Privacy Policy

How we collect, use and protect your personal data

Last Updated: 20 April 2026  •  Version 1.1

Who we are

SME Cyber Solutions Ltd is a company registered in England and Wales (company number 16090305) with its registered office at 4 Manor Crescent, Liverpool, L25 8RA. We provide agentic AI solutions, Cyber Essentials certification support, ethical hacking and cyber security software to small and medium businesses.

We are the data controller for personal data collected through our website at smecybersolutions.com and our automated agent platform at brain.smecybersolutions.com. We are registered with the Information Commissioner's Office under reference ZB860789.

How to contact us about privacy

Our Data Protection Officer is Neil Campbell. You can reach him on privacy matters at [email protected]. You can also write to us at the registered office address above.

If you are unhappy with how we have handled your personal data, you can complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. We would appreciate the chance to resolve your concern first.

What this policy covers

This policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with and what rights you have. It covers our public website, our automated enquiry handling platform and the onboarding process for new clients.

Detailed information about cookies and similar technologies used on our website is set out in our separate Cookie Policy. This Privacy Policy summarises the cookie position at a high level and cross-references the Cookie Policy for specifics.

This policy does not cover third-party websites we link to. Those have their own privacy policies and we are not responsible for them.

The information we collect

Information you give us directly

When you submit a form on our website or send us an enquiry, we collect the information you provide. This typically includes your name, email address, phone number (if you share it), the name of your business and whatever you tell us in the free-text part of the enquiry.

When you become a client and go through our onboarding wizard, we collect additional technical information about your business: contact details for your technical staff, information about your domain, email authentication setup, DNS configuration, hosting provider and existing security tooling. This information is necessary for us to deliver the service you have engaged us for and is treated with particular care, including encryption at rest.

Information we collect automatically

When you use our free security scanner tools, we record the domain or IP address you submit along with the time of submission and your own IP address. This is kept to rate-limit the tools, prevent abuse and maintain availability of the service for other users.

When you interact with a form protected by reCAPTCHA (specifically our free security tools and our Grow London enquiry form), Google processes your IP address, browser characteristics and interaction signals to determine whether the submission is from a human or a bot. This is a security measure described in more detail below.

When you visit our website, and only if you accept non-essential cookies through our consent banner, we collect analytics information about your visit through Google Analytics and Ahrefs Web Analytics. See the Cookie Policy for details.

Information we do not collect

We do not knowingly collect personal data from children under 13. We do not collect special category data as defined under Article 9 of the UK GDPR (for example data about your health, ethnicity, political opinions or biometric identifiers). If you believe you have submitted information in one of these categories through one of our forms, please contact our DPO so we can delete it.

Why we use your data and our lawful basis

We use your data for the following purposes. For each purpose, we identify our lawful basis under Article 6 of the UK GDPR.

Purpose | Lawful basis | What this looks like in practice
Responding to enquiries you send us | Legitimate interests, Article 6(1)(f) | Receiving, reading and replying to the enquiry you submitted
Delivering services to clients | Contract, Article 6(1)(b) | Onboarding, service delivery, support and invoicing
Keeping records for tax and accounting | Legal obligation, Article 6(1)(c) | Retaining transactional records for 6 years (Companies Act 2006, HMRC rules)
Running security scanner tools safely | Legitimate interests, Article 6(1)(f) | Logging tool use to prevent abuse and maintain availability
Protecting forms from bots and abuse | Legitimate interests, Article 6(1)(f) | Using Google reCAPTCHA on forms to distinguish humans from automated submissions
Measuring and improving our website | Consent, Article 6(1)(a) | Analytics and traffic measurement, only if you accept the consent banner
Meeting our regulatory obligations | Legal obligation, Article 6(1)(c) | Responding to rights requests, co-operating with the ICO, maintaining records

For the legitimate interests purposes above, we have completed a legitimate interests assessment that balances our interest in running the business against your rights. The assessment is available on request.

How long we keep your data

We keep different data for different periods depending on what the data is and why we hold it. When the period expires, the data is deleted by automated processes running daily.

What | How long
Raw enquiry submissions | 30 days from submission
Contact records for prospective clients (leads) | 24 months from your last contact with us
Contact records for active clients | For the duration of our relationship
Contact records for former clients | 6 years after the relationship ends (legal record-keeping)
Security scanner tool logs | 90 days from the log entry
Rate-limit records | 30 days from the relevant activity
Onboarding intake (while in progress) | Until the onboarding wizard is complete
Onboarding intake (completed, archived) | 12 months from archive date
Agent platform activity logs | 30 days, rolling
Rights request correspondence | 3 years after closure, for audit

Who we share your data with

We share your data only with the service providers we need to run our systems. We remain the data controller; they act as processors under written contracts that include UK GDPR data protection terms.

