breachology Ltd, a company registered in England and Wales with registered number 13660085, whose registered office is at Suite B Earlsdon Park, 53-55 Butts Road, Coventry, England, CV1 3BH, collects, uses and is responsible for certain personal information about you. When we do so we are regulated under The General Data Protection Regulation 2016/679 (“GDPR”) and the UK Data Protection Act 2018 (“DPA”) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Throughout this policy, “breachology” refers to breachology Ltd (also referred to as “we”, “us”, or “our”). For the purpose of this policy, breachology “websites” includes any of our websites such as the main breachology website (www.breachology.com).

breachology is committed to protecting your privacy. This commitment reflects the value we place on earning and keeping the trust of our clients, business partners and others who share their personal information with us. This policy sets out the basis by which personal data will be processed by us and your rights.

For information on how our websites use cookies, please visit our cookie policy page. By visiting our websites, you accept and consent to the practices described in this policy. If you don’t accept the terms of this policy, please refrain from using our websites.

Our websites may contain links to other websites. If you leave our websites via a link or otherwise you will be subject to the privacy policies of those websites. We do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Collection of your information

We may collect and process personal information in the following ways:

  • When we perform services for our clients.
  • When you order a service from us.
  • When you contact us in relation to our services.
  • When you visit any of our websites.
  • When you submit our online forms, including but not limited to:
    • The client details form
    • The testing authorisation form
    • Providing engagement feedback
    • Returning scoping questionnaires.
  • When you interact with us on social media platforms or other public forums.
  • When you book or attend a breachology seminar, event or training.
  • When you visit our office.
  • When you apply for a position at breachology.
  • If you contact us with a query or complaint.

Information we may collect

When you contact us to request information about breachology or our services, we ask that you provide accurate information that enables us to respond to your request. Whenever you provide personal information to us, we use it for the purposes for which it was provided to us as stated at the point of collection or as obvious from the context of collection.

When we provide the services described above for our clients, we may collect personal information such as:

  • Contact information, such as your name, email address, postal address, phone number and mobile phone number
  • Usernames and passwords
  • Communication preferences
  • Other relevant information, such as occupation, job title and office location
  • Any other information which might be material or necessary to accomplish the purpose of the engagement

We may also collect information when you visit our websites, including but not limited to your IP address, location, time of access, the browser you use, your operating system and the pages you visit.

We only obtain information from third parties if this is permitted by law. We may also use legal public sources to obtain information about you.

How we may use your personal information

In addition to using your information to fulfil our contract to provide you with requested products or services, we may also use your information in the following ways, provided that, where we are required to obtain your consent to use your information, you have provided such consent:

  • to monitor and improve our products, services and our websites;
  • to provide you with information about other products and services we offer that are similar to those that you have already purchased or enquired about or that we feel may be of interest to you;
  • to notify you about changes to our services;
  • to administer our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to inform and invite you to company events and activities;
  • to enable us to comply with any legal or regulatory requirements.

The basis on which we collect your information

We collect most of your information on the grounds of: (i) legitimate interests (for example, to send you direct marketing about products and services similar to those you have purchased from us or negotiated or enquired about, or to help us administer the website); and (ii) fulfilment of a contract with you (for example, to provide you with products or services you have purchased from us).

If we require your personal data for fulfilment of a contract with you (for example, to provide services or products to you or to receive payment from you), we may be unable to fulfil the contract without your personal data.

Where we rely on legitimate interests, our legitimate interests are the promotion of the products and services offered by breachology and the provision of information in respect of products and services you have already purchased from us or which you have expressed an interest in purchasing.

If we are unable to rely on legitimate interests, fulfilment of a contract or any other grounds set out in the GDPR to process your personal data, we will obtain consent from you to the processing. If you give us your consent, you can withdraw it at any time by clicking on the “unsubscribe” link or following other instructions in the email we send to you, or by emailing dataprotection@breachology.com. Withdrawal of your consent won’t affect any processing we have carried out in respect of your personal data prior to you withdrawing consent.

Retention of your information

How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for no more than the time required to fulfil the purposes described in this privacy policy unless a longer retention period is permitted by law. We have implemented appropriate measures to ensure your personal information is securely destroyed in a timely and consistent manner when no longer required.

In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Sharing your information

We may share your contact details with our employees, officers and consultants and with subcontractors, business partners and other suppliers who are engaged in relation to any contract which we have entered into with you or your employer. 

