Art. 6(1)(d) GDPR)

Applicable only in exceptional circumstances where processing is necessary to protect vital interests, particularly during security incidents.

3.6 Public Interest (Art. 6(1)(e) GDPR)

Applicable solely when working with entities falling under specific public interest or critical infrastructure mandates. This basis is used sparingly and only when legally justified.

4. Categories of Personal Data Processed

CyberNova may process the following categories of personal data:

4.1 Identity and Contact Information

Full name, job title, business email, business phone number, company name and registered address.

4.2 Account and Authentication Data

Usernames, access control information, two-factor authentication details, and login metadata.

4.3 Billing and Financial Information

Billing details, invoicing data, tax identifiers, and payment confirmation information.
CyberNova does not store full credit card numbers.

4.4 Technical and Service Usage Data

IP addresses, device identifiers, security scan metadata, logs, performance data, platform usage statistics, and incident reports.

4.5 Marketing and Communication Preferences

Information voluntarily provided for newsletters, webinars, events, or promotional materials.

5. Data We Never Collect Under Any Circumstances

To ensure transparency and scope limitation, CyberNova does not collect, store, analyse, infer, or process:

  • biometric identifiers

  • genetic or health information

  • facial recognition data

  • location tracking data

  • personal emails or internal documents unless voluntarily submitted for diagnostics

  • special category data under Art. 9 GDPR unless explicitly provided for a specific service

  • children’s data (persons under 16)

  • behavioural advertising profiles

  • employee surveillance or productivity monitoring

  • financial account numbers or payment card details (beyond confirmation tokens)

  • political beliefs, religious opinions, union membership

  • any data unrelated to the Services

6. Purposes of Processing

CyberNova processes personal data for the following purposes:

  • delivering cybersecurity and consulting services

  • generating technical and executive-level deliverables

  • managing subscriptions and billing

  • administering accounts, access, and authentication

  • providing customer support

  • enhancing, optimising, and securing our platforms

  • protecting systems from unauthorised access

  • complying with legal and regulatory obligations

  • conducting threat analysis and incident diagnostics

  • CRM and client relationship management

CyberNova does not use personal data for advertising profiling, resale, data brokerage, or automated decision-making with legal or significant effects.

7. Data Sharing and Subprocessors

CyberNova does not sell, rent, trade, or commercially exploit personal data.

We may share personal data with:

7.1 Authorised Subprocessors

This includes service providers meeting stringent GDPR, NIS2, ISO/IEC 27001, PCI-DSS, or equivalent standards, such as:

  • hosting and website infrastructure providers

  • CRM and analytics tools

  • SIEM and SOC monitoring systems

  • payment processors

  • Innova Group operational infrastructure (where necessary)

Each subprocessor is bound by:

  • written data processing agreements (Art. 28 GDPR)

  • confidentiality terms

  • strict access limitations

  • audit and compliance oversight

7.2 Legal and Regulatory Authorities

Disclosure is made only where legally required. Clients will be notified unless prohibited by law.

8. International Data Transfers (Articles 44–49 GDPR)

8.1 Overview

CyberNova is established in the EU but carries out core processing activities in Guatemala, a jurisdiction lacking an adequacy decision under Article 45 GDPR.

8.2 Legal Basis for Transfer

Transfers to Guatemala occur exclusively under:

Explicit Informed Consent – Article 49(1)(a) GDPR

By using our Services, clients:

  • explicitly consent to the international transfer of data

  • acknowledge the absence of an EU adequacy decision

  • accept the risks inherent in third-country transfers

  • authorise CyberNova to process data through secure systems located in Guatemala

8.3 Compensatory Safeguards

CyberNova applies a comprehensive set of technical and organisational safeguards, including:

  • end-to-end encryption (AES-256, TLS 1.3)

  • zero-trust access models

  • role-based access control (RBAC)

  • network segmentation

  • hardened server environments

  • SIEM-backed real-time monitoring

  • intrusion detection systems

  • encrypted backups

  • staff confidentiality and security training

8.4 Subprocessing in Third Countries

Where subprocessors operate outside the EEA, CyberNova ensures contractual protections, auditability, limited data exposure, and adherence to security requirements equivalent to EU expectations.

8.5 Withdrawal of Consent

Clients may withdraw consent for international transfers at any time.
Withdrawal may prevent CyberNova from performing Services and may require contract termination. Processing prior to withdrawal remains lawful.

9. Data Retention

Data is retained only for as long as necessary for the purposes described, including:

  • contractual relationship duration

  • accounting and tax obligations (5–7 years)

  • security logs (6–12 months)

  • technical analytical data (up to 90 days unless extended for security reasons)

  • marketing communications (12–24 months)

Upon request or at the end of retention periods, data is securely erased or anonymised.

10. Data Security

CyberNova implements advanced security measures consistent with Article 32 GDPR, NIS2, ISO/IEC 27001, ISO 27002, PCI-DSS, where applicable, NIST CSF, and Tier I–III data centre practices. Measures include:

  • encryption at rest and in transit

  • multifactor authentication

  • least-privilege access controls

  • continuous monitoring through SIEM

  • regular penetration testing

  • hardened system configurations

  • vulnerability assessments

  • disaster recovery and business continuity controls

11. Cookies and Tracking Technologies

CyberNova uses cookies and similar technologies for:

  • performance optimisation

  • visitor analytics

  • service security

  • user experience improvement

Non-essential cookies require prior consent. Users may manage preferences through browser settings or cookie banners.

12. Data Subject Rights

Under GDPR, UK GDPR, and FADP, individuals may exercise the following rights:

  • access (Art. 15)

  • rectification (Art. 16)

  • erasure (Art. 17)

  • restriction (Art. 18)

  • portability (Art. 20)

  • objection (Art. 21)

  • withdrawal of consent

  • complaint to supervisory authorities

Requests must be submitted to legal@cybernovaprotect.com.

13. Automated Decision-Making

CyberNova does not engage in automated decision-making or profiling producing legal or significant effects as defined under Article 22 GDPR.

14. Children’s Data

CyberNova’s Services are not intended for minors under 16. CyberNova does not knowingly collect children’s data.

15. Updates to This Policy

This Policy may be revised periodically to reflect operational, technical, or legal changes.
Clients will receive notice of material changes at least 48 hours before they take effect unless earlier modification is required by law.

16. Contact Details

CyberNova Legal Department
Email: legal@cybernovaprotect.com
Phone: +34 902 01 81 83
