Privacy Policy
Last updated: April 29, 2026
This Privacy Policy describes how RCX Digital Labs LLC (“Defend the Org,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Defend the Org website at defendtheorg.com and our related training platform and services (the “Service”). It is incorporated by reference into our Terms of Service.
1. Information We Collect
We collect information you provide to us, information generated as you use the Service, and limited information collected automatically.
- Account information. When you create an account we collect your name, email address, and password (passwords are stored only as salted hashes by our authentication provider, Supabase).
- Profile and onboarding information. During onboarding and from your profile, we collect information you choose to provide such as a display name, experience level, and career goals.
- Platform activity. As you use the Service we record the exercises, labs, tracks, and courses you start or complete; submissions you make (detection queries, incident response decisions, threat-hunting findings, code review notes, and reviews you write); and progress data such as XP, streaks, badges, completion timestamps, and leaderboard standings.
- Payment information. Subscriptions are processed by Stripe. Stripe collects your payment card and billing details directly; we do not receive or store full card numbers on our servers. We receive a customer identifier, the plan you purchased, and subscription status from Stripe.
- Cookies, device, and usage data. We use cookies and similar technologies to keep you signed in and to operate the site. We use Vercel Analytics to collect aggregated usage information such as IP address, browser and device type, referring URLs, and pages viewed, which helps us understand how the Service is used and improve it.
2. How We Use Your Information
We use the information described above to:
- Provide, operate, and maintain the Service, including authenticating you and saving your progress.
- Personalize your experience, recommend relevant content, and display your standing on leaderboards and profiles.
- Process subscriptions, billing, refunds, and account management through Stripe.
- Send you transactional and product emails (for example, account, billing, password reset, and material product updates) via our email provider, Resend.
- Improve the Service, including reviewing aggregate exercise submissions to improve content quality, scenario realism, and detection signal.
- Detect, investigate, and prevent fraud, abuse, security incidents, or violations of our Terms of Service.
- Comply with legal obligations and enforce our agreements.
3. How We Share Your Information
We do not sell your personal information. We share information only in the limited circumstances described below.
- Service providers. We share information with vendors who process data on our behalf to operate the Service: Supabase (authentication and database hosting), Stripe (payments and subscription billing), Resend (transactional and product email), and Vercel (web hosting and analytics). These providers are contractually limited to using the data for the services they provide to us.
- Other users (pseudonymous). Your display name, XP, streak, badges, and leaderboard rank may be visible to other authenticated users of the Service. We do not display your email address, real name (unless you choose to use it as your display name), or payment information to other users.
- Legal and safety. We may disclose information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Defend the Org, our users, or others.
- Business transfers. If RCX Digital Labs LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to a successor's obligation to honor the protections in this Privacy Policy.
4. Data Retention
We retain your account information and platform activity for as long as your account is active. If you delete your account, we delete or de-identify your personal information within a reasonable period, except where we are required to retain limited records for legal, tax, accounting, fraud-prevention, or audit purposes. Stripe retains payment records on its own systems in accordance with its terms and applicable law.
5. Security
We use reasonable technical and organizational measures to protect your information, including encryption in transit (TLS) and encryption at rest provided by our infrastructure partners, scoped database access controls, and access logging. No service is perfectly secure, and we cannot guarantee absolute security. If you believe your account has been compromised, contact us promptly at the address below.
6. Your Rights and Choices
You can review and update most account information directly from your account settings. Depending on where you live (for example, the European Economic Area, the United Kingdom, or California), you may have the right to request access to, correction of, or deletion of your personal information; to object to or restrict certain processing; to data portability; and, where applicable, to withdraw consent. To exercise any of these rights, email us at the contact address below. We will respond within the timeframe required by applicable law and may need to verify your identity before fulfilling the request.
We do not sell personal information and do not engage in cross-context behavioral advertising.
7. International Users
Defend the Org is operated from the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for these transfers.
8. Children's Privacy
The Service is intended for users 16 and older and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at the address below and we will delete it.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at the address associated with your account and update the "Last updated" date above. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
10. Contact
For questions, requests, or concerns about this Privacy Policy or your information, contact us at:
RCX Digital Labs LLC
Email: ryan@rcxdigitallabs.com