We may disclose your personal information to third parties, if:

  • the third party contracts with us to provide certain services you have requested and requires your personal information in order to do so
  • we sell or buy any business or asset, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
  • we are under a duty to disclose or share your personal data in order to comply with any legal obligation.

We do not rent, sell or otherwise disclose personal information to unaffiliated third parties for their own marketing use.

Security measures to protect your information

The security of your personal information is extremely important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorised access, use or disclosure, using security technologies and procedures, such as encryption and limited access.

Our service providers and agents are contractually bound to maintain the confidentiality of personal information and may not use the information for any unauthorised purpose.

Your rights

Subject to certain exemptions, there are a number of rights available to you under the GDPR. You can exercise your rights in respect of your personal data by contacting us using the details below.

Subject to legal considerations we will make every reasonable effort to honour your request promptly, or inform you if we require further information in order to fulfil your request.

We may ask you for additional information to confirm your identity before disclosing the personal information requested. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive or repetitive.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Right to access

You have the right to ask us to confirm that we process your personal data, as well as to have access to and receive copies of your personal data.

We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may charge you if you request more than one copy of the same information.

We will provide the information requested as soon as possible and in any event within one month of receiving the request. We will let you know if we need more information to comply with the request or to confirm your identity.

Right to rectification

You have a right to request that we correct your personal information where it is inaccurate, incomplete or out of date.

We will comply with your request within one month of receiving it, unless we do not feel it is appropriate for us to do so, in which case we will let you know why.

Right to erasure

You have the right under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.

Right to restrict processing

You have the right to restrict the processing of your personal information, but only where:

  • its accuracy is contested, to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

Right to data portability

Where breachology acts as a Data Controller, you have the right to data portability, which requires us to provide personal information to you in a commonly used, machine-readable format. This right only applies:

  • to personal data you provide to us
  • where processing is based on your consent or for performance of a contract to which you are a party
  • where we carry out the processing by automated means

We will provide the information requested as soon as possible and in any event within one month of receiving the request. We will let you know if we need more information to comply with the request or to confirm your identity.

Right to object

You have the right to object to the processing of your personal information at any time, but only where that processing has our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

Automated decision making

When you visit our websites, we may automatically collect technical information including IP address, login information, information regarding your visit such as URL data and services you viewed or searched for, operating system and browser type.

We may also collect details of your visits to our site including but not limited to traffic data, location data, weblogs, operating systems, browser usage or other communication data. Our sites also use cookies. We collect information not to identify individual users but to gain useful knowledge about how our site is used in order that we can keep improving it for our users. Further information is available in our Cookie Policy.

Marketing communications

We may use your personal information to send you updates about our events and services, including promotions or new services.

We have a legitimate interest in processing your personal information for promotional purposes. This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal information with respect and will never share it with other organisations for marketing purposes.

You have the right to opt out of receiving marketing communications at any time by contacting us using the details below.

Where we store your personal data

We store personal data on systems located in the United Kingdom (UK) and the European Economic Area (EEA).

We may sometimes transfer your personal information to countries or organisations that are located outside of the UK / EEA such as our service providers and subcontractors. We will only transfer personal data to a country which has been assessed as providing an adequate level of protection of personal data or to other countries where we are satisfied that the transfer complies with data protection laws and personal data will be secure. For further information, please contact us; our contact details are below.

It may also be processed by staff operating outside the UK / EEA who work for us or one of our suppliers. We take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

You also have a right to contact us for more information about the safeguards we have put in place to ensure the adequate protection of your personal information when this is transferred as mentioned above.

Changes to our privacy policy

This privacy policy was last updated in February 2024. We may update it from time to time. We encourage you to periodically review our privacy policy to see any updates or changes.

Contact us

If you have any concerns about our use of your personal information, you can make a complaint to us by contacting our Data Protection Officer (dataprotection@breachology.com), or alternatively contact us at:

Data Protection
breachology Ltd
Suite B Earlsdon Park
53-55 Butts Road
Coventry
England
CV1 3BH

If you have questions, comments or requests regarding your personal information or this Privacy Policy, please get in touch using the contact details above.

You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

If you are based in the UK, you can contact the Information Commissioner’s Office helpline on 0303 123 1113. Please refer to the ICO website for more information (https://ico.org.uk/make-a-complaint/).