Processor | Purpose | Location | Transfer safeguard
IONOS SE | Hosting our servers and databases | Germany | UK-EU adequacy decision
Mistral AI | AI processing of enquiry content for triage and classification | France | UK-EU adequacy decision
Google LLC | Analytics (GA4), tag management (GTM) and bot detection (reCAPTCHA) | United States | Standard Contractual Clauses with UK Addendum
Ahrefs Pte Ltd | Web analytics for SEO insight | Singapore | Standard Contractual Clauses with UK Addendum

We do not sell your data, we do not rent it and we do not share it with marketing partners.

We may disclose your data where required by law, for example in response to a valid request from a law enforcement or regulatory authority. We will only do so where the request is properly constituted and will challenge requests we consider inappropriate.

International transfers

Our primary hosting and AI processing both take place within the European Union, which is covered by the UK-EU adequacy decision and requires no additional safeguards. Where we use analytics or security providers based outside adequate territories, transfers are covered by the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, as noted in the table above.

Cookies and tracking

Our website uses cookies and similar technologies. A consent banner on first visit blocks all non-essential cookies until you make an explicit choice. If you accept, analytics cookies load. If you reject, only strictly necessary storage is used.

A separate Cookie Policy provides the detailed breakdown including cookie names, durations and specific purposes. The summary below names the categories and providers at the level appropriate for this policy.

Category | Provider | Purpose | Consent needed?
Strictly necessary | SME Cyber Solutions | Recording your consent preference | No
Analytics | Google (Analytics 4, Tag Manager) | Understanding how visitors use the site | Yes
SEO analytics | Ahrefs | Search performance and referral analysis | Yes

You can withdraw consent at any time by reopening the consent banner (a link is available in the site footer) and changing your choices. Withdrawing consent does not affect processing that took place while consent was active.

We also use Google Search Console and Bing Webmaster Tools, which report on how our pages appear in Google and Microsoft search results. These are aggregate data feeds provided to us by the search engines and do not involve cookies on your device.

Form security and reCAPTCHA

We use Google reCAPTCHA on forms that are particularly targeted by automated abuse: our free security scanner tools and our Grow London enquiry form. reCAPTCHA analyses how you interact with the page to determine whether you are a human or a bot, which lets us protect these forms without requiring you to solve puzzles or identify images.

reCAPTCHA is provided by Google LLC. When you visit a page where reCAPTCHA is loaded, Google receives your IP address, browser characteristics and information about your interaction with the page. Google uses this solely for bot detection on our behalf, under its service-specific terms.

We treat reCAPTCHA as a security measure necessary to protect our forms from abuse and so to protect the personal data submitted through them. It is engaged on the legitimate interests basis set out earlier, not on consent, in line with our position that form protection is essential to the secure operation of the service.

If you object to reCAPTCHA being loaded on pages you visit, please contact our DPO so we can discuss options. We recognise that the sitewide load of the reCAPTCHA library is broader than strictly form-level protection, and we are reviewing whether to scope the library to only the pages that host protected forms.

Your rights

Under UK GDPR, you have the following rights in relation to your personal data.

  • The right to be informed, which this policy is designed to satisfy
  • The right of access, to see what personal data we hold about you
  • The right to rectification, to correct inaccurate or incomplete data
  • The right to erasure, also known as the right to be forgotten, subject to the legal retention requirements set out above
  • The right to restrict processing while you challenge its accuracy or our lawful basis
  • The right to data portability, to receive your data in a structured machine-readable format
  • The right to object to processing based on legitimate interests
  • Rights relating to automated decision-making and profiling

To exercise any of these rights, email our DPO at [email protected]. We will respond within one calendar month of receiving your request. If the request is complex or we receive a high volume of requests, we may extend this by a further two months and will tell you if we do.

We may ask you to verify your identity before we act on a request. This is to protect your data from someone who might impersonate you.

There is no fee for rights requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act. We have not yet charged a fee or refused a request on these grounds.

Security

We take security seriously. It is core to our business. Specific measures include encrypted storage for sensitive onboarding data using authenticated encryption, access controls on our servers restricted to the DPO, atomic file-write patterns to prevent corruption, daily automated retention purges with audit logging, rate limiting on public forms, consent-gated tracking and separation of encryption keys from the data they protect.

No security posture is perfect. If we ever suffer a breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and will contact you directly if the breach is high risk.

Marketing

We do not currently send marketing emails. If we begin to in future, we will update this policy, describe the lawful basis (which will be either your consent or the soft opt-in exception for existing customers) and provide an unsubscribe mechanism in every message. You will have the right to object at any time.

Automated decision-making

We do not make decisions about you based solely on automated processing. Our agent platform performs automated triage and classification of inbound enquiries to help us respond efficiently, but no decision with legal or similarly significant effect is taken on that basis alone without human review. reCAPTCHA produces a bot-likelihood score, but a score indicating likely bot activity does not on its own deny service; it flags the submission for review.

Changes to this policy

We may update this policy from time to time. When we do, we will update the version number and date at the top of the page. Significant changes will be notified where we can reasonably do so, for example via a notice on the website. The current policy is always available at smecybersolutions.com/privacy-policy.

Questions about this policy?

If you have any questions about how we handle your data, contact our Data Protection Officer:

📧 [email protected]
📞 07917 858 362
📄 View our Cookie Policy