RedRadar Technologies Privacy Statement

---

Last updated: April 2026

This Privacy Statement explains how RedRadar Technologies Ltd. ("RedRadar") and EPCYBER LLC ("EPCYBER") collect, use, and protect personal data when you visit our websites, contact us, subscribe to our blog, purchase or attend training, or engage with us as a client, partner, or candidate.

RedRadar and EPCYBER are separate companies under common leadership. Each acts as an independent data controller for the activities it operates, and we describe below which entity is responsible in each context. Where we process personal data jointly, we identify ourselves as joint controllers and explain what that means for you.

This Statement is written to be read in plain language. It does not replace contractual terms that may apply to specific services (for example, training enrollment terms or platform Master Services Agreements). Where those terms address data handling, they take precedence over this Statement for the activities they cover.

RedRadar Technologies Ltd. Tel Aviv, Israel 

RedRadar operates redradar.ai website and provides the RedRadar OSINT platform and the VAULT intelligence engine to government, defense, and selected enterprise clients.

EPCYBER LLC Privacy contact: privacy@epcyber.com

EPCYBER operates the epcyber.com website and provides training and professional services to government, defense, and corporate clients.

This Statement covers personal data we process about:

• Visitors to redradar.ai and epcyber.com
• People who subscribe to the EPCYBER blog or other RedRadar/EPCYBER mailing lists
• People who purchase, register for, or attend EPCYBER training
• People who contact us by email, web form, or other channels
• Personnel of our clients, prospective clients, partners, and suppliers
• Attendees at events we host or co-host
• Job applicants and candidates
• People referenced in publicly available sources we use for business development

This Statement does not cover the data that flows through the RedRadar platform when our clients use it to conduct open-source intelligence work. When a client uses RedRadar to collect, query, or analyze information, the client is the data controller for that activity. RedRadar acts as a data processor or service provider on the client's behalf, under the terms of our contract with that client. 

The client's own privacy policies, lawful basis for processing, and data protection obligations govern that activity. See Section 11 (Platform use by clients) for more detail. This distinction is important. A request to access or delete information that may exist inside a client's environment on the RedRadar platform should be directed to that client, not to RedRadar.

We collect different categories of personal data depending on how you interact with us. The lists below describe each category, the purpose for which we use it, and our lawful basis under the GDPR / UK GDPR. Lawful bases under the Israeli Privacy Protection Law and US state laws are addressed in Sections 13–15.

Data collected: device and browser identifiers, pages visited, referral URL, approximate location derived from IP, and cookie identifiers. See Section 17 (Cookies) for detail.

Purpose: To operate, secure, and improve our websites; to analyze traffic patterns; to detect abuse; to improve your user experience.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in operating a secure, functional website and understanding how it is used. Where required by law, we obtain your consent before placing non-essential cookies.

Controller: EPCYBER.

Data collected: Email address, any name or organization-associated data (such as the domain of your email). We also record subscription date, and engagement data such as whether emails were opened or links clicked.

Purpose: To send you the blog content you subscribed to, related EPCYBER training updates, and occasional notices about EPCYBER and RedRadar offerings that may be relevant to your professional role. To measure engagement and improve content.

Lawful basis (GDPR/UK GDPR): Your consent, given when you subscribed. You may withdraw consent at any time using the unsubscribe link in any email or by writing to privacy@epcyber.com. We do not sell or rent subscriber lists, and we do not share email addresses with advertising networks or any third parties.

Controller: EPCYBER.

Data collected (where and when available):

• Identification and contact data: name, email, country of residence, professional title and employer.
• Enrollment data: courses purchased or enrolled in.
• Payment data: billing name, telephone, billing address, country of residence, buyer email, and payment identifiers. Full payment card details are collected and processed only and directly by our payment processor (currently PayPal); EPCYBER does not have visibility to any financial PII and does not store any.
• Communications: correspondence between you and EPCYBER about your training, questions, requests, access, support.

Purpose: To enroll you, deliver the training, issue certificates, process payment, comply with our tax and accounting obligations, and respond to your questions. 

