Kaavalan Limited (trading as CyberCheck360)
Last updated: May 2026
This policy covers everything under the CyberCheck360 name: our website at cybercheck360.com, the Email Security Platform, the Threat Intelligence Platform, Email Link Security, Dynamic Threat Protection, our Gmail add-on, our Outlook add-in, and our Chrome and Firefox browser extensions.
If you have questions about anything in here, please email us at privacy@cybercheck360.com. We are a small team and we will get back to you properly.
We are Kaavalan Limited, an Irish company that builds security tools under the CyberCheck360 brand. Our job is to help organisations spot and block phishing emails, malicious links, and other cyber threats before they cause damage.
To do that, we need to process certain information. This policy explains what we collect, why we collect it, who can see it, and what your rights are. We have tried to write it in plain language rather than legalese, because we think you deserve to actually understand it.
A few things worth knowing upfront:
When you create an account or get in touch with us, we collect:
What we collect depends on which product you use. Read the section that applies to you.
When you visit cybercheck360.com or use our free scanning tools without an account, we collect:
When you open an email in Outlook with our add-in running, it checks that email for threats. It reads:
The add-in only looks at the email you have open in front of you. It does not read anything else in your inbox.
Our Gmail add-on works in the same way as the Outlook version, but it connects to your Gmail account using four specific permissions that Google requires us to declare. Here is exactly what each permission does and does not allow:
| Permission | What it allows | How we use it | What we never do with it |
|---|---|---|---|
| gmail.addons.execute | Runs our add-on inside Gmail | Opens our panel when you click it | Nothing is read by this permission on its own |
| gmail.addons.current.message.metadata | Reads information about the email you have open | We read the routing headers, subject line, sender, recipients, and attachment details such as name, size, type, and fingerprint | We cannot and do not read the email body via this permission |
| gmail.addons.current.message.readonly | Reads the full content of the email you have open | We use this to extract links from the email body locally, inside the add-on. Only the links are sent to our servers, not the email text. We also use this when you choose to report an email, but only after you give your explicit consent. | The email body is never sent to our servers unless you actively choose to report the email and tick the consent checkbox |
| script.external_request | Sends information to external services | Sends the extracted links and header data to our servers for analysis | Your Google login token is never sent to our servers under any circumstances |
The add-on is only active when you have our panel open on screen. It does not run in the background, it cannot access other emails in your inbox, and it has no access to your contacts, calendar, or any other Google data.
This is the only situation where we ever collect the full content of an email, and it only happens when you choose to report one.
Registered users can flag a suspicious email using the Report Email button inside the add-in. Before anything is submitted, you must tick a checkbox that reads:
"Email content will be shared with CyberCheck360 or your organisation's designated security provider for threat analysis."
If you tick that box and submit the report, we collect the full email including the body text, headers, sender and recipient details, the subject line, your written description of the issue, and any attachments if you chose to include them.
Who sees this reported email depends on how your organisation has set up their CyberCheck360 account. It may be reviewed by CyberCheck360, your organisation's own security team, or a third-party security provider your organisation works with.
Our browser extension does two things that involve collecting data.
Checking links you visit: when you click a link on a webpage, or type or paste a web address into your browser's address bar, that address is sent to our servers to be checked for threats. We do not monitor your browsing in the background. Scanning only happens when you take one of those two actions.
Checking pages for phishing: if you land on a webpage that contains a form, such as a login page, our extension takes a small sample of plain text from that page and sends it to our servers to check whether the page looks like a phishing attempt. We take text from the top of the page, the bottom of the page, and the first few hundred characters of the main content area. That is all. We do not collect any HTML code, any form field contents, anything you have typed, any passwords, or any session data.
This phishing check only runs when a form is detected on the page. It does not happen on every page you visit.
We also log sandbox sessions against your account when you open a link in our sandbox through the extension.
Basic link checking works without an account. The sandbox and reporting features require you to be registered.
Our Threat Intelligence Platform, which you can find at tip.cybercheck360.com, is a tool for security professionals to look up and track indicators of compromise. These are things like suspicious IP addresses, domains, URLs, and file hashes.
When you search for something: every time someone searches for an indicator, registered or not, we log the IP address the search came from. If you are logged in, your search is also linked to your account. This information is only visible to CyberCheck360 and is used to protect the platform from abuse and to maintain a record of who looked up what in the event of a security investigation. It is not shared with other platform users.
IOC lists: you can create lists of indicators to track and share.
