PRIVACY POLICY

ocalacyber.com  |  Client Portal (portal.ocalacyber.com)

Effective Date: June 2026  |  Last Reviewed: 6/15/26  |  Reviewed by: Sidney Wilson

Section 1 - Who We Are

Ocala Cyber is a cybersecurity consulting firm located in Marion County, FL, serving small businesses and home offices. This Privacy Policy describes how we collect, use, store, and protect information gathered through our website (ocalacyber.com) and our client portal (portal.ocalacyber.com).

Owner and Data Controller: Sidney Wilson  |  Ocala Cyber
contact@ocalacyber.com  |  (352) 327-8056  |  Marion County, FL

Section 2 - What Information We Collect

We collect information only for the purpose of delivering our services.

2.1  Website Contact Form (ocalacyber.com)

When you submit the contact form on our website, we collect:

This information is processed by Netlify, Inc. (netlify.com) and delivered to Ocala Cyber by email. It is used solely to respond to your inquiry. When you submit the form, an automated confirmation email is also sent to the email address you provide. That confirmation is delivered by Resend, Inc. (resend.com), which processes your name and email address solely to send it.

2.2  Client Portal (portal.ocalacyber.com)

The client portal requires an account. When you create an account and use the portal, we collect:

This information is required to deliver the cybersecurity services described in your Service Agreement. We do not collect payment card data, patient records, medical history, or any Protected Health Information (PHI) through the portal. See Section 7 for our HIPAA scope limitation.

2.3  Invoices and Payments

If you become a client and pay an Ocala Cyber invoice online, your payment is processed by Zoho Payments (Zoho Corporation, zoho.com), the payment processor connected to our invoicing system, Zoho Books. Your payment card or bank details are entered directly with Zoho Payments and are never received, seen, or stored by Ocala Cyber. We retain only standard billing records: the invoice, the amount, the date, and the payment status. Zoho’s handling of payment data is governed by Zoho’s own privacy policy (zoho.com/privacy).

2.4  Website Analytics & Cookies (ocalacyber.com)

When you visit our website, we use Google Analytics 4 - a measurement service provided by Google LLC (google.com) - to understand how visitors find and use the site so we can improve it. This information is collected automatically as you browse; you do not have to submit a form for it to be gathered. It includes:

To do this, Google Analytics stores a small file called a cookie in your browser and assigns a random identifier to your visit. We use this data only to measure and improve the website in aggregate - never to advertise to you, and never to identify you personally. Google Analytics 4 does not log or store your full IP address, and we do not combine this analytics data with the personal information you provide through the contact form or client portal.

Google processes this data on our behalf and also under Google’s own privacy policy (policies.google.com/privacy), and retains it according to the period configured in our Google Analytics account. You can prevent Google Analytics from collecting your data by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout), by blocking or clearing cookies in your browser settings, or by browsing in your browser’s private/incognito mode.

2.5  Security Check Submissions (portal.ocalacyber.com/check/device)

If we give you a one-time check code, you can run a Security Check (Windows, Mac, WiFi, Home, or the Mobile & POS checklist) and send us the results from our check page - no account or login is required, and the code identifies the submission as yours. We collect the results tied to that code: for the scripts, read-only security-configuration findings; for the Mobile & POS checklist, the answers you select plus an optional device label and any notes you add. We do not collect your files, messages, contacts, or passwords. These submissions are stored in a private, code-protected area of our Supabase storage (see Section 3), removed once we retrieve them, and deleted within 30 days.

Section 3 - How We Store Your Information

3.1  Client Portal Data

Client portal data - including account credentials and intake questionnaire responses - is stored in a cloud database and file storage system operated by Supabase, Inc. (supabase.com). Supabase hosts this infrastructure on Amazon Web Services (AWS) servers located in the United States. All data is transmitted over encrypted HTTPS connections. Security Check results submitted with a check code are stored in a separate, code-protected area of the same Supabase storage, reached with the one-time code rather than a login; they are removed once Ocala Cyber retrieves them and within 30 days at the latest.

Only you (via your authenticated portal account) and Ocala Cyber have access to your portal data. Supabase does not access, analyze, or share your data with any third party.

3.2  Website Contact Form Data

Contact form submissions are processed by Netlify, Inc. Netlify stores submissions temporarily and delivers them to Ocala Cyber by email. Netlify’s data handling is governed by Netlify’s own privacy policy (netlify.com). The automated confirmation email is delivered by Resend, Inc. Resend processes the submitted name and email address solely to deliver that confirmation, and its data handling is governed by Resend’s own privacy policy (resend.com).

3.3  AI Tools

Ocala Cyber uses Anthropic Claude (claude.ai) under a paid professional subscription to support service delivery, including analysis, report drafting, and research. The following practices govern how your data interacts with this tool:

Before any AI-assisted analysis runs against your engagement, Ocala Cyber captures your explicit consent at portal intake - you type your full name and check an acknowledgment box stamped with the current AI Data Handling Policy version (v1.4-2026-06). This consent is timestamped and stored in the client portal as a separate, append-only record. You may revoke consent at any time by emailing contact@ocalacyber.com; revocation halts AI tooling on future work but does not undo prior runs. Ocala Cyber’s internal Orchestrator refuses to invoke any AI-using tool against a client whose consent record is missing.

3.4  Continuous Monitoring Services

If you subscribe to one of our ongoing monitoring services (the Cyber Watch bundles), we look up publicly available information about your business domain on your behalf. Brand Watch and Domain Watch query your public domain name(s) against public DNS resolvers, WHOIS records, and TLS certificate-transparency logs to detect look-alike domains, expiring certificates, and unauthorized changes. Mail Watch receives DMARC authentication reports about your domain through a Google (Gmail) inbox; these reports contain sending-server IP addresses and domain names only, never the content of your email. Threat Watch reads public vulnerability feeds (such as the CISA and NIST catalogs) and matches them to your software list - no information about you is sent to those sources. Only your public domain name and DMARC report data are involved in monitoring; no credentials, passwords, financial data, or PHI are ever transmitted. The specific providers used for each monitoring service are listed in Section 9 and in Service Agreement Section 7.7.

Section 4 - How Long We Keep Your Information

The table below shows retention periods for each category of information we collect. Retention periods run from the trigger event shown, not from the date of original collection.

Data CategoryRetention PeriodAction at End of Period
Portal intake questionnaire submissions30 days after final deliverable deliveryPermanently deleted from Supabase
Security Check submissions (results sent with a check code)Removed when retrieved; 30 days maximumPermanently deleted from Supabase
Portal account data (email, company name)Deleted at engagement close, within 30 daysPermanently deleted from Supabase
Service agreements and contracts5 years from engagement endSecure deletion
Engagement deliverables (reports, plans)3 years from delivery dateSecure deletion
Financial records (invoices, payments)7 years (IRS requirement)Secure deletion
Website contact form submissionsNot retained by Ocala Cyber beyond email delivery; Netlify’s and Resend’s retention is governed by their own policiesN/A

Section 5 - How We Use Your Information

Information collected through the portal and contact form is used only to:

We do not sell, rent, or share your information with any third party for marketing purposes. We do not use your information for purposes beyond your engagement without your explicit written consent.

Section 6 - Your Rights

You have the right to:

To exercise any of these rights, submit a written request to contact@ocalacyber.com. Ocala Cyber will:

Note: Financial records required by law (7-year IRS retention period) cannot be deleted upon request.

Section 7 - HIPAA and Protected Health Information

Ocala Cyber does not collect, receive, process, transmit, or store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). Our services assess the security posture of systems and operations - not patient or health data.

The client portal does not contain fields for patient records, medical history, or any health information, and such fields will never be added. Engagements with healthcare organizations are scoped to infrastructure security, email authentication, and operational practices only. Ocala Cyber does not execute Business Associate Agreements (BAAs). See Service Agreement Section 7.8 for the full scope limitation.

Section 8 - Security

We take reasonable measures to protect your information:

No method of internet transmission or electronic storage is 100% secure. While we use industry-reasonable security measures, we cannot guarantee absolute security.

Section 9 - Third-Party Services

The following third-party services are used in the delivery of Ocala Cyber’s services. Ocala Cyber does not share your data with any party not listed below without your prior written consent, except as required by law.

ServicePurposeData Shared
Supabase, Inc. (supabase.com)Client portal database and file storagePortal account data, intake questionnaire submissions, and Security Check submissions
Netlify, Inc. (netlify.com)Website hosting and contact form processingContact form submissions only
Anthropic (anthropic.com)AI-assisted analysis and report draftingAnonymized (scrubbed) data only - no real client identifiers
Public DNS, WHOIS, and certificate-transparency lookup servicesDomain monitoring (Brand Watch, Domain Watch)Your public business domain name(s) only
Google LLC (Gmail / google.com)Email authentication monitoring (Mail Watch) - DMARC report intakeDMARC report data (sending IP addresses and domains); no email content
Google LLC (Google Analytics / google.com)Website traffic analytics - measuring how visitors use ocalacyber.comAnonymous website usage data: pages viewed, approximate (city-level) location, device and browser type, and referral source, set via cookies. No full IP address, name, or contact information.
Resend, Inc. (resend.com)Automated email delivery (contact form confirmation emails)Name and email address submitted through the contact form
Zoho Corporation (zoho.com)Invoicing and online payment processing (Zoho Books and Zoho Payments)Billing contact details and payment information; card and bank details are entered directly with Zoho Payments and are never stored by Ocala Cyber

Section 10 - Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices or applicable law. When we do, we will update the “Last Reviewed” date at the top of this document. Material changes will be communicated to active clients by email at the address on file.

Section 11 - Contact

Questions about this Privacy Policy or your data?

Sidney Wilson  |  Ocala Cyber
contact@ocalacyber.com  |  (352) 327-8056  |  ocalacyber.com
Marion County, FL