Lawful basis (GDPR/UK GDPR):

• Performance of a contract with you (or steps taken at your request prior to entering one), agreeing to terms on epcyber.com/terms where you purchase or enroll in training directly.
• Our legitimate interest in delivering training that has been arranged through your employer or a sponsoring organization, where the contractual relationship is between us and that organization.
• Compliance with legal obligations (tax, accounting, anti-fraud, export control where applicable).
• Your explicit consent for any processing of special-category data such as security clearance information.

We retain training records as described in Section 9.

Controller: RedRadar or EPCYBER, depending on the inbox or form used.

Data collected: Name, email address, employer, role, and the contents of your message and any attachments. If you request a demo or platform evaluation, we may also collect information about your organization's role, mission, jurisdiction, and intended use case.

Purpose: To respond to your inquiry, evaluate fit, and (where applicable) progress a procurement, partnership, or media engagement.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in responding to inquiries and developing business relationships, and steps taken at your request prior to entering a contract.

We may keep your contact information on file after the initial exchange so we can resume the conversation if you re-engage. If you would prefer we delete your details, write to us.

Controller: RedRadar or EPCYBER, depending on which entity holds the contract.

Data collected: Names, contact details, professional roles, and correspondence of individuals at our client organizations who interact with us as users, project leads, procurement contacts, legal counsel, or otherwise. Contract documentation, invoices, and account records.

Purpose: To establish and manage the contractual relationship; to deliver the platform, training, or services; to issue invoices and process payments; to provide support; to comply with legal and regulatory obligations including export control screening; to enforce our agreements; and to maintain account records.

Lawful basis (GDPR/UK GDPR): Performance of a contract; legitimate interest in managing a commercial relationship; compliance with legal obligations. This category does not include data that clients process inside the RedRadar platform in the course of intelligence work. That data is governed by Section 11.

Controller: RedRadar.

Data collected: Name, professional role, employer, public professional contact information (LinkedIn URL, business email where publicly listed), and notes on relevance to our work.

Purpose: To identify organizations and individuals to whom our offering may be relevant and to make initial outreach.

Lawful basis (GDPR/UK GDPR): Our legitimate interest in business development. Where required by applicable law, we limit such outreach to recipients in their professional capacity at organizations whose mission aligns with ours. You can object to this processing at any time by writing to us.

Controller: RedRadar or EPCYBER, depending on the event host.

Data collected: Registration details, attendance, and (where applicable) recordings. We will tell you in advance if a session is being recorded.

Purpose: To deliver the event, follow up afterward, take notes, and improve future events for attendees.

Lawful basis (GDPR/UK GDPR): Performance of a contract (your registration), our legitimate interest in operating educational events, and consent for any optional uses such as inclusion in promotional material.

Controller: RedRadar

Data collected: As described in our Candidate Privacy Notice. In summary: identification and contact data, CV / résumé, application materials, interview notes, references, and (where the role and jurisdiction require) background check results and right-to-work documentation.

Purpose: To assess your application and, if you are hired, to onboard you.

Lawful basis (GDPR/UK GDPR): Steps taken at your request prior to entering a contract, our legitimate interest in evaluating candidates, and compliance with legal obligations.

We collect personal data:

• Directly from you, when you visit our sites, fill in a form, write to us, subscribe to the blog, register for training, attend an event, or apply for a role or any similar direct or indirect form of engagement with us, our digital assets or infrastructure.
• Automatically, through cookies and similar technologies on our websites (see Section 17).
• From your employer or sponsoring organization, when training is purchased or arranged by yourself or on your behalf.
• From service providers and partners who help us run our business (for example, payment processors, training delivery platforms, identity verification providers or other involved in any business operations or maintenance process).
• From public sources, including company websites, professional networks, regulatory filings, and other publicly available material, in connection with business development and client/partner due diligence.

We use personal data to:

• Operate, secure, and improve our websites for you.
• Send blog content, training updates, and other communications people have asked to receive.
• Deliver training, issue certifications, and process related payments.
• Respond to inquiries and progress potential client, partner, and media relationships.
• Manage contractual relationships with clients, suppliers, and partners, potential leads, and prospects.
• Identify prospective clients and make initial business outreach.
• Operate events.
• Recruit and assess job candidates.
• Comply with legal, regulatory, tax, accounting, anti-fraud, and export-control obligations.
• Establish, exercise, and defend legal claims, and enforce our agreements.
• Protect the rights, property, and safety of RedRadar, EPCYBER, our personnel, our clients, and others.

