Privacy Policy

Hyperonex Consultancy Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or engage our services.

1. Who We Are

Hyperonex Ltd is a registered company in England and Wales. We are the data controller responsible for your personal data.

Data Protection Officer:
Email: compliance@hyperonex.co.uk

2. Information We Collect

We may collect and process the following categories of personal data:

2.1 Information You Provide Directly

• Contact Information: Name, email address, phone number, job title, and company name when you complete our contact form or request consultations
• Enquiry Details: Information about your organisation, security requirements, and project scope
• Communication Records: Correspondence via email, phone, or meetings
• Training Participants: Employee names, email addresses, and training progress data for our cyber awareness programmes
• Consultancy Clients: Business information, system documentation, and security assessment data under contractual agreements

2.2 Information Collected Automatically

• Technical Data: IP address, browser type and version, time zone setting, browser plug-in types, operating system and platform
• Usage Data: Information about how you use our website, including pages visited, time spent, and navigation paths
• Cookie Data: See our Cookie Policy for detailed information

2.3 Special Category Data

As a cyber security consultancy, we do not typically process special category personal data (as defined under UK GDPR Article 9). However, during security assessments or training, we may incidentally encounter such data within client systems. This is always processed under strict contractual confidentiality and security measures.

3. How We Use Your Information

We process your personal data for the following lawful bases and purposes:

3.1 Contractual Performance (Article 6(1)(b) UK GDPR)

• Providing cyber security consultancy services
• Delivering security awareness training programmes
• Fulfilling our obligations under service agreements
• Managing client accounts and project delivery

3.2 Legitimate Interests (Article 6(1)(f) UK GDPR)

• Responding to enquiries and providing quotes
• Website analytics and performance improvement
• Network and information security
• Direct marketing to existing clients (with opt-out rights)
• Fraud prevention and detection

3.3 Legal Obligation (Article 6(1)(c) UK GDPR)

• Compliance with financial regulations and tax laws
• Responding to legal requests from regulatory authorities
• Maintaining records for insurance and professional indemnity

3.4 Consent (Article 6(1)(a) UK GDPR)

• Sending marketing communications to prospective clients
• Using non-essential cookies (see Cookie Policy)
• Sharing testimonials or case studies (with explicit permission)

4. Data Sharing and Third Parties

We do not sell your personal data. We may share your information with:

4.1 Service Providers

• Cloud Hosting: Website hosting and data storage providers (AWS UK/EU regions)
• Email Services: Secure email delivery and marketing platforms
• Analytics: Privacy-focused analytics providers (Plausible Analytics - no personal data)
• Payment Processors: For invoice payments (Stripe, bank transfer systems)

4.2 Professional Advisers

• Legal advisers, accountants, and insurance providers (under confidentiality agreements)
• Professional accreditation bodies (for certification purposes only)

4.3 Legal and Regulatory

• Law enforcement agencies, regulators, or courts when legally required

4.4 International Transfers

We primarily process data within the UK and European Economic Area (EEA). Where data is transferred outside these regions (e.g., US-based cloud services), we ensure adequate protection through:

• UK/EU Standard Contractual Clauses (SCCs)
• Adequacy decisions (where applicable)
• Additional technical safeguards (encryption, access controls)

5. Data Security

As cyber security professionals, we implement industry-leading security measures:

• Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege
• Monitoring: 24/7 security monitoring, intrusion detection, and automated threat response
• Backups: Encrypted, geographically distributed backups with regular recovery testing
• Staff Training: All personnel undergo security clearance and regular awareness training
• Physical Security: Secure office premises with access control and surveillance

In the event of a personal data breach, we will notify affected individuals without undue delay where there is a high risk to rights and freedoms, and report to relevant supervisory authorities as required by law.

6. Data Retention

We retain personal data only as long as necessary for the purposes collected:

Data Category	Retention Period
Enquiry records (non-clients)	2 years from last contact
Client contracts and project data	7 years after contract completion (legal requirement)
Training records	Duration of contract + 3 years
Website analytics	26 months (anonymised after 14 months)
Financial records	6 years (HMRC requirement)
Marketing consents	Until consent withdrawn or 2 years inactivity

7. Your Data Protection Rights

Under UK GDPR, you have the following rights:

7.1 Right to Access (Article 15)

Request a copy of your personal data and information about how we process it.

7.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

7.3 Right to Erasure ('Right to be Forgotten') (Article 17)

Request deletion of your personal data where there is no compelling reason for continued processing.

7.4 Right to Restrict Processing (Article 18)

Request limitation of processing in specific circumstances (e.g., while contesting accuracy).

7.5 Right to Data Portability (Article 20)

Receive your data in a structured, commonly used, machine-readable format and transmit to another controller.

7.6 Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing at any time.

7.7 Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling with legal or significant effects.

7.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting lawful processing before withdrawal.

Exercising Your Rights: Email compliance@hyperonex.co.uk with your request. We respond within one month (extendable to three months for complex requests). We may require identity verification.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your browsing experience. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

Essential Cookies: Required for website functionality (cannot be disabled)
Analytics Cookies: Help us understand website usage (privacy-preserving, no personal identifiers)
Marketing Cookies: Only set with explicit consent

9. Children's Privacy

Our services are directed at business professionals and organisations. We do not knowingly collect personal data from individuals under 16 years of age. If you believe we have inadvertently collected such data, please contact us immediately for deletion.

10. Links to Third-Party Websites

Our website may contain links to external sites (e.g., LinkedIn, professional bodies). We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review their privacy policies before providing personal data.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings. Material changes will be notified via:

• Prominent notice on our website
• Direct email communication to active clients
• Updated "Last updated" date at the top of this policy

We recommend reviewing this policy regularly.

12. Complaints and Supervisory Authority

If you have concerns about our data handling practices, please contact our Data Protection Officer first. If you remain dissatisfied, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

UK Supervisory Authority:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113

13. Contact Us

For any questions about this Privacy Policy or our data practices: