OutSpace — Privacy Policy

Last updated: April 2026

Who We Are

OutSpace ("we," "our," "us") is a personal cybersecurity awareness and education service operated at outspacecybers.com. This policy explains what data we collect, how we use it, how we protect it, and your rights regarding your information.

What We Collect

We collect only what is necessary to provide our services. Here is exactly what we store and what we do not.

What we store:

• Your email address (encrypted with AES-256 and hashed with SHA-256 for secure lookup)

• Your subscription tier

• Breach scan results (breach names and dates only — this is publicly available information)

• Your risk score (a number, no personal details)

• Security checklist progress (which items you completed)

• Alert history (titles and timestamps, no sensitive content)

• Account creation date and last active date

• Video recordings from completed coaching sessions (Zoom)

What we NEVER store:

• Your passwords — not even temporarily, not even encrypted

• Uploaded images — permanently deleted immediately after every scan, deletion is verified

• Your payment information — handled entirely by Squarespace payment processor

• Your IP address

• Your browsing history

• Your email inbox or messages

• Cookies for tracking or advertising purposes

How We Use Your Data

Your data is used only to:

• Monitor your email addresses for data breaches

• Calculate and track your security risk score

• Generate security alerts and monthly reports

• Display your dashboard and checklist progress

• Improve the accuracy of our tools

We do not use your data for advertising, marketing to third parties, profiling, or any purpose other than providing your cybersecurity dashboard and services.

How We Protect Your Data

Encryption at rest:

Your email addresses are encrypted using AES-256 (Fernet symmetric encryption) before being stored in our database. Even if our database were compromised, your emails cannot be read without the encryption key.

Hashing for lookup:

We use SHA-256 one-way hashing to look up your account. This hash cannot be reversed back to your email address.

Image handling:

Any image you upload for deepfake scanning or face exposure scanning is processed in memory, analyzed, and permanently deleted from our servers immediately after. Deletion is programmatically verified and logged. We do not cache, back up, or retain uploaded images under any circumstances.

Password checking:

Our password breach checker uses k-Anonymity. Your password is hashed on your device. Only the first 5 characters of that hash are sent to check against breach databases. Your full password never leaves your device and is never transmitted to our servers.

Auto-purge:

Breach records are automatically deleted after 90 days. Inactive accounts with no activity for 6 months are automatically deleted. Temporary upload files are swept hourly as a safety measure. All purge activity is logged with timestamps.

Third-Party Services

We use the following third-party services to operate:

• HaveIBeenPwned (HIBP) — for breach data lookups. Your email is sent securely to their API over HTTPS. See their privacy policy at haveibeenpwned.com/Privacy

• Reverse image search providers — for face exposure scanning. Your image is sent for analysis and not retained by us after results are returned

• Payment processor (via Squarespace) — handles all billing and payment information. We never see or store your credit card number, billing address, or financial details

• Zoom — for coaching sessions. Subject to Zoom's privacy policy

We do not sell, rent, trade, or share your personal data with any third party for marketing or advertising purposes.

Coaching Sessions

During coaching sessions we may discuss your accounts, security concerns, and personal situation.We do record sessions for liability. We do not access your accounts or devices. Notes or action plans created during sessions are shared only with you.

Coaching sessions conducted over Zoom will be recorded for quality assurance and liability purposes. You will be notified at the beginning of each session that recording is in progress and asked to confirm at time of booking. Recordings are stored by Zoom in accordance with their privacy policy and retained for up to 12 months before being deleted. Recordings are not shared with any third party.

Cookies

Our dashboard does not use tracking cookies, advertising cookies, or analytics cookies. We may use essential cookies required for the website to function (such as session management through Squarespace). We do not track you across websites.

Your Rights

You have the right to:

• Access — View exactly what data we have on you from the Data and Privacy page in your dashboard

• Delete — Remove all your data permanently with one click at any time. This action is immediate and irreversible. It deletes your account, encrypted emails, breach records, scores, checklist progress, alerts, and all associated data along. Data deletion does not equate to cancelled subscription. You must cancel your subscription on outspacecybers.com to not receive further charges.

• Portability — Request a copy of your data by contacting us

• Correction — Contact us to correct any inaccurate information

• Withdraw consent — Stop using our services at any time. Cancel your subscription and delete your data

If you are located in the European Union, you are entitled to these rights under the General Data Protection Regulation (GDPR). If you are a California resident, you are entitled to these rights under the California Consumer Privacy Act (CCPA).

We respond to all data requests within 30 days.

Children

Our services are not intended for anyone under the age of 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal information, contact us and we will delete it immediately.

Data Breach Notification

In the unlikely event that our own systems are breached, we will:

• Notify affected users within 72 hours

• Disclose what data was involved

• Explain what steps we are taking

• Provide guidance on what you should do

Because we store minimal data and encrypt everything personal, the impact of any potential breach is significantly reduced by design.

Data Retention

| Data Type          | Retention Period                          

------------------------------------------------------------

Encrypted email    | Until you delete your account information or unsubscribe           

Breach records     | 90 days, then auto-deleted                

Risk scores        | Until you delete your account information or unsubscribe                 

Checklist progress | Until you delete your account information or unsubscribe       

Alerts             | Until you delete your account information or unsubscribe          

Uploaded images    | Deleted immediately after scan            

Inactive accounts  | 6 months of no activity, then auto-deleted

Where Your Data Lives

Your data is stored on secured servers. All data is encrypted at rest and all connections to our servers use HTTPS encryption in transit.

Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the date at the top of this page. Continued use of our services after changes constitutes acceptance of the updated policy. For significant changes, we will notify you through email or notifications.

Contact Us

If you have any questions about this privacy policy or your data, contact us through the form on our website or at the email address provided on outspacecyber@gmail.com.

‍ ‍