Privacy Policy

1. Introduction

CheckSec Limited ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and security assessment platform services ("Services").

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller for the personal data we process about you.

2. Contact Information

3. Information We Collect

3.1 Personal Information You Provide

• Business contact information (name, work email address, job title, company name)
• Account registration details and user credentials
• Company information (company size, industry sector, VAT number)
• Contact information when you reach out to us
• Security assessment data, vulnerability reports, and project documentation you upload
• Communications, support tickets, and feedback
• Marketing preferences and consent records

3.2 Information We Collect Automatically

• Log data (IP address, browser type, pages visited, access times)
• Device information (operating system, device identifiers, screen resolution)
• Platform usage analytics (features used, report generation frequency, API calls)
• Session recordings for security and support purposes (with notice)
• Cookies and similar tracking technologies (see our Cookie Policy)
• Security event logs and authentication records

4. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract (Article 6(1)(b) UK GDPR):
  • Providing access to our security assessment platform
  • Managing user accounts and authentication
  • Delivering customer support and technical assistance
• Legitimate Interest (Article 6(1)(f) UK GDPR):
  • Improving platform security and preventing fraud
  • Analysing usage patterns to enhance our services
  • Sending service-related communications
  • Maintaining business records and audit trails
• Consent (Article 6(1)(a) UK GDPR):
  • Marketing communications and newsletters
  • Optional analytics and product improvement features
• Legal Obligation (Article 6(1)(c) UK GDPR):
  • Complying with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

5. How We Use Your Information

• Provide, maintain, and improve our Services
• Process transactions and manage accounts
• Communicate with you about our Services
• Provide customer support and technical assistance
• Send marketing communications (with your consent)
• Detect and prevent fraud and security threats
• Comply with legal obligations
• Analyse usage patterns to improve our platform

6. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: With carefully selected third-party processors including:
  • Cloud infrastructure providers (AWS/Azure for hosting)
  • Email service providers for transactional emails
  • Customer support and ticketing systems
  • Analytics providers (with appropriate safeguards)
  All processors are bound by data processing agreements and appropriate security measures.
• Legal Requirements: When required by law, court order, or to:
  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Investigate potential violations of our terms
• Business Transfers: In connection with mergers, acquisitions, or asset sales, with appropriate confidentiality agreements
• Within Your Organisation: With authorised users within your company account
• Consent: With your explicit permission for any other purposes

7. International Data Transfers

Your data may be transferred to and processed in countries outside the UK. We ensure adequate protection through approved transfer mechanisms such as Standard Contractual Clauses or adequacy decisions.

8. Data Security

As a security-focused company, we implement comprehensive security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control, multi-factor authentication, and principle of least privilege
• Infrastructure Security: SOC 2 compliant cloud infrastructure with regular security audits
• Application Security: Regular penetration testing, vulnerability scanning, and secure coding practices
• Monitoring: 24/7 security monitoring, intrusion detection, and incident response procedures
• Employee Training: Regular security awareness training for all staff
• Data Isolation: Logical separation of customer data with strong access boundaries

While we implement industry-leading security measures, no method of transmission over the internet is 100% secure. We continuously improve our security posture and promptly address any identified vulnerabilities.

9. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

• Account Data: Duration of subscription plus 7 years for legal and tax compliance
• Security Assessment Data: 3 years after project completion (unless you request earlier deletion)
• Support Tickets: 2 years after resolution for service improvement
• Marketing Data: Until consent is withdrawn or 3 years of inactivity
• Security Logs: 1 year for security and compliance purposes
• Backup Data: Maximum 90 days in encrypted backups

You may request deletion of your data at any time, subject to our legal obligations to retain certain records.

10. Your Rights

Under UK GDPR, you have the following rights:

• Access: Request copies of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data
• Restriction: Request limitation of processing
• Portability: Request transfer of your data
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent where applicable

To exercise these rights, contact us at privacy@checksec.com. We will respond within one month.

11. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. For detailed information, please see our Cookie Policy.

12. Children's Privacy

Our Services are business-to-business and not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

13. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or through our platform. Your continued use of our Services after changes become effective constitutes acceptance of the updated policy.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the ICO within 72 hours of becoming aware of the breach
• Notify affected individuals without undue delay if the breach poses a high risk
• Document all breaches and maintain records as required by UK GDPR
• Take immediate action to mitigate risks and prevent future occurrences

15. Complaints

If you have concerns about how we handle your personal data:

1. First, contact our Data Protection Officer at dpo@checksec.com
2. We will acknowledge your complaint within 48 hours
3. We aim to resolve all complaints within 30 days
4. If you're not satisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO)

16. Business-to-Business Nature of Services

CheckSec provides services exclusively to businesses and organisations. We do not offer services to individual consumers. All personal data we process relates to individuals acting in their professional capacity as representatives of business customers.

17. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at: