Privacy Policy

1. Our Commitment to Privacy

At APOLLO CyberSentinel, protecting your privacy is fundamental to our mission and core to our product design. As a cybersecurity company dedicated to defending against nation-state threats, we understand the critical importance of data privacy and security. This commitment extends beyond mere compliance—it's built into the very architecture of our software.

Privacy by Design Principles

APOLLO CyberSentinel is built on seven foundational privacy principles:

• Proactive not Reactive - Privacy protection is built-in from the start
• Privacy as the Default - Maximum privacy protection without requiring action from you
• Local Processing - All analysis occurs on your device, not our servers
• Full Functionality - Privacy protection doesn't compromise security effectiveness
• End-to-End Security - Data protection throughout the entire system lifecycle
• Visibility and Transparency - Clear information about what data is processed and how
• Respect for User Privacy - Your privacy rights are paramount in all our decisions

2. Information We Collect and Process

2.1 Zero Telemetry Architecture

APOLLO CyberSentinel operates with zero telemetry by design. We have architected our system to provide military-grade protection without collecting personal data. Specifically, we do NOT collect:

• Personal browsing data - No web history, search queries, or browser information
• File contents or names - Files are analyzed locally without content transmission
• Usage analytics or telemetry - No tracking of software usage patterns or statistics
• Location data - No geolocation, IP address logging, or geographic tracking
• Communication content - No access to emails, messages, or communications
• Personal documents - Document content is never accessed or transmitted
• Financial information - No access to banking, payment, or financial data
• Biometric data - No collection of fingerprints, facial recognition, or biometric identifiers
• Social media activity - No monitoring of social media accounts or activity
• Device identifiers - No unique device tracking or persistent identifiers

2.2 Threat Intelligence Data Processing

For legitimate cybersecurity protection purposes, APOLLO may process the following data types locally on your device only:

2.2.1 Cryptographic Hashes

• File hashes (SHA-256) - Mathematical fingerprints of files for threat identification
• Process signatures - Cryptographic signatures of running applications
• Network connection hashes - Anonymized network activity fingerprints
• Behavioral pattern hashes - Mathematical representations of system behavior

Note: Cryptographic hashes are one-way mathematical functions that cannot be reversed to reveal original data content.

2.2.2 Network Security Indicators

• Suspicious IP addresses - Known malicious network endpoints (anonymized queries only)
• Domain patterns - Malicious domain structures without personal browsing data
• Network protocol anomalies - Unusual network behavior patterns
• Command and control indicators - Known APT communication patterns

2.2.3 System Security Data

• Operating system version - For compatibility and vulnerability assessment
• Security patch status - To identify potential system vulnerabilities
• Running process information - Process names and digital signatures (local analysis only)
• System configuration data - Security-relevant settings and configurations

2.3 Support and Service Information

When you voluntarily contact us for support, we may collect:

• Contact information - Email address, name, and other details you provide
• Support communications - Content of your support requests and our responses
• Technical logs - System logs relevant to technical issues (only with your explicit consent)
• Software version information - To provide appropriate technical assistance
• Hardware specifications - Only when relevant to resolving technical issues

2.4 Website and Service Usage

When you visit our website or use our services, we may collect:

• Server logs - Standard web server information for security and performance
• Error reports - Technical error information to improve software stability
• Update requests - Information about software update checks and downloads
• License validation - Verification of software licensing status

3. How We Use Information

3.1 Local-First Processing Philosophy

All threat analysis and protection occurs exclusively on your device. APOLLO does not send your personal data, file contents, or usage information to external servers for analysis. Our local-first approach ensures:

• Data sovereignty - Your data remains under your control at all times
• Network independence - Core protection works even without internet connectivity
• Latency optimization - Real-time protection without network delays
• Privacy preservation - No central data repository or cloud processing

3.2 Threat Intelligence Integration

We enhance protection through secure integration with threat intelligence sources:

3.2.1 Anonymous Query Mechanism

When querying external threat intelligence services:

• Only cryptographic hashes are transmitted - Never file contents or personal data
• No identifying information - Queries cannot be linked to your identity or device
• Encrypted transmission - All queries use TLS 1.3 or higher encryption
• No persistent tracking - Queries do not create permanent records

3.2.2 Government Intelligence Integration

APOLLO integrates with official government cybersecurity sources:

• CISA (Cybersecurity and Infrastructure Security Agency) - Official US government threat indicators
• FBI Cyber Division - Federal law enforcement cyber threat data
• NCSC (National Cyber Security Centre) - UK government cybersecurity intelligence
• Academic research institutions - Peer-reviewed cybersecurity research

3.3 Data Processing Purposes

We process information solely for the following legitimate purposes:

3.3.1 Cybersecurity Protection

• Detecting and preventing nation-state cyber attacks
• Identifying advanced persistent threats (APTs)
• Protecting against cryptocurrency theft and fraud
• Preventing data exfiltration and system compromise
• Blocking command and control communications

3.3.2 Software Functionality

• Providing real-time threat analysis and alerts
• Updating threat signatures and detection rules
• Maintaining software compatibility and performance
• Delivering security patches and vulnerability fixes
• Enabling user preference and configuration management

3.3.3 Legal Compliance and Safety

• Complying with applicable cybersecurity laws and regulations
• Reporting suspected criminal activity to appropriate authorities
• Protecting the security and integrity of our systems
• Defending against legal claims and ensuring compliance

4. Data Sharing and Third-Party Integrations

4.1 Threat Intelligence Service Providers

APOLLO integrates with the following threat intelligence services for enhanced protection:

4.1.1 VirusTotal (Google)

• Data shared - Only SHA-256 file hashes (no file contents)
• Purpose - Malware detection and threat classification
• Privacy protection - Hashes cannot be reversed to reveal file contents
• API limits - Rate-limited queries to prevent abuse

4.1.2 AlienVault OTX (AT&T Cybersecurity)

• Data shared - Anonymous threat indicators and IOCs
• Purpose - Community-driven threat intelligence
• Privacy protection - No personally identifiable information transmitted
• Data retention - Queries are not logged or stored

4.1.3 Shodan (Shodan LLC)

• Data shared - Network indicators and IP addresses (anonymized)
• Purpose - Network infrastructure threat assessment
• Privacy protection - Only suspicious network indicators, never personal data
• Query encryption - All queries encrypted in transit

4.1.4 Anthropic Claude AI

• Data shared - Anonymized threat patterns and behavioral indicators
• Purpose - Advanced threat analysis and classification
• Privacy protection - No personal data or file contents shared
• Processing location - Anthropic's secure cloud infrastructure

4.2 Data Sharing Restrictions

We do NOT share your personal information with:

• Advertisers or marketing companies - No commercial data sharing
• Data brokers or aggregators - No sale or licensing of personal data
• Social media platforms - No integration with social networks
• Analytics companies - No behavioral tracking or profiling
• Affiliate marketing networks - No commercial partnerships involving data sharing

4.3 Legal Disclosure Requirements

We may disclose information only in the following limited circumstances:

4.3.1 Legal Process

• Valid court orders or subpoenas
• Search warrants with appropriate legal authority
• National security letters (with applicable legal challenges)
• Regulatory investigations with proper authorization

4.3.2 Emergency Situations

• Imminent threat to life or safety
• Active cyber attacks against critical infrastructure
• Child protection and safety situations
• Prevention of serious criminal activity

4.3.3 Business Protection

• Protection of our legal rights and interests
• Enforcement of terms of service and license agreements
• Investigation of suspected fraudulent activity
• Defense against legal claims and litigation

5. Data Security and Protection Measures

5.1 Technical Security Controls

We implement comprehensive security measures to protect your information:

5.1.1 Encryption

• Data in transit - TLS 1.3 encryption for all network communications
• Data at rest - AES-256 encryption for local data storage
• Key management - Hardware security modules (HSMs) for key protection
• Certificate pinning - Protection against man-in-the-middle attacks

5.1.2 Access Controls

• Principle of least privilege - Minimal necessary access permissions
• Multi-factor authentication - Required for all administrative access
• Regular access reviews - Quarterly audits of access permissions
• Privileged access management - Monitored and logged administrative activities

5.1.3 Network Security

• Network segmentation - Isolated systems and data environments
• Intrusion detection - Real-time monitoring of network activity
• DDoS protection - Mitigation of distributed denial-of-service attacks
• Vulnerability management - Regular security assessments and patching

5.2 Organizational Security Measures

5.2.1 Personnel Security

• Background checks - Comprehensive screening of all employees
• Security training - Regular cybersecurity awareness programs
• Confidentiality agreements - Legal obligations to protect user data
• Incident response training - Prepared response to security incidents

5.2.2 Compliance and Auditing

• SOC 2 Type II compliance - Independent security audits
• ISO 27001 certification - Information security management standards
• Regular penetration testing - Third-party security assessments
• Continuous monitoring - 24/7 security operations center

6. Your Privacy Rights and Choices

6.1 Data Subject Rights (GDPR/CCPA Compliance)

You have the following rights regarding your personal information:

6.1.1 Right to Access

• Request copies of your personal data we hold
• Understand how your data is being processed
• Receive information about data sharing practices
• Access data processing logs and records

6.1.2 Right to Rectification

• Correct inaccurate or incomplete personal data
• Update your contact and account information
• Modify your communication preferences
• Ensure data accuracy and completeness

6.1.3 Right to Erasure ("Right to be Forgotten")

• Request deletion of your personal data
• Complete removal of account and usage data
• Cessation of data processing activities
• Notification to third parties about erasure requests

6.1.4 Right to Data Portability

• Receive your data in a machine-readable format
• Transfer data to another service provider
• Export your configuration and preference settings
• Obtain historical data and usage records

6.1.5 Right to Object

• Object to processing based on legitimate interests
• Opt-out of specific data processing activities
• Restrict certain types of data analysis
• Limit automated decision-making processes

6.2 Communication and Marketing Preferences

You can control various types of communications:

6.2.1 Security Notifications

• Critical security alerts - Cannot be disabled for security reasons
• Threat intelligence updates - Can be limited to high-priority threats
• Software vulnerability notices - Recommended to keep enabled
• Incident response communications - Required during active threats

6.2.2 Product Communications

• Software updates and releases - Can be set to critical updates only
• Feature announcements - Optional marketing communications
• Beta testing invitations - Opt-in basis only
• User surveys and feedback requests - Always optional

6.3 Data Control and Configuration

6.3.1 Local Data Management

• Configuration backup - Export your settings and preferences
• Threat detection logs - Review local analysis and detection history
• Whitelist management - Control trusted applications and processes
• Complete uninstallation - Remove all software and data traces

6.3.2 Intelligence Feed Controls

• Selective intelligence sources - Choose which threat feeds to use
• Query frequency limits - Control how often external sources are queried
• Anonymous mode - Enhanced privacy with reduced functionality
• Offline mode - Complete independence from external services

7. Special Privacy Considerations

7.1 Children's Privacy Protection

APOLLO CyberSentinel is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected information from a child under 13:

• We will delete the information immediately upon discovery
• We will not use the information for any purpose
• We will not disclose the information to third parties
• We will notify parents or guardians if contact information is available
• We will take steps to prevent future collection from the same source

7.2 Sensitive Data Categories

APOLLO does not intentionally collect or process sensitive personal data, including:

• Health information - Medical records, health conditions, or health data
• Financial records - Bank accounts, credit card numbers, or financial transactions
• Biometric identifiers - Fingerprints, facial recognition, or biological characteristics
• Political opinions - Political beliefs, affiliations, or voting records
• Religious beliefs - Spiritual beliefs, religious affiliations, or practices
• Sexual orientation - Personal relationships or intimate preferences
• Trade union membership - Labor organization affiliations or activities

7.3 Cryptocurrency and Financial Privacy

Given APOLLO's focus on cryptocurrency protection:

7.3.1 Wallet Protection

• No wallet access - APOLLO never accesses wallet contents or private keys
• File monitoring only - Monitors file access patterns, not financial data
• Transaction privacy - No monitoring of cryptocurrency transactions
• Address protection - Protects against clipboard hijacking without storing addresses

7.3.2 Financial Data Safeguards

• PCI DSS compliance - Payment card industry data security standards
• Financial data isolation - No integration with financial systems
• Bank account protection - Monitors for threats without accessing account data
• Investment privacy - No collection of investment or trading information

8. International Data Transfers and Compliance

8.1 Cross-Border Data Processing

As a local-first application, APOLLO processes data primarily on your device. However, limited data transfers may occur:

8.1.1 Threat Intelligence Queries

• United States - VirusTotal, Anthropic Claude (with appropriate safeguards)
• European Union - GDPR-compliant data processors only
• United Kingdom - UK GDPR and Data Protection Act compliance
• Canada - PIPEDA-compliant service providers

8.1.2 Legal Basis for International Transfers

• Adequacy decisions - Transfers to countries with adequate protection
• Standard contractual clauses - EU-approved data transfer agreements
• Binding corporate rules - Internal data protection policies
• Explicit consent - Your clear consent for specific transfers

