Privacy Policy

Last updated: 15 November 2025

Hexabelt (“we”, “our”, “us”) provides cybersecurity training and monthly security drills designed to help individuals and organisations strengthen their digital resilience.
We take your privacy seriously and process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

This Privacy Policy explains what data we collect, why we collect it, how it is used, and the rights you have over your information.

1. Who We Are

Hexabelt, a non-profit organization registered in the Democratic Republic of Congo
Website: https://hexabelt.com
Email: pilipili@hexabelt.com

We act as the Data Controller for personal data collected through:

  • our website

  • our Monthly Security Drills platform

  • our newsletters, webinars, or online forms

  • onboarding and support communications

2. What Personal Data We Collect

We only collect data necessary to operate our services. This may include:

a. Information you provide

  • Name

  • Email address

  • Organization (optional)

  • Country/region

  • Communication preferences

  • Form submissions (e.g., sign-up forms)

b. Data generated through Monthly Security Drills

We do not collect real credentials, passwords, or sensitive content.
We only collect behavioral responses, such as:

  • whether a user clicked a simulated phishing link

  • time taken to respond

  • whether a user reported the simulation

  • whether a user uploaded a file for analysis (metadata only; file content is not stored)

c. Technical data

Collected automatically when visiting our website:

  • IP address (anonymized where possible)

  • Browser type and device information

  • Basic analytics data

  • Cookies (see Section 10)

d. Communication data

  • Emails you send us

  • Support requests

  • Feedback from mentoring or debrief sessions

We do not collect:

  • passwords

  • private message content

  • sensitive personal data (unless you voluntarily provide it)

3. Why We Collect Your Data (Legal Bases)

Under GDPR, we must have a legal reason for processing your data. We use the following bases:

a. Contractual necessity

To provide the Monthly Security Drills or any training you sign up for.

b. Legitimate interest

To improve our services, run security simulations, and prevent abuse.

c. Consent

For newsletters, marketing messages, and non-essential cookies.

d. Legal obligation

To comply with applicable laws and resolve disputes.

4. How We Use Your Data

We use your data to:

  • create and manage your account

  • send monthly security drills

  • analyze responses to drills and generate reports

  • detect unsafe behavior and provide corrective guidance

  • send service updates or threat alerts

  • maintain platform security

  • respond to support requests

  • process opt-in communications (newsletters, educational content)

We never sell or trade your personal data.

5. How Long We Keep Your Data

We retain personal data only as long as necessary:

  • Account data: kept while your account is active

  • Drill response data: retained for up to 12 months for trend analysis, then anonymized

  • Analytics logs: 12–18 months

  • Email/support communications: up to 24 months

  • Marketing consents: until you opt out

You may request deletion at any time (see Section 8).

6. Who We Share Data With

We may share necessary data with trusted third-party service providers that help us operate our services (all GDPR-compliant), such as:

  • cloud hosting providers

  • analytics tools

  • email delivery services

All processors are bound by strict data protection agreements.

We do not share personal data with advertisers or social media platforms.

We do not share drill response data with your employer unless explicitly agreed in organisational deployments.

We will only disclose data if required by law.

7. International Data Transfers

Some of our service providers may operate outside the EU/EEA.
We ensure legal safeguards such as:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Data Processing Agreements

Your data is protected to GDPR standards regardless of location.

8. Your GDPR Rights

You have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Delete your data (“right to be forgotten”)

  • Object to certain processing

  • Restrict processing

  • Withdraw consent at any time

  • Receive your data in a portable format

  • Lodge a complaint with a Data Protection Authority

To exercise these rights, contact us at:
pilipili@hexabelt.com

We respond within 30 days, as required by GDPR.

9. Security Measures

We use robust, industry-standard security practices, including:

  • encrypted communications (HTTPS with TLS 1.2+)

  • access control & authentication

  • secure hosting

  • data minimization

  • internal staff confidentiality rules

  • regular security audits

  • safe drill design ensuring no harmful operations

Drills never collect sensitive content, only behavioral patterns.

10. Cookies

We use cookies to improve functionality and analytics.
Non-essential cookies require your consent.

You can manage or disable cookies through your browser settings.

11. Children’s Data

Our services are not intended for children under 16.
We do not knowingly collect data from minors.

12. Changes to This Privacy Policy

We may update this policy as needed.
Changes will be posted on this page with a new “Last updated” date.

13. Contact Us

If you have any questions about this Privacy Policy or how we process personal data, contact:

Email: pilipili@hexabelt.com
Website: https://hexabelt.com
