Privacy notice

Here is some information regarding data protection and privacy for visitors to this website and users of our service. It will explain how we collect and process your personal data. It will give you more detail on our data protection practices. 

We are CybSafe. Our address is 5 New St Square, London EC4A 3TW, United Kingdom. We have a designated Data Protection Officer (DPO) who may be contacted directly at dpo@cybsafe.com regarding any data protection and privacy matters.

You will be referred to in this Privacy Notice as a Data Subject and the information about you is known as Personal Data. For the purposes of privacy laws, we are the processor of personal data unless expressly specified otherwise. We believe everybody deserves to live in a safe and secure digital world. So we’re here to radically transform the human aspect of cyber security. This is our mission. We take data protection seriously and follow the law and industry best practices to keep your personal data secure. As a data subject you have certain rights in relation to data privacy.

Specifically, you have the right to:

  • request information about the personal data that is processed by us, 
  • rectification of inaccurate personal data records,
  • demand deletion or restriction of processing, and the right to object to processing based on legitimate interest under certain circumstances,
  • revoke any consent to processing that has been given by the user to us, 
  • data portability, which means a right to get the personal data and transfer these to another controller as long as this does not negatively affect the rights and freedoms of others; and
  • lodge a complaint to the supervisory authority regarding the processing of personal data relating to him or her, if a user considers that the processing of personal data infringes the legal framework of privacy law. A full list of EU regulators is available here, and the contact details of the UK regulator, the ICO, are here.

Sometimes we use third parties to help us provide our service. In order to facilitate our contractual obligations we use third party applications such as 

  • administration & support service (cloud) providers such as Amazon Web Services (a subsidiary of Amazon Inc) and
  • analytical service companies such as Google LLC

We will only transfer personal data to third parties that we have confidence in. We carefully choose them to ensure that the personal data is processed in accordance with current privacy legislation. The personal data collected is stored and processed inside the EU/EEA, or such third country that is considered by the European Commission to have an adequate level of protection, or processed by such suppliers that have entered into such binding agreements that fully comply with the lawfulness of third country transfers, or transferred to other suppliers where adequate safeguards are in place to protect the rights of the data subjects whose data is transferred. To obtain documentation regarding such adequate safeguards, please email dpo@cybsafe.com (for info, our EU representative is info@priviness.eu).

We will not sell personal data to third parties.

Data that is processed with the purpose of aggregated analysis or market research is always made unidentifiable. Such personal data cannot be used to identify an individual. Therefore, such data is not considered personal data.

We prioritise personal data integrity and privacy and therefore work actively so that the personal data is processed with utmost care. We are proud to take measures which aim to make sure that the personal data is processed safely and in accordance with this Privacy Notice and privacy laws (notably the GDPR).

To view more information regarding our processing of personal data concerning you, please choose from below the category which most closely describes your relationship with CybSafe.

Please select the data subject category that fits you:

As a user of the CybSafe platform we hold the following information about you:

  • Name
  • Email address of user
  • Name and email address of family or friend member to which user sends awareness module links
  • Password (hashed) 
  • Employer
  • Tenure of employment and other self-reported user characteristics
  • Employee role type
  • Location (country and time zone)
  • SSO Profile Picture
  • Language
  • Phone number
  • Responses to sentiment and culture surveys
  • Goals and recorded progress against goals
  • Responses to phishing exercises and learning module tests
  • Risk score derived from interactions with platform
  • IP Address
  • MAC Address
  • Employee number (SCIM only)
  • Employee type (SCIM only)
  • IMEI number
  • Any personal data accessed by the Services by means of third party data source integrations activated by CybSafe’s customer.
  • User identifiers on third party accounts integrated with CybSafe

This data may come directly from you or from your employer (directly or indirectly via one of their service providers). We hold and process this data for the legitimate interest of fulfilling a business-to-business contract and data processing agreement with your employer. If you have any detailed questions regarding these agreements, please contact the appropriate organisational contact.

For the purposes of this contract, processing includes updating, securing, troubleshooting, adding new features, as well as providing customer support. We also use this data to operate our business, which includes analysing our performance, determining what new features to prioritise, meeting our legal obligations and generally improving and developing our products. We only use anonymised data for analysis of trends or product success metrics.

We will retain this data only for the duration of our contract with your employer and in any event we will delete this information within 90 days of the termination of that contract.

In addition to the third parties mentioned above, and in furtherance of our contractual obligations with your employer we use third party applications such as 

  • customer support and management systems such as Intercom Inc and HubSpot Ltd,
  • email service and performance measurement systems such as SendGrid (part of Twilio Inc),
  • platform error reporting systems such as Sentry (a trading name of Functional Software Inc),
  • advanced platform intelligence systems such as Amplitude Inc,
  • IP and network analytics services such as IPData LLC,
  • automation between preexisting systems such as Zapier Inc; and
  • In certain opt-in cases, machine learning services for the purposes of automation of phishing emails such as Open AI Ireland Ltd. For the avoidance of doubt, your data will not be used to train Open AI’s AI models or algorithms.

All transfers are bound by the rules of GDPR either because the organisation is based in the EU or because the destination country has adequacy (UK and/or EU-US Privacy Framework).

