CycleCore PQ — Privacy Policy

Effective: February 21, 2026 | Last updated: February 21, 2026

1. What We Collect

Data	Purpose	Retention
Email address	Account identity, billing, service alerts	Until account deletion
Name (optional)	Personalization	Until account deletion
Password hash	Authentication (bcrypt, never stored in plaintext)	Until account deletion
API usage counts	Rate limiting, billing	Rolling 30-day window
IP address (demo only)	Demo rate limiting	In-memory only, cleared on restart
Payment identifier	Payment processing	Until account deletion

2. What We Do NOT Collect

Message content — processed in memory, never stored
Signatures or ciphertexts — returned to you, not retained
Cookies or tracking pixels — we use none
Third-party analytics — we use none

3. Cryptographic Keys

Your Dilithium3 and Kyber768 key pairs are generated server-side and stored in our database. Private keys are associated with your account and used only to process your API requests. We are working on client-side key generation and encrypted-at-rest storage.

4. Third-Party Services

We use a small number of third-party providers for payment processing, transactional email, and network infrastructure (TLS termination, DDoS protection). These providers receive only the minimum data necessary to perform their function. We do not sell, share, or transfer your data to anyone else.

5. Your Rights

Email [email protected] to:

Export your account data
Delete your account and all associated data
Correct inaccurate information

6. Security

We use bcrypt password hashing, constant-time comparisons, TLS in transit, and NIST-standardized cryptographic algorithms. API keys are hashed before storage.

7. Contact

[email protected]