Privacy Policy

Fortuna_Security processes personal, technical, and operational data through two channels: information you voluntarily provide, and metadata our systems automatically record to ensure platform security and service delivery.

A. Information You Provide Directly

B. Automatically Collected Technical Metadata

To enforce rate-limiting, verify authorization boundaries, and protect the platform from unauthorized access, our backend automatically records:

• IP addresses of incoming requests — stored exclusively as one-way SHA-256 hashes. Raw IP addresses are never persisted in our logs. The hash cannot be reversed to identify you.
• HTTP request metadata: user-agent strings, request paths, timestamps, and response codes — used for security monitoring and rate-limit enforcement only.
• Payloads directed at honeypot endpoints or restricted API paths — recorded for security incident investigation and law enforcement referral where applicable.
• Scan session metadata from the device assessment suite: scan type, completion timestamp, and result category (pass/warn/fail) — not linked to your identity without your explicit download action.

Where applicable under GDPR or equivalent data protection frameworks, we process your data on the following legal bases:

• Contractual Necessity: Processing required to deliver services you have purchased or enrolled in — account management, assessment delivery, course access.
• Legitimate Interests: Security monitoring, rate-limit enforcement, honeypot telemetry, and platform integrity protection — balanced against your rights and not overriding them.
• Consent: Any data processing not covered above — such as marketing communications — requires your explicit opt-in consent, which you may withdraw at any time.
• Legal Obligation: Compliance with applicable law, including mandatory disclosure to law enforcement where required by statute.

We use the data we collect for the following specific purposes and no others:

• Creating and managing student and client accounts on the platform.
• Delivering booked security assessments, penetration tests, and SOC monitoring services.
• Providing access to academy courses, lab environments, and progress tracking.
• Processing and responding to consultation bookings and career applications.
• Enforcing platform rate limits, detecting abuse, and blocking malicious access patterns.
• Maintaining security audit logs required for incident investigation and legal compliance.
• Sending transactional communications — booking confirmations, course updates, account notifications. We do not send unsolicited marketing without consent.

Fortuna_Security does not use third-party advertising cookies or cross-site tracking mechanisms. Authentication on this platform is managed through JSON Web Tokens (JWTs) — cryptographically signed, stateless tokens stored in your browser's sessionStorage.

These tokens expire after 24 hours and are not persistent across browser sessions. They contain your user ID, role, and token expiry timestamp — nothing else. They are signed with a server-side secret and cannot be forged or tampered with.

Clearing your browser storage or closing your browser session will log you out. This is by design. We do not use persistent cookies that track you across other websites.

We share data only with trusted third-party service providers who are contractually bound to process data only on our behalf and in accordance with this policy. Current categories of processors include:

• Infrastructure Hosting: The server and storage provider hosting the platform. Data is processed in the United States.
• Payment Processing: Venmo and PayPal handle all financial transactions. We receive only transaction confirmation metadata — never card numbers, bank details, or financial account information.
• Email Delivery: Transactional emails (booking confirmations, account notifications) may be routed through an SMTP provider. Email addresses are not used for advertising by these providers under our agreements.

We do not sell, rent, license, or otherwise transfer your personal data to data brokers, advertising networks, analytics companies, or any other third party for commercial purposes.

We may also disclose data in response to a valid court order, subpoena, or other lawful legal process. Where permitted by law, we will attempt to notify you of such a request before complying. We will challenge any legal demand we believe to be overbroad or unlawful.

Fortuna_Security applies the following technical and administrative controls to protect your data:

• Password Hashing: Passwords are hashed using bcrypt with a work factor of 12. Raw passwords are never stored or logged at any point.
• IP Anonymization: All IP addresses in security logs are immediately transformed to one-way SHA-256 hashes before storage. Raw IP addresses are not persisted.
• JWT Security: Authentication tokens are signed with a 64-character random secret, expire after 24 hours, and are validated on every authenticated request.
• Rate Limiting: All API endpoints are rate-limited by IP to prevent brute-force attacks and credential stuffing.
• Access Controls: Client vulnerability data, course progress records, and user profiles are isolated to individual account workspaces with role-based access enforcement.
• Transport Security: All data in transit is protected by TLS. HTTP connections are redirected to HTTPS.

You acknowledge that no internet-facing application can be guaranteed completely secure against sophisticated or coordinated exploitation. We apply industry-standard controls and disclose our security posture transparently — but we do not make absolute guarantees of imperviousness.

Technical findings, assessment outputs, network vulnerability details, and configuration weaknesses generated during security engagements are treated as strictly confidential client data. Fortuna_Security enforces the following isolation controls:

• Vulnerability findings and assessment reports are isolated to the individual client account workspace and are never shared across client environments.
• Assessment data is never aggregated into shared threat intelligence databases, anonymized research datasets, or cross-client analytics without explicit written consent.
• Engagement data is retained only for the duration required to satisfy the active contract, applicable legal obligations, and reasonable dispute resolution windows — after which it is securely deleted.

We retain data only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

To request deletion of your account and associated data, contact privacy@fortunasecurity.com. We will acknowledge your request within 5 business days and complete deletion within 30 calendar days, subject to any legal retention obligations that prevent immediate deletion.

Depending on your jurisdiction, you may have the following rights regarding your personal data. We honor these rights for all users regardless of location.

Fortuna_Security services are intended exclusively for individuals 18 years of age or older. We do not knowingly collect, solicit, or process personal information from anyone under 18. Our Terms of Service require users to confirm they meet this age requirement at account creation.

If we become aware that we have inadvertently collected personal information from a person under 18, we will delete that information from our systems within 72 hours of discovery. If you believe a minor has created an account on our platform, contact us immediately at privacy@fortunasecurity.com.

In the event of a security incident that results in unauthorized access to, disclosure of, or destruction of personal data, Fortuna_Security will:

• Contain and assess the scope of the incident within 24 hours of discovery.
• Notify affected users by email within 72 hours of confirming that personal data was compromised, in compliance with GDPR Article 33 and applicable US state breach notification laws.
• Notify relevant supervisory authorities where required by applicable law.
• Provide a public disclosure within 30 days if the breach affects a significant number of users or involves sensitive security assessment data.

Notification will include: the nature of the breach, categories of data affected, likely consequences, and steps we have taken or will take to mitigate harm.

Our platform is operated from the United States. If you are accessing our services from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA) or United Kingdom, data transfers are conducted under appropriate safeguards including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under applicable data protection law. By using our services, you acknowledge and consent to this transfer.

We reserve the right to update this Privacy Policy to reflect changes in our services, legal obligations, or data handling practices. When material changes are made, we will update the "Last Revised" date at the top of this document and notify registered users by email at least 14 days before the revised policy takes effect.

Continued use of the platform after the effective date of a revised policy constitutes acceptance of the updated terms. If you do not agree to a revised policy, you must discontinue use and may request account deletion.