Privacy Policy
Effective Date: 6 March 2026
CHMS Cyber Security Limited (“Company”, “we”, “us”, “our”) operates the CHMS Cyber Security website and services (“Service”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
CHMS Cyber Security Limited
85 Great Portland Street, First Floor, London, England, W1W 7LT
Company Number: 15650214
Email: [email protected]
For data protection enquiries, contact us at: [email protected]
2. Data We Collect
2.1 Account Data
When you register or contact us, we may collect:
- Full name
- Email address
- Organisation name
- Job title
- Password (hashed, never stored in plaintext)
2.2 Usage Data
When you use our website, we collect:
- Pages visited and time spent
- Interaction logs (features used, timestamps)
- Contact form submissions
- Service enquiry details
2.3 Technical Data
Automatically collected:
- IP address
- Browser type and version
- Device information and operating system
- Time zone and language preferences
- Cookies and similar technologies (see Section 9)
2.4 Data We Do NOT Collect
- We do not collect biometric data
- We do not collect special category data (as defined in Art. 9 UK GDPR)
- We do not monitor or record user keystrokes or screen activity
- We do not collect data from social media profiles without consent
3. How We Use Your Data
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing and operating our services | Performance of contract (Art. 6(1)(b)) |
| Responding to enquiries and support requests | Performance of contract (Art. 6(1)(b)) |
| Sending service notifications | Legitimate interest (Art. 6(1)(f)) |
| Improving our website and services | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (only with consent) | Consent (Art. 6(1)(a)) |
3.1 Legitimate Interest Assessments
Where we rely on legitimate interest as a lawful basis, we conduct balancing tests to ensure our interests do not override your rights and freedoms. You may request copies of these assessments by contacting [email protected].
3.2 What We Do Not Do
- We do not sell your personal data to third parties
- We do not share your data for advertising purposes without consent
4. Data Sharing
We share data only with:
4.1 Service Providers
- Hosting providers: For website and database hosting
- Analytics providers: For website usage analysis (with consent)
- Email service providers: For communication delivery
All service providers are bound by data processing agreements and evaluated for security practices.
4.2 Professional Advisors
Such as lawyers and auditors, where necessary for professional advice.
4.3 Legal Requirements
We may disclose data when required by:
- Court order or legal process
- Law enforcement request (verified and lawful)
- Regulatory requirements
We will notify you of such requests where legally permitted.
5. Data Security
5.1 Security Measures
- All data is encrypted in transit (TLS 1.2+) and at rest
- Access to systems is restricted to authorised personnel with multi-factor authentication
- We conduct regular security assessments of our infrastructure
- Customer data is logically isolated with access controls
5.2 Data Breach Response
In the event of a data breach, we will:
- Notify the ICO within 72 hours where required
- Notify affected users without undue delay
- Document the breach and remediation steps
5.3 Your Responsibility
While we implement strict security measures, internet transmissions are not entirely secure. Please keep your account credentials confidential and notify us immediately if you suspect unauthorised access.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 12 months after deletion |
| Contact form submissions | 24 months from submission |
| Service enquiries | Duration of engagement + 24 months |
| Marketing consent records | Duration of consent + 12 months |
| Website analytics | 26 months (Google Analytics default) |
You may request deletion of your data at any time (see Section 7). Some data may be retained where we have a legal obligation to do so.
7. Your Rights (UK GDPR)
Under the UK GDPR, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data (“right to be forgotten”).
Right to Restriction
Request that we limit processing of your data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interest or for direct marketing.
Right to Withdraw Consent
Withdraw consent for marketing at any time.
To exercise any of these rights, contact: [email protected]
We will respond within one calendar month of receiving your request, as required by UK GDPR.
Right to Complain
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
8. International Transfers
Some of our service providers may operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions where applicable
- Supplementary measures where required
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals (Art. 22 UK GDPR).
Your personal data is not used in any automated decision-making (a decision made solely by automated means without any human involvement).
11. Children
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
If you believe we have inadvertently collected information about a child, please contact us at [email protected].
12. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification to registered users
- Prominent notice on our website
- Updated “Effective Date” at the top of this policy
We encourage you to review this policy periodically to stay informed about how we protect your data.
14. Contact Us
For any privacy-related questions or requests:
CHMS Cyber Security Limited
85 Great Portland Street, First Floor
London, England, W1W 7LT
Company Number: 15650214
Email: [email protected]
Website: https://chmscybersec.net
