Privacy policy.

How we handle the personal data you share with us through cybersecplus.com, and the rights you have over it. This is a generic template — review with legal counsel before publishing.

Last updated: 14 May 2026
Jurisdiction: United Kingdom (UK GDPR)

1. Who we are.

CyberSecPlus (“we”, “us”, “our”) is a penetration testing consultancy operating cybersecplus.com. For the purposes of UK and EU data protection law, we are the data controller for personal data submitted through this website.

Contact us at pentest@cybersecplus.com for any privacy-related question.

2. What we collect.

We only collect what you actively give us. Specifically:

  • Contact form submissions: name, work email, company name, optional phone number, the service you are interested in, and the free-text message you write. The contact form is handled by Formspree (privacy policy) on our behalf.
  • Direct messages: anything you email to pentest@cybersecplus.com or send via WhatsApp on the number listed on the contact page.
  • Engagement data: for clients under contract, the scope, credentials, target information, and findings exchanged during a penetration test. This is governed separately by the engagement agreement and NDA.

We do not use third-party advertising trackers, fingerprinting, or session-replay tools on this site. We do use Google Analytics 4 to understand aggregate site usage — see section 6 for details.

3. How we use it.

  • Respond to enquiries and schedule scoping calls.
  • Prepare proposals, statements of work, and invoices.
  • Deliver penetration testing services under contract.
  • Keep records required for tax, accounting, and regulatory obligations.

We do not sell your data, share it with advertisers, or use it for automated decision-making.

4. Legal basis.

Under UK GDPR, we rely on the following lawful bases:

  • Legitimate interests — responding to your enquiry and operating our business.
  • Contract — when you become a client, processing necessary to deliver the engagement.
  • Legal obligation — retention of financial records and responding to lawful requests.
  • Consent — where you have explicitly opted in, e.g. to receive follow-up communications. Consent can be withdrawn at any time.

5. Sharing & processors.

We use a small number of trusted third-party processors to operate the site and business:

  • Formspree — contact form delivery.
  • Google Analytics 4 — aggregate site analytics.
  • Email provider — receiving and storing correspondence sent to our addresses.
  • Hosting provider — serving this static website.

We share data with these processors only to the extent needed to provide the service, under written data-processing terms. We do not transfer personal data outside the UK or EEA unless protected by an adequacy decision or appropriate safeguards.

6. Cookies & tracking.

We use Google Analytics 4 (measurement ID G-FCWYN22646) to understand aggregate traffic patterns — pages visited, approximate location, device type, and referral source. Google Analytics may set cookies (_ga, _ga_*) and process your IP address. IP addresses are anonymised by Google before storage. See Google’s privacy policy and how Google uses data from sites that use its services.

You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, or by blocking cookies for googletagmanager.com in your browser.

We do not use any other analytics, advertising, or session-replay cookies. The Google Fonts stylesheet referenced at the top of each page is loaded from fonts.googleapis.com, which may briefly receive your IP address as part of the standard HTTP request, but does not set persistent cookies.

7. Retention.

  • Contact form messages and enquiry emails: up to 24 months from last contact, then deleted.
  • Client engagement records and reports: 7 years after engagement close, in line with UK record-keeping requirements.
  • Financial records: 6 years per HMRC requirements.

You can ask us to delete data earlier where we are not required to keep it.

8. Security.

We are a security firm. We practise what we sell.

  • Encryption in transit (TLS) for all communications.
  • Encryption at rest for stored engagement data.
  • Principle of least privilege for internal access.
  • Multi-factor authentication on all production systems.
  • Documented incident-response procedures, including breach notification within 72 hours where legally required.

9. Your rights.

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure (“right to be forgotten”), subject to our retention obligations.
  • Object to or restrict certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, without affecting prior lawful processing.

To exercise any of these rights, email pentest@cybersecplus.com. We respond within one month.

You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk.

10. Changes.

If we materially change this policy we will update the “last updated” date at the top. For significant changes affecting clients, we will notify you directly.

11. Contact.

Email: pentest@cybersecplus.com
WhatsApp: +44 7883 240451