We do not use personal data to train any third-party AI or large language model. We do not sell personal data. We do not engage in cross-context behavioral advertising. We do not share personal data with advertising networks for targeting purposes.

We share personal data only where necessary, and only with recipients who are bound by appropriate confidentiality and data protection obligations. Recipients fall into the following categories:

• Between RedRadar and EPCYBER, where it is necessary to operate our shared functions (for example, central legal, finance, and IT support). We treat these transfers as transfers between separate controllers and document them accordingly.
• Service providers (processors) who act on our instructions: hosting and infrastructure, email delivery, blog and CRM platforms, training delivery platforms, payment processors, identity verification, accounting and tax advisors, professional services firms, and similar. A current list of material sub-processors is available on request.
• Professional advisors, including lawyers, auditors, and insurers, where needed.
• Government and regulatory authorities, where we are required by law to disclose information, including in response to lawful court orders, regulatory inquiries, tax reporting, and export-control screening.
• A successor entity, in the event of a merger, acquisition, investment, financing, restructuring, or sale of all or part of our business. We will inform affected individuals where required by law.
• Other parties at your direction or with your consent, including (for training) your employer or sponsoring organization where they have purchased or arranged your training.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

RedRadar is established in Israel. EPCYBER is established in Miami, Florida, USA. Our service providers are located in Israel, EU, UK, US. As a result, your personal data may be transferred to, stored in, and processed in countries other than the one in which you live (storage servers, cloud providers, third party hosting infrastructure, applications, platforms).

When we transfer personal data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we put in place appropriate safeguards. These typically include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss equivalents, supplemented where necessary by additional technical and organizational measures.

For transfers from Israel, we comply with the cross-border transfer requirements of the Israeli Privacy Protection Law and the regulations issued under it. If you are a RedRadar client, you may request a copy of the safeguards we use by writing to us.

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, exposure, leakage or destruction. These include access controls based on least privilege, encryption in transit and (where appropriate) at rest, infrastructure hardening, logging and monitoring, employee confidentiality obligations, vendor due diligence, and an incident response process.

However, since we rely on third party products for communication, delivery of training, delivery of platform access and other functions relevant for business operations, we cannot directly or indirectly control those third party vendors (e.g., cloud providers, site hosting, data storage and others) from being breached, compromised, or targeted (that includes your data). No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your information, we will notify the relevant supervisory authorities and affected individuals where required by applicable law and within the timeframes those laws specify.

We keep personal data only as long as we need it for the purposes described in this Statement, plus any additional period required to:

• Comply with legal, tax, accounting, and regulatory obligations.
• Establish, exercise, or defend legal claims.
• Honor our internal record-keeping and audit requirements.

Indicative retention periods (the numbers are approximate):

• Blog subscriber data: Until you unsubscribe, then deleted within 60 days, except for a suppression record retained to ensure we do not contact you again.
• Demo and inquiry contacts: Up to 24 months from the last interaction, unless you re-engage or show interest to re-engage directly or indirectly.
• Training records (enrollment, attendance, assessments, certifications): up to 7 years from the date of the training, to support certification verification and comply with tax and accounting requirements.
• Payment and billing records: up to 7 years, to comply with tax law.
• Client contractual records: Term of the contract plus up to 7 years.
• Job applicant data (unsuccessful candidates): 12-24 months, then deleted unless you ask us to keep it on file longer.
• Event recordings: 12-24 months unless retained as part of a course or program.
• Website analytics and security logs: 12-24 months. 

These periods are indicative and may be longer where required by law or shorter where the purpose has been fulfilled. Specific retention is documented in our internal data retention schedule, which is available to supervisory authorities on request.

Depending on where you live and which laws apply, you may have rights in relation to your personal data, including:

• The right to access your personal data and obtain information about how it is processed.
• The right to correct inaccurate or incomplete personal data.
• The right to delete your personal data, subject to legal exceptions.
• The right to restrict or object to certain processing, including processing for direct marketing.
• The right to data portability, where it applies.
• The right to withdraw consent at any time, only where processing is based on consent.

You can exercise these rights by writing to us (or privacy@epcyber.com for EPCYBER-specific requests). We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request, and we may decline or limit a request where the law allows us to do so — for example, where granting it would conflict with the rights of others, expose confidential information, or undermine an active legal claim. 

Our websites and services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

This section supplements the rest of the Statement for individuals protected by the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection.

Lawful bases. The lawful bases on which we rely are identified in Section 3 for each processing activity.

Right to object to processing based on legitimate interests. You may object to processing of your personal data that we carry out on the basis of our legitimate interests. Where you object, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is needed to establish, exercise, or defend legal claims.

Right to object to direct marketing. You can object to direct marketing at any time, and we will stop. Unsubscribe links are included in every marketing email.

Automated decision-making. We do not make decisions producing legal or similarly significant effects on you based solely on automated processing.

This section supplements the rest of the Statement for individuals protected by the Israeli Privacy Protection Law, 5741-1981 ("PPL") and the regulations issued under it.

Identity of the database owner. RedRadar Technologies Ltd. is the owner of the databases containing the personal data described in this Statement that it controls. EPCYBER LLC is the owner of the databases containing the personal data it controls. 

Provision of data. You are not under a legal obligation to provide your personal data to us. However, in some cases (for example, completing a training enrollment, processing a payment, or entering into a contract), we will not be able to provide the relevant service if you do not provide the fundamental data required for it.

Your rights under the PPL. You have the right to access the personal data we hold about you, to request correction or deletion, and to object to the use of your data for direct marketing. Requests should be sent to us.

Direct marketing. Where we send direct marketing under Section 30A of the Communications Law (Bezeq and Broadcasts), 1982, we will identify the message clearly, provide an opt-out, and honor opt-out requests promptly.

This section applies to individuals who are residents of US states whose comprehensive consumer privacy laws apply to RedRadar or EPCYBER, including (as applicable) California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.

Categories of personal information we collect. As described in Section 3. In the categories used by the California Consumer Privacy Act:

• Identifiers (e.g., name, email, country / city of residence based on IP address)
• Customer records information (e.g., billing address, payment identifiers)
• Commercial information (e.g., training purchased)
• Internet or network activity (e.g., website interactions)
• Professional or employment information
• Education information (training and certification records)
• Audio and visual information (e.g., event recordings, Zoom sessions where applicable)
• Inferences drawn from the above
• Sensitive personal information, limited to government identifiers used solely for identity verification where required for specific training programs (domain names, corporate email addresses).

Sources, purposes, and recipients. As described in Sections 3, 5, and 6.

Sale and sharing. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California and other US state privacy laws. We do not knowingly sell or share the personal information of consumers under 16.

Your rights. Subject to verification and statutory exceptions, you have the right to:

• Know what personal information we have collected, used, disclosed, and (if applicable) sold or shared.
• Request a copy of your personal information in a portable format.
• Request correction of inaccurate personal information.
• Request deletion of your personal information.
• Opt out of any sale or sharing for cross-context behavioral advertising (not applicable to us, but the right is available).
• Limit the use and disclosure of sensitive personal information (California).
• Appeal a denial of a rights request (Colorado, Connecticut, Virginia, and others).
• Not be discriminated against for exercising any of these rights.

How to exercise rights. Email us with the subject line "US Privacy Request" and identify the right you wish to exercise. We may ask you for information necessary to verify your identity. You may use an authorized agent; we may require proof of authorization.

Our records about clients, prospects, and individuals identified through public sources may include information whose disclosure would compromise legal claims, contractual confidentiality, security, or the rights and freedoms of third parties. Where applicable law allows us to do so, we may redact or withhold information from a response on these grounds, and we will explain the reason. Requests will not be denied on these grounds where the law does not permit it.

Our websites use cookies and similar technologies for the following purposes:

• Strictly necessary cookies, which are required for the site to function (for example, to remember a cookie preference).
• Analytics cookies, which help us understand how people use our sites. Where required by law, these are set only with your consent.
• We do not use advertising or cross-site tracking cookies.

You can control cookies through your browser settings and through the cookie banner on our sites. A more detailed Cookies Notice is available at redradar.ai

We may update this Statement from time to time. The "Last updated" date at the top of the page shows when the most recent change was made. Where a change materially affects how we process your personal data, we will notify you in advance by email or by a notice on our websites, where required by law.