We take your privacy very seriously. Please read this privacy statement (‘Policy’) carefully as it contains important information about how your personal information will be used.
1. About us. For the purposes of data protection legislation, the “controller” is Cyber Risk Score ltd (trading as Cyber Risk Score) incorporated in England and Wales under company number 12769595 and having its registered office address at Lumaneri House, Blythe Gate, Blythe Valley Park, Solihull, B90 8AH, i.e. this is the company who is responsible for, and controls the processing of, your personal data (“we”). If you would like to contact us in relation to this Policy please send an email to firstname.lastname@example.org.
2. Information we collect from you. When you do business with us or register for our services we collect certain personal information from you including:
2.1 your contact details (such as your name and email address);
2.2 your age range and gender;
2.3 details of your employment or work sector;
2.4 the types of personal information you keep on your electronic devices;
2.5 the types of activities you carry out online (for example, transactions, socialising and storing content);
2.6 other information in relation to your use of electronic devices (for example as part of our services we may scan your devices for security vulnerabilities and out of date software);
2.7 other personal aspects for us to calculate your online security score.
3. Information about you from other sources. Where you use our services as a result of your employer’s corporate subscription, we may receive personal information about you from your employer, for example your contact details. In providing you with an online security score, and to help protect you against fraud, we may cross check your personal information against data that is already available online in the public domain (for example on the internet or the “deep web”). This is to check whether your details may have been published online as a result of a past data breach.
4. Purposes and legal bases of processing.
4.1 Necessary processing. We may process your personal information for the following purposes on the legal basis that it is necessary for us to provide our services to you:
(a) to process your registration and identify you;
(b) to provide our services;
(c) to carry out billing and administration activities;
(d) to customise our services to you.
Accordingly, your failure to provide your personal information in relation to the above services may hinder or prevent us from providing our services to you.
4.2 We may process your personal information in order to detect and prevent fraud, and to carry out security vetting, on the legal basis that we have a legitimate interest to do so.
4.3 Marketing. We may process your personal information in order to let you know about our products or services that we consider may be of interest to you. We carry out this processing on the legal basis that we have a legitimate interest in marketing our services and only to the extent that we are permitted to do so by applicable direct marketing laws. Please see the section titled “Marketing” below for further information about our marketing activities and regarding your right to opt out.
4.4 Statistical or research purposes. We may anonymise your personal information and aggregate it with other information for statistical or research purposes. We may provide such information to third parties after it has been anonymised so that it cannot be used to identify you.
4.5 Compliance with laws. We may process your personal information in order to comply with applicable laws (for example if we are required to cooperate with a police investigation pursuant to a court order).
5. Who we may provide your personal information to. We may provide your personal information to the following recipients for the purposes set out in this Policy:
5.1 other companies within our group;
5.2 our employees, consultants, agents and service providers;
5.3 law enforcement agencies in connection with any investigation to help prevent unlawful activity.
6. Information transfers. While we are based in Birmingham, we may transfer your personal information to a location (for example to a secure server) outside the European Economic Area, where we consider it necessary or desirable for the purposes set out in this Policy. In such cases, to safeguard your privacy rights, transfers will be made to recipients to which a European Commission adequacy decision applies (this is a decision from the Commission confirming that adequate safeguards are in place for the protection of personal data), or will be carried out under the standard contractual clauses for controller-to-processor transfers approved by the Commission on 5 February 2010 (Commission Decision C(2010)593), a copy of which is available to view on the Commission’s website (http://eur-lex.europa.eu/).
7. Data retention period. We carefully consider the personal data that we store, and we will not keep your information in a form which identifies you for longer than is necessary for the purposes set out in this Policy. You also have the rights referred to in clause 9 in relation to your personal information that we process.
8. Marketing. We may store your contact details, and carry out marketing profiling activities, for direct marketing purposes. Where you have given your consent, or where we are otherwise permitted to do so, we may contact you about our products or services that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by sending an email to
9. Your information rights. We draw your attention to your following rights under data protection law: (i) the right to request a copy of the information that we hold about you and supplementary details about that information; (ii) the right to have inaccurate personal data that we process about you rectified; (iii) the right (in certain circumstances) to have personal data that we process about you blocked, erased or destroyed; (iv) the right to object to the processing of your personal information in the ways described in clauses 4.2 (Security and fraud prevention), and 4.3 and 8 (Marketing); and (v) on or after 25 May 2018, the right to request a copy of your personal data that you have provided to us, in a machine-readable format, in order for you to transmit those data to another organisation. Further information about your information rights is available on the ICO’s website: https://ico.org.uk/.
10. How to contact us. We welcome your feedback and questions. If you would like to contact us in relation to this Policy please send an email to email@example.com.
11. UK information regulator. If you have a concern about the way we handle your personal data you have a right to raise this concern with the UK information regulator, the ICO: https://ico.org.uk.