CyConex
← Back to home
Legal

Privacy Policy

This Privacy Policy explains how CyConex collects, uses, stores, and protects personal data when you use our website and platform, in accordance with UK GDPR and the Data Protection Act 2018.

Last updated: 21 June 2026

1. Who we are

CyConex ("we", "us", "our") provides an agentic assurance platform for cyber and compliance assessments. We are the data controller for personal data collected through this marketing website and for account administration data relating to the CyConex service.

For data protection enquiries, contact us at admin@cyconex.com or via the contact form on www.cyconex.com.

2. Personal data we collect

We may collect and process the following categories of personal data:

  • Identity and contact data — such as your name, email address, organisation name, and job role.
  • Enquiry and communications data — information you provide when requesting a demo, contacting us, or corresponding with our team.
  • Account and usage data — information relating to users of the CyConex platform, including authentication identifiers, audit logs, and activity within authorised workspaces.
  • Evidence and assessment content — documents and metadata uploaded or connected to the platform as part of customer assurance activity. This may contain personal data where it appears in customer-uploaded materials.
  • Technical data — IP address, browser type, device information, and similar data collected through website and platform logs.
  • Cookie data — as described in our Cookie notice.

3. How we use personal data

We use personal data for the following purposes:

  • Responding to demo requests, sales enquiries, and support communications.
  • Providing, operating, securing, and improving the CyConex platform.
  • Managing customer accounts, organisations, projects, and user access.
  • Processing evidence and running assessments on instructions from our customers.
  • Maintaining audit logs, security monitoring, and service reliability.
  • Complying with legal obligations and enforcing our terms.
  • Sending service-related communications where necessary for platform operation.

4. Lawful bases for processing

Under UK GDPR, we rely on the following lawful bases depending on the activity:

  • Contract — where processing is necessary to provide the CyConex service or take steps at your request before entering a contract.
  • Legitimate interests — to respond to enquiries, operate and secure our website and platform, and develop our business, balanced against your rights and freedoms.
  • Consent — where you have given clear consent, for example for non-essential cookies where required.
  • Legal obligation — where we must retain or disclose information to comply with applicable law.

5. Marketing website enquiries

When you submit the demo request or contact form on this website, we collect your name, organisation, email address, and message so we can respond to your enquiry. We retain this information for as long as needed to handle your request and maintain a record of our communications, typically up to 24 months unless a longer period is required for ongoing commercial discussions or legal purposes.

By submitting the form, you acknowledge that we will process your personal data as described in this Privacy Policy.

6. Platform customer data

When organisations use CyConex, we process personal data on behalf of the customer organisation as a data processor in respect of evidence, assessment outputs, and related platform content, and as a data controller for certain account administration and billing data.

Customers are responsible for ensuring they have an appropriate lawful basis to upload evidence and personal data into the platform. A Data Processing Agreement is available to customers and describes our processor obligations in detail.

7. Data sharing and processors

We do not sell personal data. We share data only where necessary to operate the service, respond to enquiries, or comply with law. This may include:

  • Infrastructure providers hosting CyConex in UK Azure regions.
  • Email delivery providers used to send service and enquiry notifications.
  • Identity and authentication services supporting secure platform access.
  • Professional advisers or authorities where required by law.

We require processors to protect personal data through appropriate contractual safeguards and process data only on our instructions where acting as our processor.

8. International transfers

CyConex production services are hosted in the United Kingdom. We design the service so customer platform data is stored and processed within the UK. If limited transfers outside the UK become necessary — for example due to support tooling — we implement appropriate safeguards such as the UK International Data Transfer Agreement or equivalent mechanisms.

9. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Retention periods vary depending on whether data relates to website enquiries, platform accounts, evidence content, or logs. Customers may have additional contractual retention settings within their organisation workspaces.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption, audit logging, and secure development practices. Further detail is available on our Security & trust page and Data Processing Agreement.

11. Your rights

Under UK GDPR, you may have the following rights in relation to your personal data:

  • The right to access a copy of your personal data.
  • The right to rectification of inaccurate data.
  • The right to erasure in certain circumstances.
  • The right to restrict or object to processing in certain circumstances.
  • The right to data portability where applicable.
  • The right to withdraw consent where processing is based on consent.
  • The right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK.

To exercise your rights, contact us at admin@cyconex.com. We may need to verify your identity before responding.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be highlighted on this website where appropriate.