Privacy Policy

1. Who we are

Wolds Cyber Ltd (“we”, “us”, “our”) is an independent cyber security consultancy. We provide Cyber Essentials and Cyber Essentials Plus certification support, security assessments, and related services to small and medium-sized businesses.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Wolds Cyber Ltd is the data controller for the personal data described in this policy — meaning we decide why and how that data is processed.

We have not appointed a statutory Data Protection Officer, as we are not required to under Article 37 of the UK GDPR. Questions about this policy or your personal data can be sent to the email address above.

This policy covers personal data we handle as a controller — for example, when you enquire about our services. Where we process data on behalf of a client during an engagement (for instance, data we encounter while carrying out a security assessment), we usually act as a processor under a separate written agreement, and the client’s own privacy policy governs that data. This website privacy policy does not cover that processing.

2. What personal data we collect

We only collect personal data that we need. Depending on how you interact with us, this may include:

Category	What it includes
Identity and contact details	Your name, business email address, telephone number, and the name of the organisation you represent.
Enquiry details	The content of your message and any information you choose to share about your organisation, its IT, or its security requirements.
Lead-form data	The same contact and enquiry details, where you submit them through a paid-advertising lead-generation form on a third-party platform (see section 11).
Technical and usage data	Information collected automatically when you visit the website — such as IP address, browser type, device information, and pages viewed. The exact technical data depends on the analytics and hosting tools in use (see sections 9 and 10).

We do not intentionally collect special category data (such as health, ethnicity, or political opinions) through this website. Please do not include sensitive personal information in enquiry messages unless it is necessary, and never include other people’s personal data without a lawful reason to do so.

We do not knowingly collect data from children. Our services are aimed at businesses.

3. How we collect your data

We collect personal data in the following ways:

• The website contact form — when you complete and submit a form on this website.
• Direct enquiries — when you email or telephone us, or reply to one of our messages.
• Paid-advertising lead forms — when you submit your details through a lead-generation form hosted on an advertising platform we use (for example, Meta/Facebook Lead Ads or LinkedIn Lead Gen Forms). Those platforms collect the information you provide and pass it to us. See section 11.
• Automatically — through cookies and similar technologies, and through our hosting and analytics tools, when you browse the website (see sections 9 and 10).

4. Our lawful bases for processing

Under Article 6 of the UK GDPR we must have a lawful basis for processing your personal data. The basis we rely on depends on the activity:

What we do	Lawful basis
Responding to your enquiry and taking steps to provide a quote or service you have asked about	Steps prior to a contract / contract — Article 6(1)(b)
Following up on a business enquiry, keeping records of our dealings with you, preventing misuse of the website, and improving our services	Legitimate interests — Article 6(1)(f). Our legitimate interest is running and growing a business and communicating with people who have contacted us, balanced against your rights.
Setting non-essential cookies and analytics, and sending marketing where consent is required	Consent — Article 6(1)(a), in line with PECR. You can withdraw consent at any time.
Meeting legal and regulatory obligations (for example, retaining records for tax or to defend legal claims)	Legal obligation — Article 6(1)(c)

Where we rely on legitimate interests, you have the right to object (see section 12). Where we rely on consent, you can withdraw it at any time without affecting processing carried out before withdrawal.

5. How we use your data

We use the personal data we collect to:

• respond to your enquiry and answer your questions;
• prepare and discuss quotes, scopes of work, and proposals;
• provide and administer the services you engage us for;
• keep records of our communications and business relationship;
• protect the website and our systems against misuse, fraud, and security threats;
• understand how the website is used so we can improve it; and
• comply with our legal and regulatory obligations.

We do not sell your personal data, and we do not use it for automated decision-making that produces legal or similarly significant effects about you.

6. Who we share your data with

We do not share your personal data with third parties for their own marketing. We do share it, only as necessary, with service providers who help us run our business. These providers act as our processors and may only use the data on our instructions under a written contract that meets Article 28 of the UK GDPR. They include:

• our website hosting and content-delivery provider;
• our email and business-productivity provider;
• our analytics provider, where analytics are in use;
• the advertising platforms that host our lead-generation forms (see section 11); and
• professional advisers (such as our accountant) where reasonably required.

We may also disclose personal data where we are required to by law, by a regulator, or by a court, or where disclosure is necessary to establish, exercise, or defend legal claims.

