Privacy Policy

Last updated: May 22, 2026

CyberStudy ("we", "us") is a free, web-based study tool for Cisco and CompTIA networking certifications, operated by Will Hertz as a sole proprietor doing business as CyberStudy. This policy explains what information we collect, how we use it, who we share it with, and what choices you have. We aim to collect as little as possible and to be transparent about all of it.

Operator note: The contact section currently lists only an email address. A postal mailing address is required for full GDPR Article 13 and CCPA Section 1798.130 compliance and must be added before submitting to Google OAuth Production verification. Update privacy.html and terms.html with the address before launching to real users.

1. Who we are

Operator: Will Hertz, sole proprietor, doing business as CyberStudy.
Service: https://cyberstudy.io
Contact: whertz0215@gmail.com

All privacy questions, data access requests, deletion requests, and complaints should be sent to the email above. We aim to respond within 30 days (often much sooner).

2. What we collect

2.1 Account information

When you create an account, we collect:

Email address. Used to identify your account and to send transactional messages (password reset).
Display name. Used to greet you in the interface.
Username. Auto-generated from your email, used for sign-in.
Password (hashed only). If you sign up with a password, we store a bcrypt hash. We never store or see your plaintext password.
Google account identifier ("sub"). If you sign in with Google, we receive a stable identifier from Google plus your email and name (the standard OpenID Connect scopes: openid, email, profile). We do not request or receive contacts, calendar, Drive, or any other Google data.

2.2 Study state

While you use CyberStudy, we store:

Which questions you've answered and which you got right.
Notes and highlights you create on Learn-mode topics.
Final exam attempts and scores.
Which certification track you're studying (CCNA, CCNP, etc).

All of this stays in your account and syncs across your devices when you sign in. If you use the site without signing in, study state is kept only in your browser's localStorage and never sent to us.

2.3 Server logs

Our server records standard web request logs: IP address, timestamp, request path, response status. These are kept for operational debugging (typically ~14 days) and are not used for advertising or profiling.

2.4 What we do NOT collect

We do not use analytics services (no Google Analytics, no Mixpanel, no Plausible, etc).
We do not use advertising trackers or cookies.
We do not sell, rent, or share personal information for advertising.
We do not use automated decision-making or profiling that produces legal or similarly significant effects.

3. How we use information

We use the information above to:

Provide the service (let you sign in, save your progress, sync across devices).
Send transactional emails when you request a password reset.
Maintain operational logs for debugging and security.
Respond to your privacy requests (access, deletion, correction).

We do not use your information for advertising, profiling, or sale to third parties.

4. Who we share with (sub-processors)

We rely on a small number of service providers ("sub-processors") to operate CyberStudy. They are limited to operational roles and contractually bound to keep your data confidential.

DigitalOcean, LLC — hosts our database server (located in the U.S.). Receives all data needed to run the application.
Google LLC — provides Google Sign-In. If you choose to sign in with Google, Google receives the standard OAuth request and returns your account info. Google's privacy policy applies to their handling of that data.
Resend (Plus Five Five Inc.) — sends transactional emails (password reset only). Receives your email address and the message contents at send time.
Cloudflare, Inc. — provides DNS for our domain. Does not proxy our traffic and does not receive user account data.

5. Where data is stored

All user data is stored on a server located in New York, United States, operated by DigitalOcean. We do not transfer data outside the U.S. except where required to deliver a service you've requested (e.g., a password reset email passes through Resend's infrastructure).

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with restricted cross-border data transfer rules, please note that by using the service you consent to your data being stored in the United States.

6. How long we keep data

Account data: kept while your account is active.
Deleted accounts: when you delete your account, we soft- delete it immediately (your account becomes inaccessible) and hard-delete it within 30 days. After hard-deletion, your data cannot be recovered.
Server logs: approximately 14 days.
Password reset tokens: 30 minutes from creation.
Database backups: daily snapshots retained for 14 days; weekly snapshots retained for 8 weeks.

7. Your rights

7.1 For everyone

Access: you can request a copy of all personal information we hold about you.
Deletion: you can delete your account from the Account page, or by emailing us. Deletion is final after the 30-day grace window.
Correction: you can correct your name from the Account page, or email us to correct other fields.
Export: you can request your data in a portable format (JSON).

7.2 If you are in California (CCPA / CPRA)

California residents have the rights above and may also:

Request the categories and specific pieces of personal information we've collected about you in the preceding 12 months (or, on request, back to January 1, 2022 if applicable).
Opt out of "sale" or "sharing" of personal information. (We do not sell or share personal information for cross-context behavioral advertising. Opt-out is therefore not applicable, but you may submit a request and we will confirm.)
Direct us to limit our use of any sensitive personal information. (We do not collect sensitive personal information as defined by CPRA.)
Be free from retaliation for exercising any of these rights.

7.3 If you are in the EU or UK (GDPR / UK GDPR)

EU and UK residents have the rights above and may also:

Object to processing, restrict processing, or withdraw consent.
Receive your data in a structured, machine-readable format (data portability).
Lodge a complaint with your local data protection authority.

Our legal basis for processing is (a) performance of a contract (providing the study tool you signed up for) and (b) your consent for optional processing such as Google sign-in.

8. Security

We use HTTPS for all connections, store passwords using bcrypt hashing, keep our server software up to date, and limit access to the production database to the operator only. No system is perfectly secure; if we discover a breach affecting your data, we will notify you within 72 hours where required by law.

9. Children's privacy

CyberStudy is intended for users aged 16 and over. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created an account, please email us and we will delete it.

10. Cookies and similar technologies

We use localStorage to store your authentication token and study progress in your own browser. We do not set tracking cookies. We do not use third-party advertising cookies.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. For material changes, we will notify signed-in users by email.

12. Contact

Privacy questions, requests, or complaints: whertz0215@gmail.com