Privacy Policy
Diffidentia — Cybersecurity Consulting & Contracting
The short version: Diffidentia is a local-first security platform. Your configuration files, source code, vulnerability data, and credentials never leave your machine. We do not sell data. We do not run ads. We do not track you across the web.
1. Who we are
Diffidentia is a cybersecurity consulting and contracting firm founded by Michael Hogue-Rennie. We provide AI-powered security analysis, hands-on consulting engagements, and contract security engineering for organizations that need expert-level protection without a full-time hire.
Our principal product is the Diffidentia Security Analyzer Suite — a locally installed application that runs entirely on your own infrastructure using a local large language model.
For any privacy matter: privacy@diffidentia.ai
2. Information we collect on this website
This marketing website (diffidentia.ai) collects minimal information:
- Early access waitlist email. If you submit your email through the notification form, we store it solely to notify you when the hosted version launches. We do not sell it, share it, or use it for any other purpose.
- Web server logs. Our hosting provider (Firebase Hosting / Google Cloud) logs standard request metadata — IP address, user agent, pages visited — retained for up to 30 days for security and debugging only.
- No cookies, no analytics, no tracking pixels. This website does not set cookies, load analytics scripts, or use any third-party tracking technology.
3. What we do not collect — the Diffidentia platform
The Diffidentia Security Analyzer Suite is locally installed. When you use it:
- Your firewall configs, network configs, and source code are processed entirely on your local machine using your local LLM. They are never transmitted to us.
- Your vulnerability scan data, asset inventory, and scan history are stored locally in your PostgreSQL database. We have no access to this database.
- API credentials for AWS, Azure, GCP, and SIEM platforms are held in a Fernet-encrypted local vault. The vault key is derived from your passphrase and is never stored or transmitted anywhere.
- SSH and WinRM credentials used by the patch agent are stored only in the local encrypted vault. They are never sent to Diffidentia.
- Google OAuth tokens used by the Workspace scanner are held in server memory only and discarded when the application restarts.
We have no servers that receive your security data. We have no technical ability to access your scans, findings, or configurations.
4. Consulting and contracting engagements
When you engage Diffidentia for consulting or contracting work:
- Scope of work documentation (statements of work, contracts, proposals) is retained for the duration of the engagement plus seven years for tax and legal compliance purposes.
- Contact information (name, email, phone, company) is used only to manage the engagement and communicate about deliverables.
- Client systems and data accessed during an engagement are governed by the confidentiality provisions in your signed Master Service Agreement. All findings and client data are treated as strictly confidential.
- We do not retain copies of client infrastructure data, credentials, or proprietary information beyond what is required to deliver agreed deliverables, and only with your explicit written permission.
5. How we use your email
If you join the early access waitlist, your email is used only to:
- Send one confirmation when you sign up
- Notify you when the hosted version of Diffidentia is available
To be removed: email privacy@diffidentia.ai with the subject "Remove me" — we will delete your address within 5 business days.
6. Third-party services
This website is hosted on Firebase Hosting (Google LLC). Google's privacy policy applies to hosting infrastructure: policies.google.com/privacy.
We do not use Google Analytics, Facebook Pixel, or any other analytics or advertising service on this website.
7. Data retention
| Data type | Retention period | Notes |
|---|---|---|
| Waitlist email addresses | Until product launch or removal request | One email on sign-up, one on launch |
| Web server logs | Up to 30 days | Retained by Firebase Hosting |
| Product scan data | Local to your machine | Diffidentia retains no copy |
| Engagement contact info | Duration of engagement + 7 years | Tax and legal compliance |
| Signed contracts and SOWs | 7 years after engagement closes | California business record requirements |
8. Your rights
Depending on where you are located, you may have rights under applicable privacy law (GDPR, CCPA, and others), including:
- Right to know what personal data we hold about you
- Right to request deletion
- Right to correct inaccurate data
- Right to object to processing
- Right to data portability
To exercise any right: privacy@diffidentia.ai. We will respond within 30 days.
9. Security
Security is our business. The waitlist database is stored in Firestore with access restricted to service account credentials that are not publicly exposed. We do not store passwords or payment card information.
For consulting engagements, all client data handled by Diffidentia personnel is subject to the confidentiality provisions of the signed engagement agreement. Findings and deliverables are transmitted exclusively over encrypted channels.
10. Children
This website and product are directed at security professionals and organizations. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted information to us, contact privacy@diffidentia.ai and we will delete it promptly.
11. Changes to this policy
We may update this policy as the product or practice evolves. Material changes will be communicated by email to anyone on the waitlist. The "last updated" date at the top of this page always reflects the current version.
12. Contact
- Privacy: privacy@diffidentia.ai
- General: hello@diffidentia.ai