Privacy Policy

Your privacy and data protection are fundamental to our managed cyber deception platform

Last Updated: June 21, 2026 | Effective Date: June 21, 2026

1. Introduction

Welcome to PHANTAQSM (Protective Honeyed Adversarial Network Through Quantum Agent Simulation & Mapping). This Privacy Policy explains how we collect, use, process, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

PHANTAQSM is a managed SSH honeypot deception platform for EU government and regulated European enterprise, designed with EU data sovereignty and privacy by design at its core. We are committed to protecting your privacy while operating the service.

Key Principles: Data minimization, purpose limitation, storage limitation, accuracy, lawfulness, fairness, transparency, and accountability.

2. Data Controller

PHANTAQSM Technologies Europe B.V.

Registered Address:

Wilhelmina van Pruisenweg 104
2595 AN The Hague
Netherlands

Contact Information

Email: privacy@phantaqsm.eu

DPO: dpo@phantaqsm.eu

Phone: +31 70 123 4567

3. Data We Collect

3.1 Personal Information You Provide

  • Account Information: Name, email address, job title, organization
  • Contact Details: Phone number, business address, department
  • Security Credentials: Encrypted authentication tokens, access permissions
  • Professional Information: Industry sector, security clearance level (if applicable)
  • Communication Data: Support requests, feedback, meeting recordings

3.2 Technical and Usage Data

  • System Logs: Login timestamps, feature usage, deception and detection events
  • Network Data: IP addresses, device identifiers, browser information
  • Performance Metrics: Response times, error logs, system health indicators
  • Security Analytics: Threat detection patterns, behavioral analysis (anonymized)

3.3 Security & Evidence Data

  • Integrity Hashes: SHA-256/keccak256 evidence hashes
  • Attribution Intelligence: Threat actor patterns, attack methodologies
  • Tamper-Evident Records: integrity-checked audit trails, evidence chains
  • AI Agent Interactions: Deception layer analytics, adversary behavior modeling

5. How We Use Your Data

Primary Purposes

  • • Cyber deception service delivery
  • • Threat detection and attribution
  • • AI agent orchestration and management
  • • Tamper-evident evidence generation
  • • User authentication and access control
  • • System monitoring and optimization

Secondary Purposes

  • • Service improvement and development
  • • Security research and analytics
  • • Customer support and training
  • • Regulatory compliance reporting
  • • Product customization
  • • Marketing communications (with consent)

6. Data Sharing and Disclosure

6.1 EU-Only Data Sharing

We operate under EU data sovereignty principles. Personal data is only shared within the EU/EEA unless explicitly required by law or with your consent.

6.2 Authorized Recipients

EU Cloud Providers: AWS Europe, Google Cloud EU, Microsoft Azure EU

EU Security Partners: ENISA-approved threat intelligence feeds

EU Infrastructure: EU-based hosting and compute services

Legal Authorities: EU law enforcement, cybersecurity agencies

Auditors: EU-certified security auditors

Resellers: Authorized EU government contractors

We never sell personal data to third parties or share it with non-EU entities without explicit consent or legal obligation.

7. Data Storage and Security

EU Data Residency

  • • Primary: Netherlands (Amsterdam)
  • • Secondary: Germany (Frankfurt)
  • • Backup: Ireland (Dublin)
  • • All within EU/EEA jurisdiction

Security Controls

  • • AES-256 encryption at rest
  • • TLS 1.3 encryption in transit
  • • Zero-knowledge architecture
  • • Multi-factor authentication
  • • Regular security audits

8. Security & Integrity Measures

Encryption & Integrity

  • • AES-256 at rest, TLS 1.3 in transit
  • • Tamper-evident evidence (SHA-256/keccak256)
  • • EU-region data residency
  • • Crypto-agility on the roadmap (post-quantum a future goal)

Attribution & Evidence

  • • Tamper-evident evidence trails (SHA-256/keccak256)
  • • Behavioural threat analysis of decoy sessions
  • • Tamper-evident attribution records
  • • Integrity-verifiable session logs

We track post-quantum developments so the platform can adopt new cryptographic standards as they mature. This is a roadmap goal, not a shipped feature.

9. Data Retention

Data CategoryRetention PeriodLegal Basis
Account InformationDuration of service + 3 yearsContract & Legal Obligation
Security Logs7 yearsLegal Obligation (NIS2)
Threat Intelligence10 yearsLegitimate Interest
Tamper-Evident EvidencePer legal hold / retention policyLegal Obligation
Marketing DataUntil consent withdrawnConsent

10. Your Rights Under GDPR

Right of Access (Art. 15)

Request a copy of your personal data we process

Right to Rectification (Art. 16)

Correct inaccurate or incomplete data

Right to Erasure (Art. 17)

Request deletion of your personal data

Right to Restrict Processing (Art. 18)

Limit how we process your data

Right to Data Portability (Art. 20)

Receive your data in a structured format

Right to Object (Art. 21)

Object to processing based on legitimate interest

Right to Withdraw Consent

Withdraw consent for consent-based processing

Right to Lodge a Complaint

File a complaint with your local supervisory authority

To exercise any of these rights, contact us at privacy@phantaqsm.eu. We will respond within 30 days.

11. Cookies and Tracking

Essential Cookies

Required for platform functionality

  • • Authentication tokens
  • • Session management
  • • Security preferences

Analytics Cookies

With your consent

  • • Usage statistics
  • • Performance metrics
  • • Feature adoption

Marketing Cookies

With your explicit consent

  • • Personalized content
  • • Campaign tracking
  • • Interest profiling

12. International Data Transfers

EU Data Sovereignty

We maintain strict EU data residency. Personal data is processed exclusively within EU/EEA countries with adequate data protection laws.

Safeguards

  • • EU adequacy decisions
  • • Standard Contractual Clauses (SCCs)
  • • Binding Corporate Rules (BCRs)

Emergency Exceptions

Data may only be transferred outside EU/EEA in exceptional circumstances:

  • • Legal obligations
  • • Vital interests protection
  • • Explicit consent
  • • Public interest

13. Children's Privacy

PHANTAQSM is designed for professional cybersecurity use and is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16.

If you believe we have inadvertently collected data from a child under 16, please contact us immediately at privacy@phantaqsm.eu, and we will promptly delete such information.

14. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through:

  • • Email notification to registered users
  • • Prominent notice on our platform
  • • 30-day advance notice for significant changes

Current version: 1.0 | Last updated: June 21, 2026 | Next review: December 21, 2026

15. Contact Information

Data Protection Officer

Email: dpo@phantaqsm.eu

Phone: +31 70 123 4567

Response Time: Within 30 days

Privacy Inquiries

General: privacy@phantaqsm.eu

Security: security@phantaqsm.eu

Compliance: compliance@phantaqsm.eu

Supervisory Authority

If you're not satisfied with our response, you can contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl