ocalacyber.com | Client Portal (portal.ocalacyber.com)
Ocala Cyber is a cybersecurity consulting firm located in Marion County, FL, serving small businesses and home offices. This Privacy Policy describes how we collect, use, store, and protect information gathered through our website (ocalacyber.com) and our client portal (portal.ocalacyber.com).
We collect information only for the purpose of delivering our services.
When you submit the contact form on our website, we collect:
This information is processed by Netlify, Inc. (netlify.com) and delivered to Ocala Cyber by email. It is used solely to respond to your inquiry. When you submit the form, an automated confirmation email is also sent to the email address you provide. That confirmation is delivered by Resend, Inc. (resend.com), which processes your name and email address solely to send it.
The client portal requires an account. When you create an account and use the portal, we collect:
This information is required to deliver the cybersecurity services described in your Service Agreement. We do not collect payment card data, patient records, medical history, or any Protected Health Information (PHI) through the portal. See Section 7 for our HIPAA scope limitation.
If you become a client and pay an Ocala Cyber invoice online, your payment is processed by Zoho Payments (Zoho Corporation, zoho.com), the payment processor connected to our invoicing system, Zoho Books. Your payment card or bank details are entered directly with Zoho Payments and are never received, seen, or stored by Ocala Cyber. We retain only standard billing records: the invoice, the amount, the date, and the payment status. Zoho’s handling of payment data is governed by Zoho’s own privacy policy (zoho.com/privacy).
When you visit our website, we use Google Analytics 4 - a measurement service provided by Google LLC (google.com) - to understand how visitors find and use the site so we can improve it. This information is collected automatically as you browse; you do not have to submit a form for it to be gathered. It includes:
To do this, Google Analytics stores a small file called a cookie in your browser and assigns a random identifier to your visit. We use this data only to measure and improve the website in aggregate - never to advertise to you, and never to identify you personally. Google Analytics 4 does not log or store your full IP address, and we do not combine this analytics data with the personal information you provide through the contact form or client portal.
Google processes this data on our behalf and also under Google’s own privacy policy (policies.google.com/privacy), and retains it according to the period configured in our Google Analytics account. You can prevent Google Analytics from collecting your data by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout), by blocking or clearing cookies in your browser settings, or by browsing in your browser’s private/incognito mode.
If we give you a one-time check code, you can run a Security Check (Windows, Mac, WiFi, Home, or the Mobile & POS checklist) and send us the results from our check page - no account or login is required, and the code identifies the submission as yours. We collect the results tied to that code: for the scripts, read-only security-configuration findings; for the Mobile & POS checklist, the answers you select plus an optional device label and any notes you add. We do not collect your files, messages, contacts, or passwords. These submissions are stored in a private, code-protected area of our Supabase storage (see Section 3), removed once we retrieve them, and deleted within 30 days.
Client portal data - including account credentials and intake questionnaire responses - is stored in a cloud database and file storage system operated by Supabase, Inc. (supabase.com). Supabase hosts this infrastructure on Amazon Web Services (AWS) servers located in the United States. All data is transmitted over encrypted HTTPS connections. Security Check results submitted with a check code are stored in a separate, code-protected area of the same Supabase storage, reached with the one-time code rather than a login; they are removed once Ocala Cyber retrieves them and within 30 days at the latest.
Only you (via your authenticated portal account) and Ocala Cyber have access to your portal data. Supabase does not access, analyze, or share your data with any third party.
Contact form submissions are processed by Netlify, Inc. Netlify stores submissions temporarily and delivers them to Ocala Cyber by email. Netlify’s data handling is governed by Netlify’s own privacy policy (netlify.com). The automated confirmation email is delivered by Resend, Inc. Resend processes the submitted name and email address solely to deliver that confirmation, and its data handling is governed by Resend’s own privacy policy (resend.com).
Ocala Cyber uses Anthropic Claude (claude.ai) under a paid professional subscription to support service delivery, including analysis, report drafting, and research. The following practices govern how your data interacts with this tool:
Before any AI-assisted analysis runs against your engagement, Ocala Cyber captures your explicit consent at portal intake - you type your full name and check an acknowledgment box stamped with the current AI Data Handling Policy version (v1.4-2026-06). This consent is timestamped and stored in the client portal as a separate, append-only record. You may revoke consent at any time by emailing contact@ocalacyber.com; revocation halts AI tooling on future work but does not undo prior runs. Ocala Cyber’s internal Orchestrator refuses to invoke any AI-using tool against a client whose consent record is missing.