We offer preview, beta or other free-of-charge products and features (“beta”), also called Free Service, Early Access, pilot, limited release, non production and trial, to enable you to evaluate them while providing CybSafe with data about your use of the product, including feedback and device and usage data. As a result, beta can sometimes collect additional data. If you participate in beta, we may contact you about your feedback or your interest in continuing to use the product after general release. You can opt out of this at any time.

Transfers of information over the internet and mobile networks can never occur without any risk, so all transfers are made at the risk of the person transferring the data. It is important that users also take responsibility to ensure that their data is protected. It is the responsibility of the user to keep their login information secret.

As a Partner/Reseller of CybSafe we hold the following information about you:

  • Name
  • Contact details
  • Job title

We hold and process this data for the legitimate interest of fulfilling a business-to-business contract with your organisation.   

We will retain this data for up to seven years from termination of the contract in case there are any queries, unless you request that we delete the data beforehand. At this point data will be irreversibly deleted.

In addition to the third parties mentioned above, we also use third party applications such as Channeltivity LLC and HubSpot Ltd. For more information on the third parties we use when hosting webinars, please see the Webinar and Conference Attendees and Registration tab.

List of approved partners for resale to direct customers:

  1. Softcat Inc
  2. NCC Group Security Services Ltd
  3. Integrity360 Ltd
  4. QA Ltd 
  5. Bytes Ltd
  6. Norm Cyber Limited
  7. Crossword Cybersecurity Ltd
  8. ICA Consultancy Ltd
  9. YorCyberSec Limited
  10. ITC Global Ltd 
  11. Iris Networks 
  12. ITPS
  13. Nowcomm (Fournet Technologies Ltd)
  14. Waterstons Ltd
  15. Viadex

As a supplier to CybSafe we hold the following information about you:

  • Name
  • Contact details
  • Bank details

We hold and process this data for the legitimate interest of fulfilling a business-to-business contract with your organisation or to satisfy and manage a contract with you.

If we are unable to process this data, we would not be able to continue with our contract with you.

We will retain this data for up to seven years from termination of the contract in case there are any queries, unless you request that we delete the data beforehand. Any data relating to financial transactions will be kept for seven years to conform to our legal obligations. At this point data will be irreversibly deleted.

As a potential employee of CybSafe we hold the following information about you:

  • Contact details
  • Name
  • CV
  • Date of Birth
  • Qualifications
  • References
  • Social Media Profile
  • Salary Expectations
  • Right to work
  • Titles
  • Work Experience
  • Pictures and videos
  • Any free text personal data that you may provide in your application. 

This data may come directly from you or from a third party such as a referrer, LinkedIn or a recruitment agency. We hold and process this data as a Controller for the legitimate purpose of managing recruiting. The lawfulness of the processing of personal data is our legitimate interest to simplify and facilitate recruitment.

In order to facilitate our recruitment process we may share, store and process your personal data with third party software platforms, such as LinkedIn, TeamTailor and BambooHR. Please click on the link to the BambooHR privacy notice and this link for the TeamTailor privacy notice.

If we are unable to process this data, we would not be able to process your application.

In the case that we collect sensitive information such as race, ethnicity, religious or political beliefs and disability or genetic information, it is with your consent and for the purposes of managing our diversity objectives.

Should you be unsuccessful in your application we will retain this data for up to 2 years so that we may contact you regarding any future opportunities, unless you request that we delete the data beforehand. At this point the data is irreversibly deleted. 

As an email contact or prospective customer to CybSafe we hold the following information about you:

  • Name
  • Contact details
  • Job Title or Job description
  • Company
  • Location

We act as a Controller for the purposes of B2B marketing. This data may come directly from you or from Data as a Service providers. We hold and process this data for the legitimate interest of communicating with you, either for standard business communications or for marketing.

We will retain this data for up to three years from our last contact with you, unless you request that we delete the data beforehand. At this point the data will be irreversibly deleted.

At various places on our website (and its subdomains) such as the Contact Us, Behave Hub, Request a Demo or Get in Touch pages, you may also choose to provide personal data that will allow us to manage our response to your request for further details of our products and services in our legitimate interests. In order to facilitate our communications with you we may use third party applications such as HubSpot Ltd. We will retain these marketing details for up to three years. At this point the data is irreversibly deleted.

Similarly, if you contact our DPO, you may choose to provide personal data that will allow us to manage our response to your enquiry relating to data protection and privacy matters – we will retain a log of your enquiry for up to six years in case of future related enquiries. At this point the data is irreversibly deleted. 

As an attendee, participant or guest speaker at one of our business conferences or webinars we process the following personal information about you:

  • Name
  • Contact details
  • Job Title or job description
  • Company
  • Qualifications

We hold and process this data for the legitimate interest of fulfilling a business-to-business contract with your organisation, or the processing is necessary for the performance of a contract or the process of negotiating a contract. We do this as a controller of personal data.

In order to facilitate our communications with you we may use third party applications such as HubSpot Ltd and Intercom Inc, and online conference facilitators such as Zoom or Microsoft Teams.

When we host a conference or webinar jointly with other companies (joint controllers) we may share the registrations and attendees with those companies in our legitimate interest, or for the purposes of negotiating a contract with your business. These joint controllers are responsible for the lawful processing of your personal data. Their privacy notices may be accessed by clicking on the company logo, or you may request the relevant information notices directly from them.

Normally, this means we will retain your personal information for three years, unless you request that we delete it beforehand. At this point the data is irreversibly deleted.

Last updated: 01 April 2024