How our threat data works: our threat intelligence is stored in our own database, which we keep updated from various security feeds. When you search for an indicator, the search goes to our database. We do not send your query to external providers in real time. The one exception is IP address lookups, where a standard DNS lookup is used to find the associated domain name. This is a routine part of how the internet works. The IP address is sent to public DNS servers and no personal information about you travels with it.
Third-party integrations: if you choose to connect a third-party threat intelligence provider using your own API key, then your searches in our platform will also be sent to that provider. What gets sent is the indicator you searched for and your own API key for that service. We store your API key on your account profile so the integration can run. We do not attach any personal information about you to these requests beyond the API key you provided.
Feedback and bug reports: when you report a bug, flag a false positive, or leave feedback, we collect your IP address, your account details, and what you wrote. Bug reports include a screenshot of the platform interface at the time of the report. Screenshots do not include any personal data beyond what you have entered into the platform yourself.
Email Link Security is a feature organisations can enable where every link in incoming emails is automatically rewritten before it reaches anyone's inbox. When someone clicks a rewritten link, they are briefly routed through CyberCheck360 so we can check the destination before they arrive there.
Reading emails to rewrite links: our system reads incoming emails to find the links inside them. It reads the email body locally to find those links, but the body content is never sent to our servers. Only the links and some basic email details are extracted and processed.
What we collect from each email:
What we collect when someone clicks a rewritten link:
Every click from every user is recorded. This is a deliberate design decision. If a security incident happens and a malicious link was sent to the organisation, the security team needs to be able to find out exactly who clicked it and when. This click data is available to your organisation's administrators, their security team, and any third-party security provider managing the organisation's CyberCheck360 account (see Section 4).
Organisations can also quarantine emails containing links they believe are dangerous. This requires two people within the organisation to approve the quarantine before it takes effect.
Dynamic Threat Protection connects to your organisation's firewall and automatically checks network traffic against our threat intelligence database. When a known threat is detected, it is added to a block list automatically.
To do this, the system receives log data from your firewall. These logs contain network-level information including IP addresses, port numbers, protocols, whether connections were allowed or blocked, and other standard fields that firewalls record.
This product can be set up in two ways:
When you report a bug through any CyberCheck360 product, we collect a screenshot of the interface you were using, your IP address, your account details, and your description of the problem. Screenshots only capture our interface. They do not include any email content, webpage content, or firewall data.
When you open a URL or file in our sandbox:
We use the information we collect to:
This section is required under GDPR for users in the EU and UK. If you are in the US or another region, the relevant section is further down.
We only process your information when we have a lawful reason to do so. Depending on what we are doing and why, we rely on one of the following:
Where we process data on behalf of an organisation customer, for example in Email Link Security or managed Dynamic Threat Protection deployments, we are acting as a data processor. The organisation is the data controller and their instructions and contract with us govern how the data is handled.
If you are in Canada, we rely on express or implied consent as appropriate, or on the exceptions that Canadian privacy law permits.
We do not sell personal data.
Here is every situation where your information might be shared with someone outside of Kaavalan Limited:
When you search for an IOC, the indicator itself (the IP address, domain, URL, or file hash) is submitted to third-party threat intelligence providers to check its reputation and return an accurate verdict. No account details, IP address, username, or any other information that could identify you or your organisation is included in these requests. The specific providers used may vary depending on your subscription plan. See Section 1 for full details on what data is collected from each product.
Yes. Our website uses cookies and similar tracking technologies. Under GDPR and the ePrivacy Directive, we are required to tell you exactly what we use, why we use it, and to ask for your consent before anything other than strictly necessary cookies are placed on your device.
We manage all tracking through Google Tag Manager. The tags we currently have configured are listed below, grouped by purpose.
Strictly necessary
These are required for the website and platform to function. They do not track you for advertising or analytics purposes and they do not require your consent.
| Tool | What it does |
|---|---|
| Termly Cookie Consent | Manages your cookie preferences and remembers your choices |
| Session cookies | Keep you logged in and protect against cross-site request attacks |
| Usage limit cookies | Track your free sandbox session count for the day |
Analytics and performance
These help us understand how people use our website so we can improve it. They only run if you have accepted analytics cookies.
