Privacy Policy
Your privacy matters. This policy explains how Sarsa Technology collects, uses, stores, and protects your personal information.
Effective Date: March 22, 2026 | Last Updated: March 22, 2026
1. Introduction
Sarsa Technology ("we," "us," or "our") is a cybersecurity consulting firm headquartered in New York, NY, United States. We provide virtual CISO services, security program development, compliance management, vendor questionnaire response, and vulnerability assessment and penetration testing to businesses worldwide.
This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website at sarsatechnology.com (the "Site") or engage with our services. It applies to visitors and users in all jurisdictions we serve, including the United States, United Kingdom, Canada, European Union, India, and Singapore.
By using our Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use our Site.
2. Information We Collect
2.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you interact with our Site:
- Contact Form: First name, last name, work email address, company name, phone number (optional), service interest, and message content.
- Newsletter Subscription: Email address.
- Email & Phone Communications: Any information you share when you contact us directly at info@sarsatechnology.com or (646) 466-4227.
2.2 Information Collected Automatically
When you visit our Site, certain information is collected automatically by our hosting infrastructure:
- IP address, browser type and version, operating system, and device type.
- Pages visited, referring URL, time and date of access, and duration of visit.
2.3 Cookies & Tracking
Our Site uses only essential cookies required for basic site functionality (e.g., security tokens and session management). We do not use advertising cookies, social media tracking pixels, or third-party analytics trackers. If this changes in the future, we will update this policy and, where required, obtain your consent before deploying non-essential cookies.
3. How We Use Your Information
We use the personal information we collect for the following purposes:
- Service Delivery: To respond to your inquiries, schedule consultations, and deliver our cybersecurity services.
- Communications: To send you information you have requested, including newsletter content and security insights.
- Customer Relationship Management: To manage our relationship with you and maintain records of our interactions.
- Site Operation & Security: To maintain, protect, and improve our Site, including monitoring for security threats and preventing fraud.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
Legal Bases for Processing
Where applicable (including under the GDPR and UK GDPR), we rely on the following legal bases:
- Consent: When you submit a contact form, subscribe to our newsletter, or otherwise voluntarily provide your information.
- Legitimate Interests: To operate and improve our Site, respond to inquiries, and manage business relationships, where these interests are not overridden by your rights.
- Contractual Necessity: To perform or prepare a contract for services you have requested.
- Legal Obligation: To comply with applicable laws and regulations.
4. Phishing Awareness & Simulation Campaigns
As part of our cybersecurity services, we conduct authorized phishing simulation campaigns on behalf of our clients to test and improve their employees' security awareness. These campaigns are performed exclusively under a written agreement with the client organization.
4.1 How These Campaigns Work
During a phishing simulation engagement:
- Our client provides us with a list of their employee email addresses and names for the purpose of conducting the simulation.
- Simulated phishing emails are sent to those employees via our email delivery provider, Mailgun.
- We track whether recipients opened the email, clicked on links, or submitted information on a simulated phishing page. No credentials or sensitive data entered during a simulation are stored or used for any purpose other than reporting results to the client.
- Campaign results are reported to the client in aggregate and/or individual form as agreed in the engagement scope.
4.2 Data Processed in Phishing Campaigns
The personal data processed during these campaigns may include:
- Employee names and work email addresses (provided by the client).
- Email interaction data (open rates, click-through rates, form submissions on simulated pages).
- IP address and browser/device metadata at the time of interaction.
4.3 Legal Basis & Authorization
Phishing simulations are conducted solely under the authorization of the client organization, which acts as the data controller for its employees' data. Sarsa Technology acts as a data processor on behalf of the client. The legal basis for processing is the client's legitimate interest in protecting its organization from security threats and fulfilling its obligations to train employees on cybersecurity risks.
4.4 Data Retention & Security
Phishing campaign data is retained only for the duration of the engagement plus a reasonable reporting period (typically 90 days after the final campaign report is delivered), unless the client requests otherwise. All campaign data is securely deleted upon conclusion of the retention period. Employee data is never used for marketing, shared with other clients, or repurposed beyond the scope of the authorized engagement.
4.5 Rights of Campaign Recipients
If you are an employee who has received a simulated phishing email as part of your organization's security awareness program, your rights regarding the data collected are governed by your employer's privacy policies. You may contact your organization's IT or HR department, or reach out to us at privacy@sarsatechnology.com, and we will coordinate with your employer to address your request in accordance with applicable data protection laws.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only with the following categories of recipients, and only to the extent necessary:
- CRM Provider (Odoo): Contact form submissions are stored in our customer relationship management system to manage inquiries and service delivery.
- Email Marketing Provider (MailerLite): Newsletter subscriber email addresses are processed by MailerLite to deliver our email communications.
- Phishing Simulation Provider (Mailgun): Employee email addresses and campaign interaction data are processed by Mailgun to deliver authorized phishing simulation emails on behalf of our clients.
- Hosting Provider (Vercel): Our Site is hosted on Vercel, which processes server logs containing technical access data.
- Legal & Regulatory: We may disclose your information if required to do so by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, safety, or the rights, safety, or property of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
All third-party service providers are contractually obligated to protect your information and use it only for the purposes we specify.
6. International Data Transfers
Our Site is operated from the United States. If you access our Site from the European Union, United Kingdom, Canada, India, Singapore, or any other jurisdiction with data protection laws that differ from those of the United States, please be aware that your information may be transferred to, stored in, and processed in the United States.
Where we transfer personal data internationally, we implement appropriate safeguards as required by applicable law, including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other legally recognized transfer mechanisms. By providing your information, you consent to such transfers where consent is a recognized legal basis for the transfer.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this policy:
- Contact Inquiries: Retained for up to 3 years from the date of your last interaction, or longer if required for an active business relationship or legal obligation.
- Newsletter Subscribers: Retained until you unsubscribe or request deletion.
- Server Logs: Retained for up to 90 days by our hosting provider.
When personal information is no longer needed, we securely delete or anonymize it in accordance with applicable laws.
8. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
8.1 Rights Under EU & UK GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests or direct marketing.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK or your national DPA in the EU).
8.2 Rights Under U.S. State Privacy Laws
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other U.S. states with comprehensive privacy legislation, you may have the right to:
- Know what personal information we collect, use, and disclose.
- Delete your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. (Note: We do not sell or share your personal information for cross-context behavioral advertising.)
- Non-discrimination — exercise your rights without receiving discriminatory treatment.
We will respond to verified requests within the timeframes required by applicable law (typically 45 days for CCPA/CPRA, 30 days for GDPR).
8.3 Rights Under Canadian Law (PIPEDA)
If you are located in Canada, you have the right under the Personal Information Protection and Electronic Documents Act (PIPEDA) to:
- Access your personal information held by us.
- Challenge the accuracy and completeness of your data and have it amended.
- Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
- File a complaint with the Office of the Privacy Commissioner of Canada.
8.4 Rights Under India's Digital Personal Data Protection Act (DPDPA)
If you are located in India, you have the right under the Digital Personal Data Protection Act, 2023 to:
- Access a summary of your personal data and processing activities.
- Correction & Erasure of inaccurate or unnecessary personal data.
- Grievance Redressal — you may raise concerns with us and, if unresolved, escalate to the Data Protection Board of India.
- Nominate an individual to exercise your rights on your behalf.
8.5 Rights Under Singapore's PDPA
If you are located in Singapore, you have rights under the Personal Data Protection Act 2012 (PDPA) to:
- Access your personal data held by us.
- Correction of inaccurate personal data.
- Withdraw consent for the collection, use, or disclosure of your personal data.
- Data portability — request that your data be transmitted to another organization.
- File a complaint with the Personal Data Protection Commission (PDPC) of Singapore.
8.6 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@sarsatechnology.com. We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law and will not charge a fee unless the request is manifestly unfounded or excessive.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit via TLS/HTTPS.
- Access controls limiting who within our organization can access personal information.
- Secure storage of data with our vetted third-party providers.
- Regular review and updating of our security practices.
While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
10. Third-Party Links
Our Site may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of every site you visit.
11. Children's Privacy
Our Site and services are directed to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16 (or the applicable age of consent in your jurisdiction). If we learn that we have collected personal data from a child, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@sarsatechnology.com.
12. Do Not Track Signals
Our Site does not use tracking technologies that respond to Do Not Track (DNT) browser signals. As we do not track users across third-party websites, we do not respond to DNT signals. Should we adopt tracking technologies in the future, we will update this policy accordingly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page. Where required by law (e.g., under GDPR or PDPA), we will notify you of significant changes by email or through a prominent notice on our Site. We encourage you to review this policy periodically.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Sarsa Technology
- New York, NY, United States
- Email: privacy@sarsatechnology.com
- Phone: (646) 466-4227
For general inquiries, you may also reach us at info@sarsatechnology.com or through our Contact page.
Supervisory Authorities
If you are unsatisfied with our response to your privacy concern, you may contact the appropriate supervisory authority:
- EU: Your local Data Protection Authority (DPA)
- UK: Information Commissioner's Office (ICO)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
- India: Data Protection Board of India
- Singapore: Personal Data Protection Commission (PDPC)
- California, US: California Attorney General