Paragon Cyber Advisory Ltd ("Paragon", "we", "us", "our") is committed to protecting your personal data and your right to privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and the rights you have in relation to it — in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully. If you have any questions, our Data Protection contact is available at [email protected].
Who We Are
Paragon Cyber Advisory Ltd is a company registered in England and Wales (Company No. 14729031), with registered office at 12 Canary Wharf, London, E14 5AB. We are registered with the Information Commissioner's Office (ICO) under registration number ZB654321.
Paragon Cyber Advisory is the data controller for personal data processed in connection with our website, services, and commercial relationships. This means we determine the purposes and means of processing your personal data.
Where we process personal data on behalf of our clients as part of delivering cybersecurity, GRC, or AI governance services, we do so as a data processor under the terms of a written data processing agreement. Those processing activities are governed by the relevant client agreement and are separate from this policy.
Data We Collect
We collect personal data in the following circumstances:
| Category | Examples | Source |
|---|---|---|
| Identity data | First name, last name, job title, organisation name | Directly from you |
| Contact data | Email address, telephone number, postal address | Directly from you |
| Transaction data | Details of services purchased, digital kits downloaded, payment records (last 4 digits only — full card data is processed by our payment processor) | Directly from you |
| Usage data | Pages visited, links clicked, session duration, referrer URL, browser/OS type | Automatically (cookies & analytics) |
| Technical data | IP address, device identifier, cookie identifiers | Automatically |
| Communication data | Content of enquiry forms, emails, and consultation requests you send us | Directly from you |
| Marketing preferences | Whether you have opted in or out of marketing communications | Directly from you |
| Professional data | Company size, industry sector, security maturity level (provided during consultations) | Directly from you |
We do not intentionally collect any special category data (e.g. health, race, political opinions, biometric data) or criminal conviction data. If you inadvertently include such data in a communication to us, we will delete it as soon as we identify it.
We do not collect or store full payment card details. All card transactions are processed by our PCI DSS-compliant payment processor. We receive only a transaction confirmation and the last four digits of the card number for reference purposes.
How We Use Your Data
We use your personal data for the following purposes:
- Delivering services: To provide cybersecurity consulting, managed security, GRC, training, and digital product services you have engaged us for.
- Processing transactions: To process orders for digital kits, send download links, and manage payment records.
- Responding to enquiries: To respond to consultation requests, contact form submissions, and support queries.
- Sending service communications: To send order confirmations, product update notifications, and essential account information.
- Marketing communications: To send you information about our services, insights, and events — only where you have consented or we have a legitimate interest and you have not opted out.
- Improving our website: To analyse usage patterns, identify technical issues, and improve the user experience of our website and digital products.
- Legal and compliance obligations: To comply with legal obligations including tax and accounting requirements, fraud prevention, and regulatory reporting.
- Security monitoring: To protect our systems and detect/investigate potential security incidents.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. Our analytics and lead-scoring tools inform human decision-making only and do not trigger automated actions affecting your rights.
Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for every processing activity. The table below sets out which basis we rely on for each purpose:
| Purpose | Lawful Basis |
|---|---|
| Delivering contracted services | Contract |
| Processing digital product purchases | Contract |
| Responding to consultation enquiries | Legitimate Interest |
| Sending service/account communications | Contract / Legal Obligation |
| Marketing to existing customers (similar services) | Legitimate Interest |
| Marketing to new contacts who have opted in | Consent |
| Website analytics and improvement | Legitimate Interest |
| Tax, accounting, and financial records | Legal Obligation |
| Fraud prevention and security monitoring | Legitimate Interest / Legal Obligation |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to confirm that our interests are not overridden by your rights and freedoms. You can request a copy of our LIA by emailing [email protected].
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent for marketing, use the unsubscribe link in any email we send you or contact us directly.
Data Sharing
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We share data only where necessary and only with the following categories of recipient:
- Service providers and processors: Third parties who provide services on our behalf under written data processing agreements, including cloud hosting (AWS UK region), email delivery (Mailgun), CRM (HubSpot, EU data residency), payment processing (Stripe), and website analytics (self-hosted Plausible).
- Professional advisors: Solicitors, accountants, and insurers who need access to data in the course of their professional services to us.
- Regulatory and law enforcement bodies: Where required by applicable law, court order, or regulatory authority — for example the ICO, HMRC, or the Financial Conduct Authority.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred as part of that transaction. We will notify you in advance if this occurs and your data will remain subject to the protections in this policy.
All third-party processors are subject to written data processing agreements requiring them to protect your data to at least the standard required by UK GDPR. We conduct due diligence on all processors before appointment and review these arrangements periodically.
International Data Transfers
We primarily store and process your data in the United Kingdom. Some of our third-party processors operate in, or route data through, countries outside the UK. Where this occurs, we ensure that appropriate safeguards are in place:
- Adequacy decisions: Where the UK Government has made an adequacy decision for the recipient country (e.g. EEA member states), no additional safeguards are required.
- UK International Data Transfer Agreement (IDTA): For transfers to countries without an adequacy decision, we use the ICO's IDTA, or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum.
- Binding corporate rules: Where applicable for intra-group transfers within a processor's organisation.
A full list of our processors and the safeguards applicable to international transfers is available on request from [email protected].
How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes for which it was collected, and to comply with legal obligations:
| Data Type | Retention Period | Reason |
|---|---|---|
| Client service records | 7 years after contract ends | Legal obligation (Companies Act / Tax) |
| Transaction and payment records | 7 years | HMRC / financial compliance |
| Digital product purchases | 3 years after last download | Licence management & support |
| Enquiry / consultation form data | 2 years if no contract results | Legitimate interest (business development) |
| Marketing contact records | Until opt-out or 3 years inactivity | Consent / legitimate interest |
| Website analytics data | 13 months (anonymised after) | Legitimate interest (site improvement) |
| Security logs (access, authentication) | 12 months | Security monitoring & incident response |
At the end of the applicable retention period, personal data is securely deleted or anonymised in accordance with our Data Retention and Disposal Policy. Where anonymised, the resulting data can no longer identify you and is no longer subject to this privacy policy.
Your Data Protection Rights
Under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month (extendable by a further two months for complex requests, with notice):
- Right of access: to obtain confirmation that we process your data and a copy of it.
- Right to rectification: to have inaccurate or incomplete data corrected.
- Right to erasure: to have your data deleted where there is no overriding reason for us to keep it.
- Right to restriction of processing: to limit how we use your data in certain circumstances, for example while a dispute about accuracy is resolved.
- Right to data portability: to receive data you provided to us in a structured, commonly used, machine-readable format where processing is based on contract or consent.
- Right to object: to processing based on legitimate interests, and at any time to direct marketing.
- Rights in relation to automated decision-making and profiling (as noted above, we do not carry out such processing).
To exercise any of these rights, please contact us at [email protected] with the subject line "Data Rights Request". We may need to verify your identity before processing your request and will not charge a fee except in cases of manifestly unfounded or excessive requests.
Cookies & Similar Technologies
Our website uses cookies and similar technologies to ensure it works correctly, remember your preferences, and help us understand how visitors use the site. We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and require your consent for non-essential cookies.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| pca_session | Essential | Maintains your session state. Required for secure areas and form submissions. | Session |
| pca_csrf | Essential | CSRF token to prevent cross-site request forgery attacks. | Session |
| pca_consent | Essential | Stores your cookie consent preferences so we don't ask every visit. | 1 year |
| _plausible | Analytics | First-party analytics via self-hosted Plausible. Counts page views and sessions. No cross-site tracking. IP addresses are not stored. | Not persistent (cookieless) |
| hs_* | Marketing | HubSpot tracking for form submissions and lead identification. Only set when you submit a form. | 13 months |
| _fbp | Marketing | Meta Pixel — measures effectiveness of advertising. Only set with your consent. | 90 days |
| _li_* | Marketing | LinkedIn Insight Tag — tracks conversions from LinkedIn advertising. Only set with your consent. | 30 days |
You can manage or withdraw your cookie consent at any time using our Cookie Settings panel. You can also control cookies through your browser settings — please note that disabling essential cookies may affect the functionality of this website.
For more information about cookies generally, visit aboutcookies.org or the ICO's guidance on cookies.
Security Measures
As a cybersecurity firm, information security is central to everything we do. We maintain rigorous technical and organisational measures to protect your personal data against accidental loss, unauthorised disclosure, or unlawful access:
- Encryption in transit: All data in transit is encrypted using TLS 1.3 or higher. Our website enforces HTTPS with HSTS.
- Encryption at rest: Databases and file stores holding personal data are AES-256 encrypted at rest.
- Access controls: Role-based access controls with least-privilege principles. All staff access to production systems requires MFA.
- Network segmentation: Customer-facing systems are isolated from internal systems via separate network zones with WAF protection.
- Vulnerability management: Quarterly penetration testing of all customer-facing infrastructure by an accredited third party. Monthly automated vulnerability scanning.
- Staff training: All staff complete annual data protection and security awareness training.
- Supplier security: All third-party processors are vetted against our Supplier Security Standard prior to engagement.
- Incident response: We maintain a documented Incident Response Plan. Where required by UK GDPR, we will notify the ICO of a personal data breach within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
If you discover a potential security vulnerability on our website or services, please report it responsibly to [email protected] rather than publicly disclosing it. We operate a responsible disclosure programme.
Children's Privacy
Our website and services are directed at businesses and professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.
Changes to This Policy
We review this Privacy Policy at least annually and whenever there is a material change to our processing activities or applicable law. The "Last updated" date at the top of this page reflects the most recent revision.
If we make a material change — for example, a change to the types of data we collect, the purposes for which we use it, or the third parties we share it with — we will notify you by email (if we hold your email address) and/or by displaying a prominent notice on our website for at least 30 days before the change takes effect.
Previous versions of this policy are available on request. Continued use of our website or services after the effective date of any changes constitutes acceptance of the updated policy.
- v2.4 (March 2025): Added digital products purchase processing, updated cookie table, IDTA transfer mechanism added.
- v2.3 (October 2024): Updated processor list, added Plausible analytics detail.
- v2.2 (April 2024): Added AI Governance service data processing. Revised retention schedule.
- v2.1 (January 2024): Post-UK GDPR migration review. Full rewrite for clarity.
Contact & Complaints
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact our Data Protection representative:
Paragon Cyber Advisory Ltd, 12 Canary Wharf, London, E14 5AB, or by email at [email protected].
If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.