If you subscribe to one of our ongoing monitoring services (the Cyber Watch bundles), we look up publicly available information about your business domain on your behalf. Brand Watch and Domain Watch query your public domain name(s) against public DNS resolvers, WHOIS records, and TLS certificate-transparency logs to detect look-alike domains, expiring certificates, and unauthorized changes. Mail Watch receives DMARC authentication reports about your domain through a Google (Gmail) inbox; these reports contain sending-server IP addresses and domain names only, never the content of your email. Threat Watch reads public vulnerability feeds (such as the CISA and NIST catalogs) and matches them to your software list - no information about you is sent to those sources. Only your public domain name and DMARC report data are involved in monitoring; no credentials, passwords, financial data, or PHI are ever transmitted. The specific providers used for each monitoring service are listed in Section 9 and in Service Agreement Section 7.7.
The table below shows retention periods for each category of information we collect. Retention periods run from the trigger event shown, not from the date of original collection.
| Data Category | Retention Period | Action at End of Period |
|---|---|---|
| Portal intake questionnaire submissions | 30 days after final deliverable delivery | Permanently deleted from Supabase |
| Security Check submissions (results sent with a check code) | Removed when retrieved; 30 days maximum | Permanently deleted from Supabase |
| Portal account data (email, company name) | Deleted at engagement close, within 30 days | Permanently deleted from Supabase |
| Service agreements and contracts | 5 years from engagement end | Secure deletion |
| Engagement deliverables (reports, plans) | 3 years from delivery date | Secure deletion |
| Financial records (invoices, payments) | 7 years (IRS requirement) | Secure deletion |
| Website contact form submissions | Not retained by Ocala Cyber beyond email delivery; Netlify’s and Resend’s retention is governed by their own policies | N/A |
Information collected through the portal and contact form is used only to:
We do not sell, rent, or share your information with any third party for marketing purposes. We do not use your information for purposes beyond your engagement without your explicit written consent.
You have the right to:
To exercise any of these rights, submit a written request to contact@ocalacyber.com. Ocala Cyber will:
Note: Financial records required by law (7-year IRS retention period) cannot be deleted upon request.
Ocala Cyber does not collect, receive, process, transmit, or store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). Our services assess the security posture of systems and operations - not patient or health data.
The client portal does not contain fields for patient records, medical history, or any health information, and such fields will never be added. Engagements with healthcare organizations are scoped to infrastructure security, email authentication, and operational practices only. Ocala Cyber does not execute Business Associate Agreements (BAAs). See Service Agreement Section 7.8 for the full scope limitation.
We take reasonable measures to protect your information:
No method of internet transmission or electronic storage is 100% secure. While we use industry-reasonable security measures, we cannot guarantee absolute security.
The following third-party services are used in the delivery of Ocala Cyber’s services. Ocala Cyber does not share your data with any party not listed below without your prior written consent, except as required by law.
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase, Inc. (supabase.com) | Client portal database and file storage | Portal account data, intake questionnaire submissions, and Security Check submissions |
| Netlify, Inc. (netlify.com) | Website hosting and contact form processing | Contact form submissions only |
| Anthropic (anthropic.com) | AI-assisted analysis and report drafting | Anonymized (scrubbed) data only - no real client identifiers |
| Public DNS, WHOIS, and certificate-transparency lookup services | Domain monitoring (Brand Watch, Domain Watch) | Your public business domain name(s) only |
| Google LLC (Gmail / google.com) | Email authentication monitoring (Mail Watch) - DMARC report intake | DMARC report data (sending IP addresses and domains); no email content |
| Google LLC (Google Analytics / google.com) | Website traffic analytics - measuring how visitors use ocalacyber.com | Anonymous website usage data: pages viewed, approximate (city-level) location, device and browser type, and referral source, set via cookies. No full IP address, name, or contact information. |
| Resend, Inc. (resend.com) | Automated email delivery (contact form confirmation emails) | Name and email address submitted through the contact form |
| Zoho Corporation (zoho.com) | Invoicing and online payment processing (Zoho Books and Zoho Payments) | Billing contact details and payment information; card and bank details are entered directly with Zoho Payments and are never stored by Ocala Cyber |
We may update this Privacy Policy to reflect changes in our data practices or applicable law. When we do, we will update the “Last Reviewed” date at the top of this document. Material changes will be communicated to active clients by email at the address on file.
Questions about this Privacy Policy or your data?