Fractional CISO Privacy Policy

Last Revised: October 13, 2025

About This Document

Fractional CISO helps companies with their cybersecurity strategy and execution. We have offices in the Greater Boston Area and Toronto, Canada, and currently provide services to clients in the United States and Canada.

Fractional CISO is committed to protecting and respecting your privacy and complying with the principles of applicable data protection laws.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

This Privacy Policy informs you of important information about how Fractional CISO, LLC (“Fractional CISO,” “we,” or “our”) processes the personal data that we collect in online and offline formats through the Services.

“Personal data” means data that reasonably can be used to identify a living person, or that reasonably relates to a living person.

When we use the term “Services,” we mean to refer collectively to:

How we collect and use personal data

We collect and process personal data about a number of different individuals through the provision of the Services. These individuals include our individual clients and prospective clients, their representatives, visitors to our offices, visitors to our Sites, vendors, and other individuals.

Clients and prospective clients

The majority of our clients are corporate entities, and data about entities is not personal data. However, we process personal data of company employees and representatives, and other personal data that clients provide to us, or allow us to collect on their behalf, while providing the Client Services. This includes contact information and any other personal data that is relevant to or necessary for us to deliver the Client Services.

We also process personal data to assist in building relationships. This may include, but is not limited to, name, contact information, and job title.

We collect and use this information to provide the Client Services and for other legitimate business interests. For example, we use contact details to send communications and industry updates.

Our basis for processing personal data in connection with Client Services is:

Visitors to our Sites

Certain visitors interact with the Sites in ways that lead us to gather personal data. The amount and type of data that we gather depends on the nature of the interaction. For example, if you sign up to our mailing list we collect your name, contact details, job title and company name. Visitors can always refuse to supply personal data, with the caveat that it may prevent them from engaging in certain Site-related activities.

In addition, we collect information automatically as disclosed in our Cookie Notice, below.

The bases we rely on to process this information are:

Visitors to our offices

For visitors to our offices, we will take a record of name and contact information. This information is recorded for legitimate business purposes and for health and safety purposes, so that we know who is in the building in the event of an emergency.

The bases we rely on to process your personal data are:

Vendors and business partners

We process personal data of vendors and business partners, including name and contact details. For vendors, we do this so that we can liaise about the services the vendors are providing to us now and in the future. For business partners, we do this to support, grow, and maintain the relationship. For individual vendors and business partners, we also may hold financial information in order to pay invoices. Sometimes we receive this information from a third party who is recommending the service to us.

The basis we rely on to process this personal data is:

Other individuals

When we provide certain types of Client Services we may be provided with personal data from third parties about a number of individuals other than those described explicitly in this Privacy Policy.

The primary reason we process this personal data is to provide the Client Services, fulfill our professional duties, comply with law, and operate our business.

The bases we rely on to process your personal data are:

We retain personal data only as long as necessary for the purposes described or as required by law. We implement appropriate technical and organizational measures, including encryption and access controls, to protect personal data.

Additional uses of personal data

In addition to the uses described above, we may use your personal data for the following purposes. Some of these uses may, under certain circumstances, be based on your consent, may be necessary to fulfill our contractual commitments to you, or are necessary to serve our legitimate interests in the following business operations:

How we share and disclose personal data

We share personal data with the following categories of recipients.

Service Providers

We may disclose your personal data to third-party service providers to provide us with services such as website hosting, professional services, including information technology services and related infrastructure, customer service, email delivery, marketing activities, auditing and other similar services.

To Perform Client Services

We will also disclose personal data to the following categories of third parties: (1) anyone involved in the matter we are working on; (2) law enforcement, tax, and regulatory agencies and bodies; (3) insurers; and (4) service providers such as IT and telephony services, document production, and postal and delivery services.

We may disclose personal data to third parties in order to perform services you request or functions you initiate, such as when you post information and materials on message boards and forums. When you post information publicly.

We do not sell any personal data and have not sold any personal data in the past.

Corporate Transactions or Events

We may disclose your information to a third party in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital, including in connection with any bankruptcy or similar proceedings.

Other Legal Reasons

In addition, we may use or disclose your personal data as we deem necessary or appropriate: (1) under applicable law, including laws outside your country of residence; (2) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (3) to comply with subpoenas and other legal processes; (4) to pursue available remedies or limit damages we may sustain; (5) to protect our operations or those of any of our affiliates; (6) to protect the rights, privacy, safety or property of Fractional CISO, our affiliates, you and others; and (7) to enforce our terms and conditions.

3rd Party Information Disclosure

Outside of specific information listed above, Fractional CISO does not provide or sell personal information collected.

