Private Options handles client information with the same rigor we apply to our security work. This policy summarizes how we protect data across research, advisory, and governance engagements.
Data Encryption & Security
Client data is protected in transit and at rest using strong encryption, access controls, monitoring, and periodic security review. We also apply data-minimization practices and restrict access to personnel with a legitimate business need.
Client Confidentiality
Confidentiality is foundational to every engagement. NDAs and internal handling controls apply to vulnerability data, assessment results, and any sensitive information shared with us or discovered during our work.
Responsible Research & Disclosure
Our research practices are designed to be lawful, ethical, and reviewable:
- Responsible Disclosure: We follow coordinated disclosure practices and work with affected parties before publishing findings.
- Ethical Boundaries: We do not conduct unauthorized testing or access systems without explicit permission.
- AI Governance: Any AI-assisted work is governed with clear accountability, transparency, and review requirements.
- Human Oversight: Material findings are reviewed by qualified human analysts before they are reported or published.
Data Handling for Security Engagements
When an engagement requires us to handle sensitive information, we follow a minimum-necessary approach:
- Data Collection: We collect only the information necessary to perform the agreed scope of work.
- Retention: We retain engagement data only for the period defined in the agreement or required by law.
- Destruction: When retention obligations end, data is securely destroyed using established sanitization practices.
- Access Controls: Access is limited to personnel directly supporting the engagement.
Third-Party Sharing
We do not sell or disclose client data or findings without explicit written consent, except where disclosure is legally required. When permitted, we will provide prompt notice of any legally required disclosure.
Questions about this policy? Contact us.