Privacy Policy
Last updated 2026-04-25
Who we are
OpSecSafe (www.opsecsafe.com) is operated by Synack Solutions Pty Ltd, an Australian company based in Brisbane, Queensland. Questions: notifications@opsecsafe.com.
This policy explains what personal information we collect, how we use it, and the choices you have. We operate under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where you access the site from outside Australia, applicable local laws (including the GDPR if you're in the EU/UK) also apply to the limited extent they do.
What we collect
- Account data — email address, chosen display name + account name, sign-in provider (for future social sign-ins), and when you first registered.
- Session + sign-in context — session token (in an HttpOnly cookie, scoped to www.opsecsafe.com), the IP address + country/city your session was started from (from Cloudflare's edge), and a SHA-256 hash of your User-Agent string. Raw User-Agent strings are not retained.
- Activity — articles you've liked, marked read, or tagged with your own labels; saved digests; one-off ingests you triggered if you're an admin. We use this to drive your personalised feed — not for external profiling or ad targeting.
- Server logs — Cloudflare Workers standard logs (request path, response status, per-request timing). Email addresses in auth logs are stored as SHA-256 hash prefixes only.
What we don't collect
- No third-party trackers, ad pixels, or analytics scripts. The site runs no Google Analytics, Facebook Pixel, or similar.
- No payment card data — when we introduce paid plans, Stripe handles the card details; we only store the subscription status + Stripe customer id.
- No password. Sign-in uses one-time email codes (OTP); there is no stored credential that could be breached.
How we use it
- To sign you in and keep you signed in.
- To personalise the feed (unread state, likes, your private tags, default filters).
- To send you the email digests you configure (and nothing else — no marketing blasts).
- To detect abuse (rate-limiting sign-in attempts, flagging anomalous session origins).
- To bill you accurately when you're on a paid plan.
Third parties
- Cloudflare — hosts the site and the database (D1), and handles DNS + TLS. All your traffic is proxied through their edge.
- Mailjet — delivers transactional email (sign-in codes, weekly digest). Your email address is shared with Mailjet for the purpose of delivery.
- Anthropic — powers the editorial classifier (Claude Haiku 4.5). The content we classify is publicly-published articles we've crawled; no user-private data is sent to Anthropic.
- Shodan (CVEDB) — public CVE lookup + paid host count API. No user-identifying info is sent.
- NVD / MITRE / first.org EPSS — public vulnerability data sources we poll. No user data sent.
Retention
- Sessions: 30 days after last use, then auto-deleted.
- OTP codes: 10 minutes or first use, whichever comes first.
- Account data + activity: kept while your account is active. Request deletion any time by emailing notifications@opsecsafe.com — we remove the account + derived data within 30 days.
- Operational logs (Cloudflare edge): per Cloudflare's retention window (typically 7 days) unless an incident requires longer retention.
Your rights
Under the APPs you can ask us to show you what personal info we hold about you, correct anything that's wrong, or delete your account. Email notifications@opsecsafe.com and we'll action it within 30 days. If you're in the EU/UK, the GDPR gives you equivalent rights — same email.
If you're not satisfied with how we've handled a privacy concern, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
Cookies
We use one strictly-necessary cookie: opsecsafe_session. It's HttpOnly, Secure, SameSite=Lax, and expires after 30 days of inactivity. No analytics cookies, no tracking cookies.
Security
Site architecture + controls are documented in the engineering architecture doc, but the short form: HTTPS-only, session cookie is HttpOnly+Secure, sign-in uses email OTP with rate limits, Anthropic/Mailjet/Stripe keys live in Cloudflare's account-level Secrets Store, prompt-injection defences applied to every LLM call. We take this seriously — we're in the business.
Changes
If we materially change this policy we'll post a note at the top of the page and notify registered users by email before it takes effect.