Request for Access and Erasure

You may submit requests for access or erasure of your personal information.

If you make a request related to personal data about you, you may be required to supply a valid means of identification as a security precaution.

Individuals who submit requests for access or erasure of personal information will be required to verify their identity by answering certain questions. We will not disclose or delete any information until identity is verified.

If you are making a request for access, we may not be able to provide specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your personal information, your account with us, or our systems or networks.

If you are making a request for erasure, we may ask you to confirm again that you would like us to delete your personal information before your request is submitted.

You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.

Agents who make requests on behalf of individuals may be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.

Email Marketing

We may periodically send you relevant alerts and newsletters by email. To help improve our marketing activities, we often receive confirmation when you open an email or click on a link included in one of these emails, if your computer supports such capabilities. Instructions on how to unsubscribe from these alerts and newsletters are included in each email.

Cookie Notice

We use cookies and related technologies (“Cookies”) to provide Services, gather information when users navigate through the Sites to enhance and personalize the experience, to understand usage patterns, and to improve our Sites, products, and Services.

You can review your Internet browser settings to exercise your options for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Sites.

This Cookie Policy explains how Fractional CISO uses cookies to recognize you when you visit our Website (www.fractionalciso.com). It explains what these technologies are and why we use them, as well as your rights to control our use of them.

What are cookies?

A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the site again, the cookie allows that site to recognize your browser. Cookies may store user preferences and other information. Cookies provide a convenience feature to save you time, or tell the web server that you have returned to a specific page.

Cookies set by the website owner are called “first party cookies”. Cookies set by parties other than the website owner are called “third party cookies”. Third party cookies enable third party features or functionality to be provided on or through the website (e.g., advertising, interactive content and analytics). The parties that set these third party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.

Why do we use cookies?

We use first party and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites to operate, and we refer to these as “essential” or “strictly necessary” cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our Website. This data is used to deliver customized content and promotions to clients and potential customers whose behavior indicates that they are interested in a particular subject area. Third parties serve cookies through our Website for analytics and other purposes. This is described in more detail below.

What types of cookies do we use and how do we use them?

The specific types of first and third party cookies served through our Websites, and the purposes they perform, are described below. These cookies include:

COPPA and Do Not Track

Our website is designed exclusively for corporate customers and does not collect, process, or store personal information from individuals under the age of 13, ensuring full compliance with the Children’s Online Privacy Protection Act (COPPA). We collect only the business-related information necessary to provide our services, such as company contact details and transaction data, which is handled in accordance with applicable data protection laws and used solely for legitimate business purposes.

We do not support “Do Not Track” (DNT) signals, as our services are tailored for corporate entities and do not involve consumer tracking for advertising purposes. If you have any questions about our data practices or wish to exercise your rights under applicable privacy laws, please contact us through the details provided in our full privacy policy.

Analytics

The services listed in this section enable Fractional CISO to monitor and analyze web traffic and can be used to keep track of user behavior.

Google Analytics (Google LLC)

Google Analytics is a web analysis service provided by Google LLC (“Google”). Google uses the data collected on our Sites to track and examine use of the Sites, to prepare reports on their activity and to share them with other Google services. Google may use the data collected to contextualize and personalize the ads of its own advertising network.

Personal Data collected: Cookies and usage data.

Place of processing: United States (Privacy Policy; Opt Out)

LinkedIn

The LinkedIn Insight Tag is a piece of JavaScript code that is added to a website to enable in-depth campaign reporting and unlock valuable insights about website visitors. The LinkedIn Insight tag is used to track conversions, retarget website visitors, and unlock additional insights about members interacting with LinkedIn ads.

Personal Data collected: Cookies and usage data.

Place of processing: United States (Privacy Policy; Opt Out)

Hubspot

HubSpot cookies are used to gain context for site visits. When a user lands on a page with the HubSpot tracking code, a cookie is added to their browser to remember which site pages were viewed. This information is associated with the user’s contact profile in HubSpot, if one exists.

Personal Data collected: Cookies and usage data.

Place of processing: United States (Privacy Policy; Opt Out)

Occasionally we provide links to other websites for your convenience and information. These sites operate independently from our Sites and are not under our control. These sites may have their own privacy notices or terms of use, which you should review if you visit any sites linked through our Sites. We are not responsible for the content or use of these unrelated sites.

Updates to this Privacy Policy

Fractional CISO may change its Privacy Policy from time to time, and at Fractional CISO’s sole discretion. Fractional CISO encourages visitors to check this page frequently for any changes to its Privacy Policy.

How to contact us

If you have any queries, questions or concerns about this Privacy Policy or our personal data handling practices, please contact us at [email protected].