8.2 Regional Privacy Law Compliance

8.2.1 European Union (GDPR)

• Legal basis - Legitimate interests in cybersecurity protection
• Data minimization - Processing only necessary data
• Purpose limitation - Data used only for stated purposes
• Storage limitation - Data retained only as long as necessary
• DPO appointment - Data Protection Officer for GDPR compliance

8.2.2 California (CCPA/CPRA)

• Consumer rights - Right to know, delete, and opt-out
• Sale prohibition - No sale of personal information
• Discrimination protection - No penalties for exercising privacy rights
• Sensitive information - Enhanced protection for sensitive data

8.2.3 Other Jurisdictions

• Canada (PIPEDA) - Personal Information Protection and Electronic Documents Act
• Brazil (LGPD) - Lei Geral de Proteção de Dados compliance
• Australia (Privacy Act) - Australian Privacy Principles adherence
• Japan (APPI) - Act on Protection of Personal Information compliance

9. Data Retention and Deletion

9.1 Local Data Retention

Data stored locally on your device is retained according to the following schedule:

9.1.1 Threat Detection Logs

• Retention period - 90 days for security analysis
• Automatic deletion - Logs automatically purged after retention period
• User control - Manual deletion available at any time
• Storage location - Local encrypted database only

9.1.2 Configuration Data

• Retention period - Until software uninstallation
• User preferences - Retained to maintain user experience
• Whitelist data - Retained to prevent false positives
• Export capability - Can be backed up and restored by user

9.2 Support Data Retention

Information collected through support interactions:

9.2.1 Support Communications

• Retention period - 3 years for service improvement
• Purpose limitation - Used only for support and product improvement
• Access restriction - Limited to authorized support personnel
• Anonymization - Personal identifiers removed after case closure

9.2.2 Technical Logs

• Retention period - 1 year for technical analysis
• Automatic deletion - Systematic deletion after retention period
• Aggregation - Individual data aggregated for trend analysis
• Security purposes - May be retained longer for security investigations

9.3 Data Deletion Procedures

9.3.1 User-Initiated Deletion

• Immediate deletion - Local data removed immediately upon request
• Secure deletion - Multiple-pass overwriting of sensitive data
• Verification - Confirmation provided after successful deletion
• Third-party notification - External services notified of deletion requests

9.3.2 Automatic Deletion

• Scheduled processes - Automated deletion based on retention policies
• Audit trails - Logging of deletion activities for compliance
• Recovery prevention - Secure deletion prevents data recovery
• Compliance verification - Regular audits of deletion procedures

10. Changes to This Privacy Policy

10.1 Policy Updates and Notifications

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service offerings. When we make changes:

10.1.1 Notification Methods

• Email notification - Sent to all registered users for material changes
• In-app notifications - Prominent notices within the software interface
• Website posting - Updated policy posted on our website
• Version tracking - Clear version numbers and change dates

10.1.2 Implementation Timeline

• Advance notice - 30 days notice for material changes
• Immediate effect - Technical or legal requirement changes
• Opt-out period - Time to object or discontinue service
• Grace period - Continued service under previous terms during transition

10.2 Change Categories

10.2.1 Material Changes

Changes requiring 30-day advance notice include:

• New data collection categories
• Changes to data sharing practices
• Modifications to user rights or choices
• Changes to data retention periods
• New third-party integrations

10.2.2 Non-Material Changes

Changes that take effect immediately include:

• Clarifications to existing language
• Contact information updates
• Legal compliance requirements
• Technical security improvements
• Formatting and organizational changes

11. Contact Information and Data Protection

11.1 Privacy Contacts

For privacy-related questions, concerns, or requests:

11.1.1 Data Protection Officer

• Email: [email protected]
• Subject Line: "Privacy Inquiry - [Your Topic]"
• Response Time: 72 hours for initial response
• Resolution Time: 30 days for complete resolution

11.1.2 Regional Representatives

• EU Representative: [email protected]
• UK Representative: [email protected]
• California Representative: [email protected]
• General Inquiries: [email protected]

11.2 Regulatory Authorities

You have the right to lodge complaints with relevant data protection authorities:

11.2.1 European Union

• Your local EU data protection authority
• European Data Protection Board (EDPB)
• Right to judicial remedy for data protection violations

11.2.2 United States

• Federal Trade Commission (FTC)
• State attorneys general offices
• California Privacy Protection Agency (for CCPA matters)

11.2.3 Other Jurisdictions

• Canada: Office of the Privacy Commissioner of Canada
• Australia: Office of the Australian Information Commissioner
• UK: Information Commissioner's Office (ICO)