| Tool | What it does |
|---|---|
| Google Analytics GA4 | Tracks page views, session duration, traffic sources, and general usage patterns. IP addresses are anonymised before we see them. |
| Google Tag | The base configuration tag that connects our site to Google's measurement services |
| Cloudflare Insights | Collects performance data such as page load times and error rates to help us keep the site running smoothly |
| Microsoft Clarity | Records anonymised session behaviour including mouse movements, clicks, and scroll depth so we can understand how people interact with our pages. Clarity is configured to mask form fields, so anything you type into a form is not captured. |
Marketing and advertising
These are used to measure the performance of our advertising campaigns and to show relevant ads to people who have visited our website. They only run if you have accepted marketing cookies. Our advertising platforms are not all running live campaigns at the time this policy was published, but the following tools are configured and will be subject to your consent before they fire.
| Tool | What it does |
|---|---|
| LinkedIn Insight Tag | Tracks conversions from LinkedIn ads and enables us to reach people with similar profiles to our visitors on LinkedIn |
| Facebook (Meta Pixel) | Tracks conversions from Meta ads across Facebook and Instagram and enables retargeting |
| Google Ads Conversion | Tracks when someone takes an action after clicking one of our Google Ads |
| Reddit Pixel | Tracks conversions from Reddit ads and enables retargeting on Reddit |
CRM and contact tracking
| Tool | What it does | When it fires |
|---|---|---|
| HubSpot | Tracks form submissions and contact activity to help our team follow up with people who have expressed interest in our products | Only on pages where a contact form is present, not across all pages |
All marketing, analytics, and CRM tags are managed through our cookie consent banner. None of them should activate before you have made a choice. If you have concerns about how consent is applied on our website, please get in touch at privacy@cybercheck360.com.
You can update your preferences at any time by clicking Cookie preferences in the footer of our website. Full details are in our Cookie Policy at cybercheck360.com/cookie-policy/.
Yes, in one specific and limited way.
When you use our Chrome or Firefox extension and visit a webpage that contains a form, such as a login page, our extension checks whether that page might be a phishing site. To do this, it takes a small sample of plain text from the top of the page, the bottom of the page, and the beginning of the main content area. That text is sent to our servers and then to an AI model for classification.
We use OpenAI's API for this. We have not named a specific model version here because the model we use may change over time. What will not change is that OpenAI is the provider, and that the following apply regardless of which model is running:
To be specific about what we do send:
This only runs when a form is detected on a page. It does not happen on every page you visit.
| Data type | Retention period |
|---|---|
| Email headers, extracted links, threat verdicts | 12 months |
| Browser extension scan logs | 12 months |
| Threat Intelligence Platform search logs | 12 months |
| TIP public comments | Kept while your account is active. Removed within 30 days of account deletion. |
| TIP integration API keys | Kept while your account is active. Removed within 30 days of account deletion. |
| Email Link Security metadata and click logs | 12 months |
| Dynamic Threat Protection firewall logs (managed deployments) | As agreed in your organisation's contract with us |
| Sandbox session logs | 12 months |
| Files opened in the sandbox | Deleted immediately when the session ends, without exception |
| Reported email content (where you consented) | 12 months |
| Bug reports and screenshots | 12 months |
| Account information | While your account is active, plus 30 days after closure |
| Website analytics | Per Google Analytics settings (anonymised) |
When you delete your account or cancel your subscription, all your associated data is deleted within 30 days.
Security is our business, and we hold ourselves to the same standards we ask of our customers.
No system is completely unbreakable. While we take every reasonable precaution, we cannot guarantee absolute security. We recommend you access our services only from secure networks and devices.
No. Our services are designed for business use and are not intended for anyone under 18. We do not knowingly collect data from children. If you think we have accidentally received data from someone under 18, please contact us at privacy@cybercheck360.com and we will delete it promptly.
Under GDPR and UK GDPR, you have the right to:
To use any of these rights, email privacy@cybercheck360.com. We will respond within 30 days.
You can also complain to the Data Protection Commission (Ireland) at dataprotection.ie, or to the supervisory authority in your own country. If you are in Switzerland, contact the Federal Data Protection and Information Commissioner.
Under the Protection of Personal Information Act 4 of 2013 (POPIA), you have the right to access, correct, and delete your personal information. Complaints can be directed to the Information Regulator at inforegulator.org.za.
Under the Nigeria Data Protection Act 2023, you have equivalent rights. Complaints can be directed to the Nigeria Data Protection Commission at ndpc.gov.ng.
You can update your account details in your account settings. If you want to close your account, contact us and we will process the deletion within 30 days.
Every marketing email we send includes an unsubscribe link. You can also email privacy@cybercheck360.com to opt out. We will continue to send service-related messages even if you opt out of marketing.
Some browsers have a Do Not Track setting that sends a signal to websites asking them not to track you. There is currently no agreed industry standard for how websites should respond to these signals, so we do not act on them at this time. If that changes, we will update this policy.
This section applies to residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.
| Category | Description | Collected? |
|---|---|---|
| A. Identifiers | Email address, IP address (anonymised for analytics; logged for TIP searches and click tracking), account name, session identifiers | Yes |
| B. Personal information (California Customer Records) | Name, email address, organisation, billing information | Yes |
| C. Protected characteristics | Gender, age, race, ethnicity, national origin | No |
| D. Commercial information | Subscription plan, transaction and payment records | Yes |
| E. Biometric information | Fingerprints, facial recognition, voiceprints | No |
| F. Internet or network activity | URLs visited on user action via browser extension; IOCs searched in TIP; link click events in Email Link Security; firewall log data in managed DTP deployments (processed as data processor on behalf of the organisation) | Yes |
| G. Geolocation data | Approximate location from IP address only. No GPS or precise location. | Yes |
| H. Electronic or sensory information | Screenshots of our interface for bug reports only. No email or webpage content is captured. | Yes |
| I. Professional information | Organisation name and job title, if provided during registration | Yes |
| J. Education information | Student records or directory information | No |
| K. Inferences | We do not build user profiles or draw inferences for advertising | No |
| L. Sensitive personal information | Health, biometric, financial credentials, or other sensitive categories | No |
No. We have never sold personal information and we will not do so.
You have the right to know what personal information we have about you, access a copy of it, correct inaccuracies, request deletion, receive your data in a portable format, and not be discriminated against for exercising these rights. You also have the right to opt out of targeted advertising, sale of data, or profiling that produces significant effects.
To exercise any of these rights, email privacy@cybercheck360.com. We will respond within 45 days. You may appoint an authorised agent to make a request on your behalf, with your written and signed permission.
If we decline your request, you may appeal by emailing us. If your appeal is denied, you may complain to your state attorney general.
California Shine the Light: we do not share personal information with third parties for their direct marketing purposes. California residents may ask us to confirm this once per year, free of charge, by emailing privacy@cybercheck360.com.
This section is required by Google's OAuth verification process and applies specifically to users of the CyberCheck360 Gmail add-on. If anything here conflicts with another part of this policy, this section takes priority for Google API data.
We use Google's permissions only to provide you with the email security service you can see and use within the add-on. We do not use your Google data for advertising. We do not build profiles from it. We do not share it except as described here and in Section 4.
Kaavalan Limited's use of information received from Google APIs follows the Google API Services User Data Policy, including the Limited Use requirements.
Only data from the single email you currently have open, and only while our add-on panel is visible on your screen. The full scope table is in Section 1 under the Gmail add-on heading.
To check email headers for signs of spoofing, to find and analyse links for threats, to support the reporting feature when you give your explicit consent, and to manage sandbox sessions.
Your organisation's administrators and designated security providers, as described in Section 4. We do not send your Google API data to any external threat intelligence provider in real time. Threat verdicts come from our own internal database.
All data is stored within the European Economic Area. Security measures are described in Section 8. We never store your Google login credentials or session tokens. Those stay within Gmail.
Section 7 has the full retention table — 12 months for most data types. You can request deletion at any time by emailing privacy@cybercheck360.com. You can also remove our access to your Gmail account at any time through myaccount.google.com/permissions.
We may update this policy when we launch new products, when the law changes, or when we change how we handle data. If we make a significant change, we will email registered users at least 14 days before the change takes effect. The date at the top of this page shows when it was last updated.
Kaavalan Limited (trading as CyberCheck360)
Email: privacy@cybercheck360.com
Address: 21, The Academy Building, Dublin, D12 H024, Ireland
If you are in the EEA or UK and you are not happy with how we have handled your data, you have the right to complain to the Data Protection Commission (Ireland) at dataprotection.ie, or to the supervisory authority in your country.
You can update your account information at any time by logging into your account settings.
To request a copy of your data, correct something, or ask us to delete your information, email privacy@cybercheck360.com with your account email address and a description of what you need. We will verify your identity and respond within 30 days, or within 45 days for requests under US state privacy laws.
Kaavalan Limited (trading as CyberCheck360) | Registered in Ireland | ISO 27001:2022 certified | GDPR compliant
Privacy Policy v5.1 | Effective May 2026 | cybercheck360.com/privacy/