Privacy Policy

1. Introduction and data controller

SevenCyber is a cybersecurity company providing governance, risk and compliance (GRC), managed security, threat detection, and advisory services. For the purposes of UU PDP, SevenCyber acts as the Data Controller (Pengendali Data Pribadi) that determines the purposes and means of processing your personal data.

We operate from offices in Jakarta and Tangerang (Indonesia) and Kuala Lumpur (Malaysia). If you have any questions about this policy or how we handle your data, contact us at contact@sevencyber.io.

2. Personal data we collect

We only collect personal data that is relevant and necessary for the purposes described in this policy. Depending on how you interact with us, this may include:

• Identity and contact data — your name, company, job title, business email address, and phone number when you submit our contact form or request a service or assessment.
• Cyber Maturity Assessment data — the responses and resulting scores you provide when using our self-assessment tool.
• Technical and usage data — IP address, browser and device type, operating system, referring pages, and how you navigate the site, collected through essential logs and, with your consent, analytics.
• Communications — the content of messages you send us and our related correspondence.
• Consent records — your cookie and processing choices, stored with a timestamp, policy version, and a unique proof identifier.

We do not intentionally collect specific personal data (such as health, biometric, or financial-account data) through this website.

3. How we collect your data

• Directly from you — when you complete a form, request an assessment, email us, or otherwise communicate with us.
• Automatically — through cookies and similar technologies as you use the website (see Section 5).
• From your device — technical data generated by your browser and network when you access our services.

4. Purposes and legal basis

We process your personal data for the following purposes and on the following legal bases recognised under UU PDP:

• To respond to your enquiries and provide the services or assessments you request — necessary to enter into or perform a contract with you.
• To operate, maintain, secure, and improve the reliability of our website — our legitimate interest in running a safe and functional service.
• To analyse how the site is used so we can improve it — based on your consent (analytics).
• To send you relevant updates and measure our campaigns — based on your consent (marketing).
• To comply with applicable laws and regulatory obligations, including UU PDP and financial-sector requirements — necessary for compliance with a legal obligation.

5. Cookies and similar technologies

We use cookies and similar technologies in three categories:

• Essential — required for security and core site functionality; always active and cannot be switched off.
• Analytics — help us understand site usage; loaded only after you give consent.
• Marketing — support personalised content and campaign measurement; loaded only after you give consent.

You can review or change your choices at any time using the Privacy Settings (the gear icon at the bottom of the page). Withdrawing consent does not affect processing already carried out before withdrawal.

6. How we share your data

We do not sell your personal data. We may share it only as necessary with:

• Service providers (data processors) — such as hosting, email delivery, and analytics providers, who act on our instructions under appropriate agreements.
• Professional advisers — such as auditors and legal counsel, where necessary.
• Authorities and regulators — where required by law, regulation, or valid legal process.
• Parties to a corporate transaction — in connection with a merger, acquisition, or reorganisation, subject to confidentiality.

7. International data transfers

Because we operate in Indonesia and Malaysia and use reputable service providers, your personal data may be processed or stored outside Indonesia. Where we transfer personal data across borders, we take steps consistent with UU PDP — including ensuring the destination provides an adequate level of protection, obtaining your consent, or putting appropriate contractual safeguards in place.

8. Data retention

We keep your personal data only for as long as necessary to fulfil the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Consent and audit records are retained as evidence of compliance. When data is no longer needed, we securely delete or anonymise it.

9. How we protect your data

As a cybersecurity company, data protection is core to what we do. We apply appropriate technical and organisational measures — including encryption in transit, access controls, network monitoring, and regular security reviews — to protect your personal data against unauthorised access, alteration, disclosure, or loss. No method of transmission or storage is completely secure, but we work continuously to safeguard your information.

10. Your rights

Subject to applicable law, you have the following rights over your personal data under UU PDP:

• Access — obtain confirmation and a copy of the personal data we hold about you.
• Rectification — correct or update inaccurate or incomplete data.
• Erasure — request deletion of your personal data where permitted.
• Withdraw consent — withdraw any consent you have given, at any time.
• Object or restrict — object to or limit certain processing of your data.
• Portability — receive your data in a structured, commonly used format.
• Complaint — lodge a complaint with the competent supervisory authority.

To exercise any of these rights, contact us at contact@sevencyber.io. We may need to verify your identity before acting on your request. Where you withdraw consent, we will cease the relevant processing no later than 3×24 hours (72 hours) after your request, as required by UU PDP.

11. Children’s privacy

Our website and services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children. Where the personal data of a child is involved, processing will be carried out with the consent of a parent or legal guardian in accordance with applicable law.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the updated version on this page with a new “last updated” date. For material changes, we may ask you to review your consent again.

13. Contact us

If you have questions, requests, or concerns about this policy or your personal data — including to reach our Data Protection Officer — please contact us at contact@sevencyber.io, or write to our offices in Jakarta or Tangerang (Indonesia) or Kuala Lumpur (Malaysia).