
Privacy Policy

Effective Date: January 26, 2026

Version 2.0

Our Privacy Commitment

AAM Cyber is a privacy-first cybersecurity consultancy. We practice what we preach: minimal data collection, maximum data protection, and absolute client confidentiality.

Unlike most organizations, we do not rely on third-party cloud services, external analytics platforms, or data brokers. All client data is processed and stored exclusively on AAM Cyber-owned infrastructure within the United States.

Data We Collect

Information You Provide Directly

We collect only information you voluntarily provide when contacting us:

  • Name
  • Email address
  • Phone number (if provided)
  • Company name (if provided)
  • Message content

We do not collect data you do not explicitly provide.

Information We Do NOT Collect

  • No tracking cookies
  • No analytics scripts
  • No behavioral tracking
  • No IP address logging
  • No browser fingerprinting
  • No third-party pixels or beacons

Our website does not use Google Analytics, Facebook Pixel, HubSpot, or any external tracking service.

How We Use Your Information

We use your contact information solely to:

  1. Respond to your inquiry
  2. Provide requested services under a signed engagement agreement
  3. Comply with legal obligations (if any)

We do not use your information for marketing, profiling, or any purpose beyond direct service delivery.

Data Storage & Security

Self-Hosted Infrastructure

All client data is stored on:

  • AAM Cyber-owned servers
  • Physically secured facilities under our direct control
  • Encrypted at rest and in transit
  • Air-gapped from public networks where applicable

We do not use AWS, Azure, Google Cloud, or any third-party hosting provider for client data.

Security Measures

  • End-to-end encryption (TLS 1.3 minimum)
  • AES-256 encryption at rest
  • Multi-factor authentication on all administrative access
  • Regular security audits and penetration testing
  • Principle of least privilege access controls

Content Delivery & Protection

Our website uses Cloudflare for DDoS protection and content delivery. Cloudflare may process minimal technical data (IP addresses, request headers) to provide these security services. We do not access, retain, or analyze this data. This infrastructure protection does not involve tracking, profiling, or advertising. See Cloudflare's Privacy Policy for details on their data handling practices.

Secure Communications

Private Communication Channels

For clients requiring enhanced confidentiality, we offer secure communication options beyond standard email:

  • Signal — End-to-end encrypted messaging (preferred for sensitive discussions)
  • Proton Mail — Zero-access encrypted email; Proton-to-Proton messages are automatically end-to-end encrypted
  • Secure file transfer — Self-hosted encrypted file sharing (no Dropbox, Google Drive, or third-party cloud)
  • Air-gapped consultation — In-person or secure voice for highest-sensitivity matters

We adapt our communication methods to your threat model. Standard inquiries via email are appropriate for most clients. Clients with elevated privacy requirements — executives, public figures, or those facing targeted threats — may request secure channels at any time.

To initiate secure communications:

  • Signal: Request our Signal contact via initial email
  • Encrypted email: Our inbox is hosted on Proton Mail; for non-Proton users, we can send password-protected messages

We never conduct sensitive client discussions over unencrypted channels without explicit consent.

Data Retention

Minimalist Retention Policy

Data Type                      | Retention Period  | Rationale
General inquiries              | 90 days           | Deleted after response completed
Engagement records             | Duration + 1 year | Business necessity; deleted upon request
Financial records              | 7 years           | Arizona law / IRS requirements
Communications (no engagement) | 30 days           | Deleted unless engagement initiated

All non-legally-mandated data is deleted upon your request.

Your Rights

Universal Rights (All Jurisdictions)

You have the right to:

  • Access: Request a copy of any data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request destruction of all data we hold about you
  • Portability: Receive your data in a machine-readable format

How We Handle Deletion Requests

Upon receiving a verified deletion request:

  1. We identify all data associated with your identity
  2. We permanently destroy all non-legally-required data within 7 business days
  3. We provide written confirmation of destruction
  4. Data subject to legal retention is isolated and deleted upon expiration of the retention period

We do not charge fees for exercising your privacy rights.

California Residents (CCPA/CPRA)

In addition to the above:

  • We do not sell your personal information
  • We do not share your personal information for cross-context behavioral advertising
  • We do not use sensitive personal information for profiling
  • You may designate an authorized agent to submit requests on your behalf

European Economic Area Residents (GDPR)

In addition to the above:

  • Legal basis for processing: Legitimate interest (responding to inquiries) or contract performance (engagement services)
  • You have the right to lodge a complaint with your local supervisory authority
  • We do not transfer your data outside the United States; all processing occurs domestically

Third-Party Disclosure

We Do NOT Share Your Data

We do not disclose your personal information to any third party except:

  1. With your explicit written consent
  2. When legally compelled (subpoena, court order, or regulatory requirement)

If legally compelled to disclose, we will:

  • Notify you promptly (unless prohibited by law)
  • Limit disclosure to the minimum required
  • Challenge overbroad requests where appropriate

We have never sold, traded, or disclosed client information for marketing purposes. We never will.

Cookies & Tracking

No Tracking Technologies

This website uses:

  • No cookies (analytics, tracking, or otherwise)
  • No JavaScript tracking libraries
  • No session recording
  • No heat mapping
  • No A/B testing platforms

Essential functionality (if any) uses session-only technical cookies that expire when you close your browser and contain no personally identifiable information.

Data Breach Response

In the unlikely event of a data breach:

  1. We will investigate immediately
  2. We will notify affected individuals within 72 hours of confirmed breach discovery
  3. We will notify relevant authorities as required by law (Arizona: 45 days; GDPR: 72 hours)
  4. We will provide a detailed incident report upon request

Children's Privacy

We do not knowingly collect information from individuals under 18. If we discover we have inadvertently collected such information, we will delete it immediately.

Policy Changes

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be:

  • Posted on this page with an updated effective date
  • Communicated to active clients via email

Contact

To exercise your privacy rights or ask questions:

Email: privacy@aamcyber.com (encrypted via Proton Mail)

Signal: Available upon request

We respond to all privacy requests within 7 business days.

Our email is hosted on Proton Mail with zero-access encryption. Messages from other Proton Mail users are automatically end-to-end encrypted. For non-Proton users requiring encryption, we can send password-protected messages — contact us to arrange secure delivery.

Governing Law

This policy is governed by the laws of the State of Arizona, United States.

AAM Cyber — Privacy is not a feature. It's the foundation.