What we collect, what we don't, and what the deployment-side posture means for your agency.
The main-site privacy policy is the canonical statement for all visitors to cybriq.io. This page restates the posture in the way a federal or SLED privacy reviewer reads it, with the specific items that come up in PIA reviews, FOIA correspondence, and government-counsel evaluations.
A. When you visit this sub-site
What we collect
- Aggregate page-view counts. A small first-party tracker records that a page was viewed, the path of the page, a hashed visitor identifier, and the timestamp.
- Hashed IP address. The visitor's IP is SHA-256 hashed with a salt before storage. The raw IP is never written to disk.
- Browser-supplied metadata. User-Agent string for browser/OS QA prioritization. No fingerprinting.
- Form-field events. On pages with forms (currently the contact page), the tracker records which field gained focus and whether submission occurred. The contents of fields are not captured.
What we do not collect
- No raw IP addresses are stored.
- No personally identifiable information (PII) of any kind is collected from this sub-site. The only way the site learns your identity is if you choose to email contact_us@cybriq.io or fill out a form.
- No Privacy Act records under 5 U.S.C. § 552a are created or maintained by this site. CybrIQ is a private vendor and does not operate a Privacy Act system of records.
- No third-party advertising trackers, no marketing-automation pixels, no remarketing scripts, no cross-site identity vendors.
- No PII is sold, shared, or transferred to data brokers under any circumstance.
What we use cookies for
The site sets three first-party cookies (cybriq-sid session ID, cybriq-vid visitor ID, cybriq-fvd first-visit date) used exclusively for the analytics described above. No third-party cookies. No advertising cookies. Visitors can clear cookies at any time; the site continues to function without them, with analytics simply not grouping visits into sessions.
Retention
Aggregate analytics records are retained in data.log on CybrIQ-controlled infrastructure. Records are not exported to third parties. The retention window for aggregate analytics is determined by file rotation (currently at 50 MB, approximately a multi-year horizon for this site's traffic); rotated logs are not used for marketing or shared externally.
B. When you email or fill the contact form
The contact form on this site emails directly to contact_us@cybriq.io. No data is stored on the website; the email goes into the CybrIQ inbound mail system. Email contents are retained for ordinary business-record purposes and are not enrolled in newsletters, marketing automation, or remarketing campaigns.
If you'd prefer to reach out without form-tracking, email directly. The address is the same.
C. When your agency deploys CybrIQ
This sub-site is a marketing site; the deployment posture below applies to CybrIQ products themselves (RoomIQ and SpacesIQ) inside an agency network. Federal and SLED privacy reviewers usually need this section more than the marketing-site section above.
What the deployed product collects
- Switch-side signal sets. Link negotiation pattern, MAC OUI, LLDP/CDP advertisements, port statistics, VLAN context. Read from managed switches via read-only switch access over SNMP.
- Device identifications. The Layer-1 fingerprint (Device DNA™) for each detected device, the agency's switch and port location, vendor identification, and model class.
- Audit-trail records. Per-device add/remove/identification events, signed with a SHA-256 hash at the control plane.
What the deployed product does not collect
- No traffic capture. No SPAN, no mirror, no inline tap. Packet contents are never inspected, copied, or stored.
- No PII from device users. CybrIQ does not associate devices with the humans using them. NAC integration is the path for identity-based access policy; CybrIQ feeds device-identification data and the NAC owns identity correlation.
- No PHI (HIPAA). CybrIQ does not handle protected health information. The deployment is upstream of any clinical or PHI-handling system.
- No CJI (FBI Criminal Justice Information). CybrIQ does not access criminal justice information.
- No FERPA-protected records. For K-12 deployments, CybrIQ does not collect student records, content, or behavior data. Device discovery is at the network layer, not the application layer.
- No vendor backhaul. Customer data does not leave the agency-controlled deployment. CybrIQ does not have inbound access to agency CybrIQ deployments; signed reference-library updates are the only artifacts that move between vendor and agency, and they move from vendor to agency, not the reverse.
Privacy Impact Assessment (PIA) considerations
For agencies preparing a PIA on a CybrIQ deployment, the typical findings are: (a) the system processes device identifiers (MAC, switch port, VLAN, vendor-and-model identification), which are not Privacy Act records and do not reach the threshold of personally identifiable information; (b) the system does not process individual-user data; (c) the system does not interact with any system of records under 5 U.S.C. § 552a. The CybrIQ briefing call can walk through a PIA-template draft against the deployment specifics; the most common path is a determination that no full PIA is required because no PII is processed.
D. FOIA-style questions
CybrIQ is a private vendor; FOIA requests are directed to the federal agency operating the deployment, not to CybrIQ. The agency's records of its CybrIQ deployment are subject to the agency's records-management policy. CybrIQ supports the agency's response with technical-architecture documentation, deployment records, and configuration evidence on request.
For records held by CybrIQ itself (sales correspondence, contracts, support communications), CybrIQ responds to legal-process requests directly. Subpoenas, court orders, and government legal-process requests are handled by CybrIQ legal counsel at legal@cybriq.io.
E. Reporting a privacy concern
If you find a privacy concern with this sub-site or the CybrIQ product line, email privacy@cybriq.io. Security-disclosure-class issues should follow the RFC 9116 security.txt process at cybriq.io/security/disclosure.
F. Canonical statement and links
The canonical privacy policy is at cybriq.io/privacy. This page restates the posture in government-evaluator framing; the two are designed to be consistent. If anything appears inconsistent, the main-site policy is the canonical statement and this page should be reconciled to it; please email privacy@cybriq.io if you spot a divergence.
Last updated: 2026-05-11. CybrIQ reserves the right to update this statement; material changes will be reflected in a revised "Last updated" date.