7. International transfers

Our website is hosted in the United Kingdom via Cloudflare Pages (UK/EEA edge infrastructure). Routine enquiry and client data is processed in the UK. Some of our service providers (including advertising platforms and productivity tools) may process data outside the UK. Where that happens, we take steps to ensure your data receives a level of protection essentially equivalent to that under UK law — for example, by relying on UK “adequacy” regulations for the destination country, or by putting in place the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses where applicable.

8. How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this policy, and to meet our legal obligations. As a general guide:

Data	Retention
Enquiries and prospect data that do not lead to an engagement	Up to 24 months from last contact, after which data is deleted or anonymised (UK GDPR data-minimisation — Article 5(1)(e)).
Client records, engagement files, and transaction data	6 years after the end of the engagement. Basis: Limitation Act 1980 (standard limitation period for contract claims) and HMRC record-keeping requirements for VAT-registered businesses.
Financial and tax records	6 years, as required by HMRC and company law.
Website functional cookies	Session duration only (theme preference stored in localStorage — no expiry date but cleared with browser data).

When we no longer need personal data, we delete it securely or anonymise it.

9. How we keep your data secure

As a cyber security consultancy, protecting information is central to what we do. We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include encryption in transit (HTTPS across the website), access controls, and keeping the data we hold to the minimum necessary.

No method of transmission over the internet or of electronic storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required, and will inform you without undue delay where the breach is likely to result in a high risk to you.

10. Cookies and analytics

Cookies are small files placed on your device when you visit a website. Their use in the UK is governed by the Privacy and Electronic Communications Regulations 2003 (PECR) as well as the UK GDPR.

This website uses Cloudflare Web Analytics, a privacy-first, cookieless analytics service. It measures aggregate website usage (such as page views and referrers) without setting cookies, without storing or accessing any information on your device, and without collecting personal data or tracking you across other websites. We do not use Google Analytics, Meta Pixel, the LinkedIn Insight Tag, or any other cookie-based analytics or advertising tools. No non-essential cookies are set.

We use the following strictly necessary storage only:

• Theme preference — a localStorage entry (woldscyber_theme) stores your light/dark mode preference on your own device. It is never transmitted to our servers and contains no personal data.
• Chat session — a sessionStorage entry stores your current chat conversation in your browser session only. It is cleared when you close the tab and is never transmitted beyond our chat API endpoint. It contains only the messages you choose to send.

No cookie consent banner is required: Cloudflare Web Analytics is cookieless and stores nothing on your device, and the only browser storage we use (above) is strictly necessary. If we introduce cookie-based analytics or advertising tools in future, this policy will be updated and appropriate consent mechanisms put in place before any non-essential cookies are set.

11. Marketing and lead-generation forms

We run paid advertising on third-party platforms, which may include Meta (Facebook and Instagram) Lead Ads and LinkedIn Lead Gen Forms. If you choose to submit an enquiry through one of these forms, the platform collects the details you provide (such as your name, email, telephone number, company, and enquiry) and shares them with us so we can respond.

When you use one of these forms, the advertising platform processes your data under its own privacy terms as well as ours. We use the information only to respond to your enquiry and to discuss the services you have asked about, relying on the lawful bases set out in section 4. Lead enquiries are handled directly by email and are not processed through a third-party CRM at this time.

If we send you direct marketing by electronic means, we will do so in line with PECR — either with your consent or, for existing or negotiating business customers, on a “soft opt-in” basis for similar services. Every marketing message will include an easy way to opt out, and you can tell us to stop at any time by emailing hello@woldscyber.co.uk. You have an absolute right to object to direct marketing.

12. Your rights

Under the UK GDPR you have the following rights in relation to your personal data:

• Right to be informed — to know how your data is used (this policy).
• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to ask us to delete your data, where there is no overriding reason for us to keep it.
• Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
• Right to data portability — to receive certain data in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means.
• Right to object — to object to processing based on our legitimate interests, and an absolute right to object to direct marketing.
• Rights relating to automated decision-making — we do not carry out solely automated decision-making that has legal or similarly significant effects.

To exercise any of these rights, email us at hello@woldscyber.co.uk. We will respond within one calendar month. There is normally no charge, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive. We may need to verify your identity before acting on a request.

13. Complaints and the ICO

If you have a concern about how we handle your personal data, please contact us first at hello@woldscyber.co.uk so we can try to put it right.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator:

• Website: ico.org.uk/make-a-complaint
• Helpline: 0303 123 1113
• Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

14. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or the law. The “last updated” date at the top of this page shows when it was last revised. Where changes are significant, we will take reasonable steps to bring them to your attention.

15. Contact us

For any question about this policy or your personal data, contact: