Privacy Policy.

1. Who We Are

Proactive Security Investigations operates from the United Kingdom and provides professional cybersecurity services including cloud threat hunting, endpoint threat hunting, and digital forensic investigation.

For the purposes of UK data protection law, Proactive Security Investigations is the data controller for personal data collected through this website and in connection with our services.

You can contact us regarding data protection matters at: privacy@proactivesecurityinvestigations.co.uk

2. Data We Collect

We collect personal data in the following ways:

When you submit an enquiry or engagement request:

• Your name and the name of your organisation
• Your email address and telephone number
• Details about your IT environment (number of users, endpoints, cloud platforms)
• Any additional information you choose to provide in the notes field

When you email us directly:

• Your name, email address, and the content of your correspondence

When you visit our website:

• Standard server log data including your IP address, browser type, and pages visited
• This data is collected automatically and is not linked to your identity unless you also submit an enquiry

We do not collect any special category data (such as health, biometric, or criminal record information) through our website.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• To respond to your enquiry and discuss your requirements
• To provide and administer the services you engage us to deliver
• To issue invoices and manage payment for services
• To communicate with you about your engagement, including delivering your findings report
• To comply with our legal and regulatory obligations
• To improve our website and services

We will not use your personal data for unsolicited marketing without your explicit consent.

4. Legal Basis for Processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. Our bases are:

• Contract: where processing is necessary to provide the services you have requested or to take steps at your request before entering into a contract
• Legitimate interests: for responding to general enquiries, improving our services, and maintaining records of our work, where these interests are not overridden by your rights
• Legal obligation: where we are required to process data to comply with applicable law
• Consent: where you have explicitly consented to a specific use, such as receiving marketing communications

5. Data Sharing

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

We may share your data in the following limited circumstances:

• With technology partners and service providers who assist us in delivering our services, under strict contractual obligations to protect your data
• Where we are required to do so by law, court order, or regulatory authority
• In connection with legal proceedings or advice

6. Engagement and Investigation Data

When you commission an investigation or threat hunt, we may access and process data from within your IT environment including logs, telemetry, user activity data, and configuration information. This is necessary to perform the services you have requested.

In this context, your organisation is the data controller for any personal data within your environment, and Proactive Security Investigations acts as a data processor on your behalf. We will:

• Only process data within your environment for the purposes of delivering the agreed engagement
• Not retain copies of your environment data beyond the period necessary to complete the engagement and deliver your report
• Implement appropriate technical and organisational measures to protect any data we access
• Not transfer your environment data outside the UK without appropriate safeguards
• Notify you promptly if we become aware of any personal data breach affecting data we have processed on your behalf

A data processing agreement covering these obligations is included as part of our engagement terms.

7. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

• Enquiry data where no engagement proceeds: deleted or anonymised within 12 months
• Engagement records including correspondence and invoices: retained for 6 years following the end of the engagement, in line with standard UK commercial and tax record-keeping requirements
• Findings reports provided to you: we retain a copy for 3 years to enable us to assist with any follow-up queries
• Data accessed within your environment during an engagement: deleted within 30 days of delivering your final report
• Website log data: retained for up to 90 days

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access: you can request a copy of the personal data we hold about you
• Right to rectification: you can ask us to correct inaccurate or incomplete data
• Right to erasure: you can ask us to delete your data in certain circumstances
• Right to restrict processing: you can ask us to limit how we use your data in certain circumstances
• Right to data portability: you can request your data in a structured, commonly used format
• Right to object: you can object to processing based on legitimate interests
• Rights related to automated decision-making: we do not make automated decisions with significant effects based solely on your personal data

To exercise any of these rights, contact us at privacy@proactivesecurityinvestigations.co.uk. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data correctly. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

9. Cookies

Our website currently uses only essential functional cookies necessary for the site to operate. We do not use advertising, tracking, or analytics cookies.

If we introduce additional cookies in the future, we will update this policy and request your consent where required.

You can control and manage cookies through your browser settings. Disabling cookies will not affect your ability to use this website.

10. Security

We take the security of your personal data seriously. As a cybersecurity firm, we apply the same standards of care to protecting the data we hold about you as we do when investigating our clients' environments.

Our technical and organisational security measures include:

• Encryption of data in transit using TLS
• Access controls limiting who within our organisation can access personal data
• Secure handling and deletion procedures for engagement data
• Regular review of security practices

No method of transmission over the internet is completely secure. If you have concerns about the security of your data, please contact us.

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will update the date at the top of this page.

We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this privacy policy or how we handle your personal data, please contact us:

For complaints or concerns about how we have handled your data, you may also contact the ICO at ico.org.uk/make-a-complaint.