Privacy Policy
Last Updated: May 2, 2026
1. Introduction
Riverbend Advisory, LLC ("Riverbend Advisory," "we," "us," or "our") operates Cyber Service Search (the "Platform") as part of the State Civilian Cyber Corps Initiative ("SC3I"), a fiscally sponsored project of the Center for Critical Infrastructure Security, Inc. ("CCIS"), a Maryland 501(c)(3) nonprofit organization. The Platform is an online directory that connects organizations, like nonprofits, small municipalities, tribal governments, and small businesses ("Buyer Organizations"), with IT managed service providers (MSPs), managed security service providers (MSSPs), and security consultants ("Providers") that want to serve those organizations.
This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you visit www.cyberservicesearch.org, use the Platform, or otherwise interact with us.
The Platform is intended for business use by organizations and their authorized representatives within the United States. We do not target or knowingly collect personal data from consumers acting in an individual capacity, nor do we target individuals under the age of eighteen (18) or users outside the United States.
2. Personal Data We Collect
We collect the following categories of information depending on how you interact with the Platform:
2.1 Personal Data You Provide
Identifiers: When you verify your email to access the provider directory, we collect your email address. When a Provider submits a listing request, we collect the contact person's name, email address, and phone number.
Provider representative contact: We collect contact information from provider contacts, such as name, business email, and business phone number.
Communications: If you contact us via email or through the Platform, we collect the content of those communications to respond to your inquiries.
We do not collect sensitive personal data.
2.2 Personal Collected Automatically
Internet or network activity: When you browse the Platform, we collect a limited set of technical and usage information through Plausible Analytics, a privacy-friendly analytics service. This includes approximate geolocation (city/region-level location) derived from your IP address but not stored in raw, identifying form, browser type and version, device type, pages viewed, referring URLs, and approximate session duration. Plausible does not use cookies, does not assign you a persistent visitor ID, and does not track you across other websites. We also log search queries entered on the Platform to improve search quality.
While you are signed in to the directory, your authentication session is stored in your browser's sessionStorage (not a cookie). sessionStorage is cleared automatically when you close your browser, so closing the browser signs you out.
3. How We Use Your Personal Data
We use collected information for the following purposes:
Operating the Platform: including, verifying user access via email OTP, displaying provider listings, delivering AI-powered search results, processing and reviewing provider submissions, and maintaining platform security.
Improving the Platform: including, analyzing usage patterns, optimizing search results and matching, debugging technical issues, and understanding which services are most relevant to users.
Communications: Responding to inquiries, sending service-related notices (such as provider listing approval notifications), and occasional updates about the Platform. You may opt out of non-essential communications at any time.
Security and integrity: Detecting and preventing scraping, fraud, unauthorized access, and other misuse of the Platform.
Legal compliance: Complying with applicable laws and responding to lawful requests from government authorities.
4. Disclosures of Personal Data
We do not sell your personal data, and we do not share your information for cross-context behavioral advertising.
We disclose limited information to our service providers:
| Service Provider | Information Shared | Purpose |
|---|---|---|
| Supabase (database and authentication) | Contact information | Storage and authentication |
| Netlify (hosting) | Internet or network activity | Hosting and monitoring |
| Google (communications; AI search) | communications | AI search queries and results |
| Plausible Analytics (privacy-friendly analytics) | Anonymized page views, referrers, approximate location | Aggregate platform usage analysis |
| Resend (transactional email) | Email address | Communication |
| Cloudflare (security and performance) | Browser and device information | Security monitoring and analytics |
We may also disclose information in the following circumstances:
Legal compliance: We may disclose information if required by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of our users or the public.
Business transfers: If Riverbend Advisory or the Platform is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will provide notice before information becomes subject to a different privacy policy.
CCIS: As our fiscal sponsor, CCIS may have access to aggregated or de-identified Platform data for oversight and reporting purposes as required by the fiscal sponsorship arrangement. CCIS does not receive individual user data for its own purposes.
5. Data Retention
We retain personal data only as long as reasonably necessary for the purposes described in this Privacy Policy or otherwise disclosed at the time of collection. Factors we consider when determining the retention period include, whether you continue to use the Platform, applicable legal requirements and statutes of limitations, and audit or reporting requirements.
When personal data is no longer needed and no legal retention obligation applies, we securely delete or de-identify it.
6. Your Rights and Choices
Depending on your jurisdiction, you may have certain rights regarding your information, including:
Access and correction: You may request to know the categories of personal data we hold about you, request copies of it, or ask us to correct inaccurate personal data
Deletion: You may request that we delete the personal data we have collected from you. We will comply with deletion requests unless we have a legal obligation to retain the information.
Opt out of communications: You may opt out of non-essential emails by clicking "unsubscribe" or the similar option in any email or by contacting us at [email protected].
To exercise your privacy rights, you can email [email protected]. We will confirm receipt of your request and respond to your request within the time limits prescribed by law. We may require additional information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your request.
In certain jurisdictions, you have the right to appeal to us a decision we’ve made to refuse to take action in response to your exercise of one of the rights above. In order to submit an appeal to us, you can contact us at [email protected] with the subject line "Privacy Request Appeal" and information relevant to the appeal in the email.
We will not discriminate against you for exercising any of these rights.
7. Cookies and Similar Tracking Technologies
The Platform is designed to minimize use of cookies and persistent identifiers.
Authentication storage (sessionStorage): When you sign in via magic link, we store an authentication session in your browser's sessionStorage. This is not a cookie. sessionStorage is automatically cleared when you close your browser tab, so closing the browser signs you out. Without this storage, you would need to re-authenticate on every page navigation.
Analytics: We use Plausible Analytics, which is cookieless. Plausible does not set any cookies, does not assign a persistent visitor ID, and does not track you across other websites.
No advertising or behavioral tracking: We do not use advertising cookies and do not engage in cross-context behavioral tracking.
Managing storage: You can clear sessionStorage at any time by closing your browser tab or via your browser's developer tools. Doing so will sign you out and require re-authentication.
8. Data Security
We implement reasonable security measures designed to protect your personal data from unauthorized access, destruction, use, modification, and disclosure, such as encryption of data at rest and in transit (TLS/SSL), magic-link email authentication (no stored passwords), browser-session storage that clears when you close the browser, access controls limiting who can view user data, and regular review of our infrastructure and service providers.
No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information.
9. Third-Party Links
The Platform contains links to third-party websites, including Provider websites. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform. We are not responsible for the privacy practices of third parties, including Providers listed on the Platform.
10. AI-Powered Search
The Platform uses AI technology (currently Google Gemini) to power its search feature. When you use AI search, your query is sent to the AI service provider along with a de-identified or anonymized version of our provider catalog to generate relevant results. Search queries are not associated with your personal identity when sent to the AI provider. We do not use your search queries to train AI models. The AI service provider's use of data is governed by its own terms and privacy policy.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the revised policy on the Platform with an updated "Last Updated" date. For significant changes, we may also provide notice via the Platform's homepage. We encourage you to review this Privacy Policy periodically.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
Cyber Service Search
Email: [email protected]
Website: www.cyberservicesearch.org
13. California Residents
At or before the time of collection of your Personal Information, you have the right to know the categories of Personal Information and Sensitive Personal Information to be collected (see Section 2 - Personal Data We Collect), the purposes for the collection and use of your Personal Information (see Section 3 - How We Use Your Personal Data), whether your Personal Information is "sold" or "shared" as defined under California law (see Section 4 - Disclosures of Personal Data), and how long your Personal Data is retained [see Section 5 - Data Retention). To review that information, you see the relevant sections above. In addition, to understand your rights with respect to your Personal Information and how to exercise those rights, see Section 6 - Your Rights and Choices.
You can designate an authorized agent to submit requests on your behalf. In order to do that, please provide the agent with written permission, signed by you, authorizing the agent to submit the request on your behalf. The agent must provide us with that written permission as part of the request. We may contact you to verify your identity directly, as well as the authorized agent’s permission, before we send a response to the request. Requests from an authorized agent to exercise rights under data protection law on your behalf must be submitted through the designated methods listed above.