Privacy Policy
Effective date: June 1, 2025
1. Introduction
Koh Cyber (“Koh”, “we”, “our”) operates the Koh Cyber email security service, accessible at kohcyber.com and app.kohcyber.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have in relation to it.
By using our service you agree to the collection and use of information in accordance with this policy.
2. Data we collect
2.1 Account data
When you sign up we collect your name, work email address, Google Workspace domain, and billing information (processed by Stripe; we never see raw card numbers).
2.2 Email metadata
To provide threat detection we process the following per-message metadata: sender address, recipient address(es), subject line, message timestamp, MIME structure, authentication headers (SPF, DKIM, DMARC results), and URLs extracted from the message body. We do not store email body text or attachments. Body content is read in-memory solely to extract signals (URLs, keywords for active content rules) and is discarded immediately after processing.
2.3 Usage data
We collect server-side logs of API requests (endpoint, HTTP status, latency) and admin actions (quarantine releases, rule changes). IP addresses in logs are retained for 30 days and then deleted.
2.4 Cookies
Our application sets a session cookie (koh_session) required for authentication. Our marketing website (kohcyber.com) does not currently use any analytics cookies. The consent banner on kohcyber.com stores your preference in your browser’s local storage (not a cookie) so that it is honoured automatically if and when analytics are enabled in the future. This section will be updated before any analytics cookies are set. No third-party advertising cookies are used on any Koh Cyber property.
3. How we use your data
- To provide, operate, and improve the email security service.
- To detect and classify email threats on your behalf.
- To send transactional notifications (quarantine alerts, billing receipts).
- To respond to support requests.
- To comply with legal obligations.
We do not sell your data, use it to train shared ML models, or share it with third parties for advertising purposes.
4. Data retention
Email metadata (sender, recipient, subject, timestamps, threat classification) is retained for 90 days by default. Organisations on the Business or Enterprise plan may configure a custom retention window (7–365 days) from the dashboard.
Account data is retained for the lifetime of your subscription and deleted within 30 days of account closure.
5. Data sharing and sub-processors
We share data with the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting, Cloud SQL, Cloud Run | US |
| Stripe | Payment processing | US |
| SendGrid / Twilio | Transactional email (notifications) | US |
| Slack Technologies | Webhook alert delivery (if configured) | US |
6. Security
All data in transit is encrypted via TLS 1.2+. All data at rest is encrypted using AES-256. Access to production systems is restricted to named engineers and requires MFA. We conduct regular security reviews and dependency audits.
7. Your rights (GDPR / CCPA)
Depending on your location you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data (“right to erasure”).
- Object to or restrict processing.
- Request portability of your data in a machine-readable format.
- Withdraw consent for cookies at any time.
To exercise any of these rights, email privacy@kohcyber.com. We will respond within 30 days.
8. Contact
Koh Cyber
Data controller for EU/UK purposes
Email: privacy@kohcyber.com
9. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the dashboard. Continued use of the service after the effective date constitutes acceptance of the revised policy.