Cymorg Privacy policy Last Updated: February 2024

Cymorg Incorporated, 7536 Kessel St, Forest Hills, New York, 11375, USA

Please ensure you read the privacy notice in full.

Cymorg (“Cymorg”, “we”, “us”, or “our”) provides gamified business simulations, on a platform (“Cymorg Platform”), for learning and development purposes, for a specific business or an employer (and thereby, for individuals that play the simulation games, at the request of the business/employer).

This Cymorg Platform is different from our static website (“Cymorg Website”), which is, that is open to public and provides information about our company and services we offer.

Cymorg cares about the security and privacy of any personal data that is entrusted to us.

Please note, any data obtained in the “Cymorg Platform” is pseudonymized and no personal data/information is used for any automated decision making or profiling by Cymorg. The system employs non-sensitive personally identifiable information (PII), exclusively encompassing usernames, such as employee numbers, student roll numbers, or comparable identifiers.

We collect certain personal data only on our “Cymorg Website,” provided by you, with your consent.

This privacy notice sets out how Cymorg collects and uses information about you when you use our products and services (“services”) through the ‘Cymorg Platform” and when you visit our static website “Cymorg Website” i.e. This notice explains the choices that you can make about the way that we use your information.

Your privacy protection is important to us. This is why we have adopted the following pivotal legislation: EU’s General Data Protection Regulation 2016/679 (“GDPR”), UK General Data Protection Regulation (“UK GDPR”) and the California Consumer Privacy Act 2018 (“CCPA”). This privacy notice relates to all personal data we process and addresses the legislation mentioned.

For all data privacy matters, please contact our Data Protection Officer (DPO), at

Cymorg’s Privacy Policy applies to all visitors to the Cymorg website ( and to anyone who uses Cymorg’s products or services through the Cymorg Platform (“you” and “your”). This Privacy Policy applies to Cymorg’s collection, use, storage, processing, transmission, and transfer of your information, as well as creation of information pertaining to you, whether online or offline. Cymorg may update, revise, modify or amend this Privacy Policy at any time. You should check this page periodically for updates, revisions, modifications, or amendments. The last change to this Privacy Policy was on the date that appears on the top of this Privacy Policy.

Here are some definitions.

In this policy, we use definitions from the GDPR unless otherwise stated.

GDPR’ means either or both EU GDPR and UK GDPR. We will use this when there is little or no difference in the wording of the relevant law for the context.

Personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified, directly or indirectly from that information alone or in conjunction with other information ‘in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Financial Information” means Personal Information of a financial nature, such as your credit card number.

Other Business Parties” means parties other than you that contract with Cymorg either to provide products and services to Cymorg in connection with products or services that Cymorg provides to you or that engage Cymorg to assist in its provision of products or services to you (e.g., your business or your employer). Other Business Parties may include your fellow students or employees.

Personal Information” means information about you that Cymorg collects about you that may be used, alone or in combination with other information, to identify you as a specific individual.

Unrelated Parties” means persons or entities other than you, Cymorg, or Other Business Parties.

Why we collect your personal data.

So that we can help you, we need your data and here we tie in our legal reasons for needing to collect your data.

Our legal bases for controlling or processing personal data, when you access our static Cymorg website – are:

  • Article 6.1(a) GDPR (Consent): You provide informed consent to us or have a reasonable expectation that we will use your information in a certain way – for example, to engage in our community discussions, or to hear about new services or offers. You can withdraw your consent at any time by request to
  • Article 6.1(c) GDPR (Legal Obligation): The necessity to meet compliance with our legal obligations; and/or
  • Article 6.1(f) GDPR (Legitimate Interest): Where it is in our legitimate interests to do so. We only rely on ‘legitimate interests’ as the legal basis for processing by us, or third parties we use, for these purposes:

Where we rely on a specific basis for processing your information and you wish to object to that processing, you must be aware that it might not be possible for you to continue using our services.

How we collect personal data.

Here we give you examples of ways that you interact with us and the resulting data we may collect!

Cymorg collects information from you whenever you visit or use the static website (, some of which you provide voluntarily and some of which is collected automatically. In addition, Cymorg may receive information about you from Other Business Parties.

This can be information that you provide through our website, over the phone, through email, including when you:

  • request support.
  • request information or materials.
  • when you interact with our services.
  • participate in surveys or evaluations.
  • participate in promotions, contests, or giveaways.
  • apply for employment.
  • submit questions or comments; or
  • submit content or posts on our forums or other interactive webpages.
  • when you fill in a form or otherwise submit your personal information.

For a complete register of process information, please contact

Any data obtained in the Cymorg Platform is pseudonymized and no personal data/information is used for any automated decision making or profiling by Cymorg. We ensure that the information we collect and use is confined to this purpose. We are committed to transparency in this.

How we use personal data.

Here we let you know how we use your personal data to provide and maintain our services. We may need to pass your personal data on to third-party service providers contracted to Cymorg in the course of providing you services. We do this because there are services, such as our chat features, which will not work unless we are able to make these transfers. Any third parties we share your data with are obliged to keep your personal data secure and use it only for necessary service delivery.

The Cymorg website ( ) may use your information for the following purposes:

  • Providing and maintaining our website, as well as monitoring the usage of our website.
  • For data analysis to identify usage trends and to evaluate and improve our Service, products, services, and marketing efforts.
  • Managing your account. Your Personal Data can enable access to multiple functions of our Service that are available to registered users.
  • Respond to your inquiries and provide you customer support and to foster communication and collaboration among you, Cymorg and Other Business Parties.
  • Analyze how Cymorg’s website, products and services are being accessed and used to improve Cymorg’s website performance and delivery and to improve Cymorg’s products and services, including training and quality assurance.
  • To prevent misuse of Cymorg’s websites and apps by you or others.
  • To contact you. Cymorg will contact you by email, phone, SMS, or another form of electronic communication related to the functions, products, services, or security updates when necessary or reasonable.
  • To update you with news, general information, exclusive offers, new services, and events.
  • Testimonials and customer feedback collection. If you share a testimonial or review about your experience using our Service, it will be shared or otherwise used on the website.
  • Dispute resolution and site protection. Your information will be used in the instance of a legal dispute to resolve issues related to our website.
  • Enforce Cymorg’s Terms of Use and Terms and Conditions as may be required or permitted by legal, regulatory, industry self-regulatory, insurance, audit, or security requirements applicable to you, Cymorg or any Other Business Party

If you are using the Cymorg Platform in your capacity as a student of an Other Business Party that is subject to the U.S. federal Family Educational Rights and Privacy Act (FERPA) (“Covered Educational Institution”), to the extent that your Personal Information is an “education record” under FERPA, it will be subject to FERPA. If you want to assert your rights under FERPA, you should contact your Covered Educational Institution.

Cymorg will share the information you provide while using our Cymorg website, only with your explicit consent. Your information may be shared to a third-party for reasons including:

  • Analytics information. Your information might be shared with online analytics tools to track and analyze website traffic.
  • Improving our Service. Your information might be shared with third-party service providers to improve our Service and/or interactions with providers.
  • Marketing initiatives. Your information will be used for generating and sending newsletters, email marketing efforts, advertisements, and more.
  • Corporate transactions. Any other entity which buys us, or part of our business, will have the right to continue to use your Personal Data, but subject to the terms of this Privacy Policy.
  • Compliance and harm prevention: (i) to comply with applicable law; (ii) to enforce our contractual rights; (iii) to protect the Services, rights, privacy, safety, and property of Cymorg, you, or others; and (iv) to respond to legal requests which may include authorities outside your country.

Any third party we share your information with must disclose the purpose for which they intend to use your information. They must retain your information only for the duration disclosed when requesting or receiving said information. The third-party service provider must not further collect, sell, or use your personal information except as necessary to perform the specified purpose.

We seek to enter into Data Processing Agreements with our third-party service providers to ensure they only process your data as instructed by us. If you obtain products or services directly from us on behalf of others, we will ensure those third-party service providers have a Data Processing Agreement (DPA) with us.

If you choose to provide such information during registration or otherwise, you are giving Cymorg permission to use, share, and store that information in a manner consistent with this Privacy Policy.

Your information may be disclosed for additional legal reasons, including:

  • Complying with applicable laws, regulations, or court orders.
  • Responding to claims that your use of our Service violates third-party rights.
  • Enforcing agreements, you make with us, including this Privacy Policy.

How we store personal data.

Here we outline our processes for data storage in the Cymorg Platform, how we will protect your data and keep it only for as long as needed!

We will process (collect, store and use) the information you provide in a manner compatible with GDPR. We maintain physical, organizational, and technical safeguards for all personal data we hold. We will endeavor to keep your information accurate and up to date, and not keep it for longer than is necessary. We are required to retain certain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept are governed by specific business sector requirements and agreed practices. Personal data can be held in addition to these periods depending on individual business needs.

We will process different forms of personal data for as long as it is necessary and proportionate for the purpose for which it has been supplied and we will store the personal data for the shortest amount of time possible, considering legal and service requirements.

All data is stored on servers that are in the Mumbai region in India. Cymorg products are web application platforms, therefore all the data is separated logically, rather than physically. Retained data can be anonymized upon client’s request. At the 7-year mark, data will be either deleted or archived. All stored passwords

Authorization of data is done via SSL protocol with validated private keys and secrets. Data is accessed by authorized personnel only: Cymorg Employees and Third-Party certified secure AWS contractors have all signed Privacy and Non-Disclosure Agreements.

The system employs non-sensitive personally identifiable information (PII), exclusively encompassing usernames, such as employee numbers, student roll numbers, or comparable identifiers. This data serves the purpose of user identification during both the login process and within the application. Upon request, the information can be anonymized through randomly generated placeholders. Users are granted access solely to their individual personal information and the associated simulation and report data. The security measures in place adhere to pertinent data protection and privacy regulations.

In accordance with the General Data Protection Regulation (GDPR), our user management process allows users to request anonymization by uploading a CSV file containing the list of individuals to be anonymized. Upon submission, the application commences the anonymization process for each user. The anonymization is executed asynchronously, entailing the removal of information across various data sources, The application provides confirmation of the initiation of the process upon submission, with the actual anonymization occurring in the background. It is important to note that the user interface does not offer real-time reports or results. Once the anonymization process concludes, user will be deactivated, usernames will no longer be visible on any pages within the application, and user avatars will be replaced with a designated deleted icon. Additionally, in-progress game sessions associated with the user will be made ‘stale,’ game names will be anonymized, and the user will be removed from all groups if previously part of any. The anonymization process substitutes usernames and game names with GUIDs prefixed with "DEL-" (e.g., DEL-9c0c7ad9-0925-4d73-87d5-b20aaddc15d1), ensuring compliance with GDPR guidelines.

All stored personal information is used only for the purpose of the client/user. Cymorg does not sell, rent, or lease any personal information.

Amazon Web Services (AWS) Cloud

As mentioned, all production servers and data are hosted in Amazon Web Services (AWS) Cloud. The IT infrastructure that AWS provides is in alignment with security best practices and IT security standards, including: SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018, ITAR, FIPS 140-2, MTCS Level 3

As well as several industry-specific standards, including:

  • Criminal Justice Information Services (CJIS)
  • Cloud Security Alliance (CSA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)

AWS Physical Security

All physical access to AWS facilities is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors are required to present identification and are signed in and continually escorted by authorized staff.

All physical access to data centers by AWS employees is logged and audited routinely.


We love to share, but you can opt out and we will not sell your information!

We have no interest in collecting any data beyond that needed to ensure our services work for you. If you are going to be contacted by us for marketing purposes, we will not rely solely on this privacy notice. We will endeavor to seek your consent appropriately. Cymorg does not sell data and has no intentions of doing so in the future.

All marketing activities must comply with our Privacy & Marketing Policy, its related procedure, and all applicable laws at all times.

Children and Personal Data.

You can help us to keep children safe!

At Cymorg we understand the importance of protecting the personal data of children under the age of sixteen. It is not our intention to collect personal data from a child. If you believe that a child has disclosed personal data or that we hold personal information about a child, please email us at

Data protection rights.

Here, we outline your GDPR rights for the data you share with us.

At any point while we are in possession of or we process your personal data, you have the following rights:

  • (GDPR) right of access – you have the right to request a copy of the information that we hold about you.
  • (GDPR) right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • (GDPR) right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • (GDPR) right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • (GDPR) right of portability – you have the right to have the data we hold about you transferred to another organization.
  • (GDPR) right to object – you have the right to object to certain types of processing such as direct marketing.
  • (GDPR) right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
  • (GDPR) right to judicial review: in the event that we refuse your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.

To exercise your data protection rights please contact our DPO at

We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your Personal Data. If you feel that you have not received a satisfactory response from us, you may have the right under applicable laws to consult with the data protection authority in your country.

For your protection, we may need to verify your identity with the organization that requested your access, before responding to your request. If we no longer need to process Personal Data about you to provide our Services or our Sites, we will not maintain, acquire, or process additional information to identify you for the purpose of responding to your request.


We may use cookies to help deliver a better experience on our static website ( only.

Cookies are defined as ‘small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.’

You can find out all about cookies, how to manage them and delete them, and how to manage your browser settings, at the UK ICO and

You can change or withdraw your consent to the cookies we use at any time by contacting the Privacy Team at

Please note that if you manage your consent or your browser and third-party settings to block cookies, some or all the Website and Services may not have full functionality and your user experience may be impacted.

If we provide social media links or interactions on our website, such as like or share buttons, and you interact with them, the social media organization may drop cookies and they will be covered by the Privacy Policy of that organization. We typically do not receive any personal data collected because of such interaction, although we may receive aggregated reports.

  • Strictly necessary cookies. Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.
  • Performance cookies. Performance cookies are used to see how visitors use the website, e.g., analytics cookies. Those cookies cannot be used to directly identify a certain visitor.
  • Targeting cookies. Targeting cookies are used to identify visitors between different websites, e.g., content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.
  • Functional cookies. Functionality cookies are used to remember visitor information on the website, e.g., language, time zone, enhanced content.

If you wish to withdraw consent you can contact the Privacy Team at


Your information’s security is important to us.

Cymorg utilizes a range of security measures to prevent the misuse, loss, or alteration of the information you have given us. However, because no security can ever be 100% guaranteed, Cymorg cannot guarantee you against the loss, misuse, or alteration of your Personal Information and you must access our service at your own risk.

Cymorg is additionally strongly committed to the security and privacy of the personal data that is entrusted to us. Data at rest and in transit is encrypted using Advanced AES 256 Encryption. User data is only used for the necessary purposes of the simulations.

Cymorg does not sell, rent, or lease any Personal Information. All production servers and data are hosted in Amazon Web Services (AWS) Cloud within the Mumbai region in India.

Cymorg is not responsible for the performance of websites operated by third parties or your interactions with them. When you leave this website, we recommend you review the privacy practices of other websites you interact with and determine the adequacy of those practices.

Our servers are being continuously monitored for uptime with immediate escalation to the authorized system administrators for any downtime. If a security incident is suspected to have resulted in a breach of personal information, notification of the affected entities will occur within 48 hours of the breach. Upon discovering a possible security breach, system administrators focus on investigating and containing the breach as well as addressing appropriate gaps to prevent the incident from reoccurring. Client will be continuously updated on the status of the investigation, containment, and follow-up actions.

When developing any software through our agile methodology, the project is divided into iterations. Our secure design standards are applied to each iteration, which will be implemented as part of the product requirements.

Our secure design strategy focuses on three principal areas for every iteration. Confidentiality - data is protected from unauthorized individuals/systems. Integrity - data remains complete and uncorrupted. Availability - data is accessible only by authorized users without interference. Additionally, we incorporate server-side session checks prior to allowing access to software updates to verify the authenticity of the user. Finally, we also verify security guards that are in place combined with automated testing and version control prior to any release.

Cymorg’s website may contain links to other websites. Some of them may collect your Personal Information and may apply their own policies on how your Personal Information is used. Please read all applicable policies of all websites you visit. Cymorg is not responsible for the privacy practices of anyone else’s website(s).

International Data Transfer.

Cymorg Platform products and offerings may connect you to the world.

Your data may be stored and processed in any country where we do business, or our service providers do business. We may transfer your data to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data across borders, we take measure to comply with applicable data protections law related to such transfer. Officials (such as law enforcement or security authorities in those countries may be entitled to access your data.

We comply with laws on the transfer of data between countries to help ensure your data is protected, wherever it may be.

Cymorg’s international transfer of personal data collected in the European Economic Area, the United Kingdom, and Switzerland is governed by Standard Contractual Clauses.

Updates to our Privacy Policy.

We are transparent about any updates made to this Policy.

Cymorg updates our privacy notice when necessary or in response to:

  • Feedback from our community, customers, relevant authority, industry, or other stakeholders.
  • Changes in our products or services; and/or
  • Data processing or policy changes.

The “last updated” date at the top of this privacy notice reflects when the most recent changes were made. We encourage you to periodically review this privacy notice for any amendments.

You can help keep data safe.

Responsible data handling is an important part of security!

Keeping your data secure also depends on you ensuring that your account’s security is maintained by using sufficiently complicated passwords and storing them safely with the addition of antivirus software and firewalls. You should ensure that you have sufficient security on your own systems, to keep any data you download or store on your own computer safe from unauthorized view.

How to contact us.

We love feedback, reach out to us!

If you have any questions about our privacy policy, please contact us by email at