Privacy Policy

Effective date: March 27, 2026

1. Overview

Security Research & Development (“SR&D”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (rnd.sh), use our client portal (portal.rnd.sh), or engage our cybersecurity and software development services. This policy applies to all visitors, clients, and users of our services.

2. Information We Collect

2.1 Information You Provide

Contact Information: Name, email address, phone number, company name, and job title when you contact us, register for the client portal, or engage our services
Account Information: Login credentials, two-factor authentication configuration, and security contact details when you create a portal account
Company Profile Data: Organization details, IT infrastructure information, compliance frameworks, and security posture data provided during onboarding
Engagement Data: Target specifications, testing parameters, questionnaire responses, and project communications
Technical Assessment Data: Information collected during authorized security assessments, including vulnerability findings, evidence, and remediation details

2.2 Information Collected Automatically

Log Data: IP address, browser type and version, operating system, referring URLs, pages visited, timestamps, and request metadata
Device Information: Device type, screen resolution, and user agent string
Geographic Data: Approximate location derived from IP address (country, region, city) for security monitoring purposes

3. Legal Basis for Processing

We process your personal information under the following lawful bases:

Contractual Necessity: Processing required to fulfill our service agreements and engagement contracts
Consent: Marketing communications, newsletter subscriptions, and optional data collection where you have given explicit consent
Legitimate Interest: Security monitoring, fraud prevention, service improvement, and protecting our systems and clients
Legal Obligation: Compliance with applicable laws, regulations, and legal processes

4. How We Use Your Information

Provide, maintain, and improve our cybersecurity and software development services
Authenticate users and secure access to the client portal
Process payments and manage billing through our payment processor
Respond to inquiries, support requests, and provide customer service
Send security updates, engagement notifications, and service communications
Send marketing communications (only with your explicit consent; you may opt out at any time)
Monitor for security threats, detect fraud, and protect our systems
Comply with legal obligations, enforce our terms, and protect our rights

5. Cookies & Tracking Technologies

We use a small number of cookies that are essential to how our services work:

Authentication cookies: Keep you signed in to the client portal
Spam protection: Prevent automated abuse of our contact forms
Cookie preference: Remember that you have acknowledged our cookie notice

We use privacy-friendly analytics that do not track individual users across sites. We do not use advertising cookies or tracking pixels, and we do not sell data to advertisers.

6. Data Sharing & Service Providers

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers who are contractually bound to protect your data:

Payment Processing: Stripe processes all payments. We do not store credit card numbers, bank account details, or full payment credentials. Stripe's privacy policy governs payment data handling.
Email Delivery: Resend delivers transactional and notification emails on our behalf.
Infrastructure & Security: Cloudflare provides CDN, DDoS protection, and Turnstile CAPTCHA services.
Data Storage: Client portal data is stored in our self-hosted infrastructure within the United States.

We may also disclose information when required by law, court order, subpoena, or to protect the safety, rights, or property of SR&D, our clients, or the public.

7. Data Protection & Security

We implement industry-standard security measures to protect your data:

Encryption: All data is encrypted in transit and at rest using industry-standard methods.
Access Controls: Only authorized personnel can access client data, with strict role-based permissions.
Authentication: Portal accounts support two-factor authentication for added security.
Monitoring: Continuous security monitoring and automated alerting protect our systems.
Data Minimization: We only collect and retain data necessary for service delivery and legal compliance.

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy:

Account data: Retained for the duration of the client relationship plus 12 months after account closure
Assessment data: Retained for 12 months after engagement completion unless contractually specified otherwise
Security logs: Retained for up to 90 days for security monitoring and incident investigation
Billing records: Retained as required by tax and financial regulations (typically 7 years)

You may request earlier deletion of your data, subject to our legal retention obligations.

9. Data Breach Notification

In the event of a data breach involving your personal information, we will notify affected individuals and relevant authorities as required by applicable law. Under Florida law (Fla. Stat. § 501.171), we will provide notification no later than 30 days after discovery of the breach. Notification will include the nature of the breach, types of information involved, steps we are taking, and actions you can take to protect yourself.

10. Your Privacy Rights

10.1 All Users

Regardless of your location, you may:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data, subject to legal retention requirements
Opt-Out: Unsubscribe from marketing communications at any time via the link in any email
Portability: Request your data in a machine-readable format

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to exceptions.
Right to Opt-Out of Sale: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address), commercial information (service engagement details), internet activity (browsing data, portal usage), professional information (company, job title), and geolocation data (approximate location from IP).

10.3 Florida Residents

Under the Florida Digital Bill of Rights (Fla. Stat. § 501.701 et seq.), Florida residents have rights to access, correct, delete, and obtain a copy of their personal data. You may also opt out of the processing of personal data for targeted advertising (we do not engage in targeted advertising). To exercise these rights, contact us at [email protected].

10.4 European Economic Area (EEA) Residents

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

Right to Restrict Processing: Request restriction of processing in certain circumstances
Right to Object: Object to processing based on legitimate interest
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
Right to Lodge a Complaint: File a complaint with your local data protection authority

10.5 Exercising Your Rights

To exercise any of these rights, email [email protected]. We will respond within 30 days (or 45 days for complex requests, with notice). We may need to verify your identity before processing your request.

11. International Data Transfers

Our services are hosted in the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States. By using our services, you consent to the transfer of your information to the United States. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required by applicable law.

12. Children's Privacy

Our services are not directed to individuals under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at [email protected].

13. Do Not Track Signals

Our website does not respond to Do Not Track (DNT) browser signals because we do not engage in cross-site tracking. We do not use advertising cookies or participate in ad networks.

14. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. Material changes will be communicated via email to active clients and by prominent notice on our website. The “Effective date” at the top of this page indicates when the policy was last revised. Your continued use of our services after updates constitutes acceptance of the revised policy.

15. Contact Us

For questions about this Privacy Policy, data protection inquiries, or to exercise your privacy rights:

Privacy Inquiries: [email protected]
General Inquiries: [email protected]
Mailing Address: Available upon written request to [email protected]