Privacy Policy

Beta

Last Updated: May 13, 2026 — This policy applies to the GlobalProtectify platform and Security Sentinel Chrome extension (v1.0, Beta).

1. Introduction

At GlobalProtectify, we take your privacy seriously. This policy explains what data we collect, how we use it, and how we protect it when you use our cybersecurity awareness training platform and the Security Sentinel browser extension. By using our services you agree to the practices described here.

2. Platform — Information We Collect

  • Account Information: Name, email address, and username provided during registration.
  • Training Data: Course enrolment, progress, quiz answers, completion status, and certificates earned.
  • Phishing Simulation Data: Whether you clicked, reported, or ignored a simulated phishing email — used solely for security awareness reporting within your organisation.
  • Threat Reports: Domain names your team submits as suspicious via the browser extension or the web platform.
  • Technical / Session Data: IP address, browser type, and operating system, collected for session security, MFA enforcement, and audit logging.

3. Security Sentinel Chrome Extension — Data Handling

The Security Sentinel extension monitors browser navigation to protect you from phishing, malware, and typosquatted domains in real time. The following explains exactly what data the extension processes:

3a. URL Transmission to Our API

Every time you navigate to an http:// or https:// URL, the extension sends that URL to our threat-intelligence API for evaluation.

  • The URL is used only to evaluate whether the domain is listed as a threat.
  • No page content, form data, cookies, or credentials are transmitted — only the URL.
  • Lookups are performed server-side in real time and are not linked to your account unless you are signed in to the platform.
  • We do not build individual browsing profiles or sell browsing data to third parties.
3b. Local Browser Storage

The result of each threat lookup (threat type, risk level, domain) is stored in chrome.storage.local keyed by the browser tab ID. This data:

  • Never leaves your device.
  • Is used only to populate the extension popup for the active tab.
  • Is automatically overwritten when you navigate to a new URL in the same tab.
3c. Browser Notifications

When a threat is detected, the extension may display a browser notification containing the flagged domain name and threat category. This data is processed locally by Chrome and is not transmitted anywhere.

3d. Browser Permissions Used
PermissionWhy it is needed
tabsTo read the URL of the active tab so it can be checked against the threat intelligence API.
storageTo cache the threat result for the current tab locally in chrome.storage.local.
notificationsTo display a system notification when a dangerous site is detected.
Host permissions (http://*/*, https://*/*)Required to inject the simulation-challenge overlay into pages flagged as active phishing simulations (warning-level only — danger sites are redirected to a local block page).
3e. Data Not Collected by the Extension
  • Page content, text, images, or files on any website you visit.
  • Passwords, form inputs, or autofill data.
  • Browsing history stored in Chrome.
  • Your identity — lookups are anonymous unless you are logged in to GlobalProtectify.

4. How We Use Your Information

We use your data to:

  • Provide and maintain our training and threat-protection services.
  • Track your progress and issue completion certificates.
  • Report training and simulation metrics to your Organisation Admin (if applicable).
  • Improve the accuracy of our threat intelligence blocklist.
  • Detect and prevent abuse, fraud, and unauthorised access.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data Sharing

  • Organisation Admins: If your account belongs to an organisation, your training progress, certificate status, and phishing simulation results are visible to your organisation's admin.
  • Threat Intelligence Sources: We cross-reference domain lookups against the URLhaus public feed. No personal data is sent to URLhaus.
  • Legal Obligations: We may disclose data if required by law or to protect the safety and security of our users.

6. Data Security

We implement the following security measures:

  • Passwords are hashed using bcrypt — plaintext passwords are never stored.
  • Multi-Factor Authentication (MFA via TOTP) is available and encouraged for all accounts.
  • All platform traffic is served over HTTPS (TLS).
  • Session tokens are regenerated on login and are subject to activity-based expiry.
  • Rate limiting is applied to authentication and API endpoints to prevent brute-force attacks.
  • Admin activity is logged for audit purposes.

7. Data Retention

  • Account data is retained for the lifetime of your account.
  • Training and simulation records are retained for as long as your organisation's subscription is active.
  • API request logs (including URLs submitted for threat lookup) may be retained for up to 30 days for security monitoring, then deleted.
  • You may request deletion of your account and associated data by contacting us.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and data.
  • Object to certain processing activities.

To exercise any of these rights, contact us at support@globalprotectify.com.

9. Beta Notice

GlobalProtectify and the Security Sentinel extension are currently in Beta. Features, data handling practices, and this privacy policy may change as the product evolves. We will update this page and notify users of material changes.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at support@globalprotectify.com.