
Privacy & GDPR Policy

DefendVista Ltd is a UK cybersecurity consultancy. We hold personal data as part of running the website and responding to enquiries. We collect the minimum data needed to do our job, we do not sell it, and we do not share it with anyone who does not need it.

This policy explains what data we hold, why we hold it, and what your rights are under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last reviewed: March 2025 · UK GDPR compliant
Your rights at a glance

Eight rights you have over your personal data.

To exercise any of these, contact us at [email protected]. We will respond within one calendar month.

Right to access

Request a copy of the personal data we hold about you, known as a Subject Access Request (SAR).

Right to rectification

Ask us to correct inaccurate data or complete incomplete data we hold about you.

Right to erasure

Request deletion of your personal data where there is no overriding legal reason to keep it.

Right to restrict processing

Ask us to pause processing your data while a dispute about its accuracy or our lawful basis is resolved.

Right to portability

Receive the data you gave us in a structured, commonly used format to transfer to another service where applicable.

Right to object

Object to processing based on legitimate interests. We will stop unless we can demonstrate a compelling legitimate ground.

Rights re: automated decisions

We do not use automated decision-making or profiling that has legal or significant effects on individuals.

Right to complain

Complain to the ICO at ico.org.uk or by calling 0303 123 1113 if you believe we have mishandled your data.

Section 01

Who we are and how to contact us

DefendVista Ltd is the data controller for personal data collected through this website and in connection with our cybersecurity consultancy services. We are registered with the Information Commissioner's Office (ICO) under registration number ZC101247.

For all privacy and data protection enquiries, please contact us at [email protected] or by post to DefendVista Ltd, 124 City Road, London, EC1V 2NX.

We aim to respond to all privacy requests within one calendar month. If your request is complex or you have submitted several requests, we may extend this by a further two months. We will tell you if this is the case.

Section 02

What personal data we collect

We collect only the data necessary for the purpose it is collected. Below is a summary of the categories of personal data we may hold.

| Category | Data held | Source |
| --- | --- | --- |
| Contact and identity | Full name, organisation name, job title (if provided) | Contact form, direct email, phone call |
| Contact details | Email address, phone number (if provided) | Contact form, direct enquiry |
| Enquiry content | The message you submit, enquiry type, sector, and any supporting detail you choose to share | Contact form |
| Consent record | A record of consent given when submitting the contact form | Contact form checkbox |
| Technical and usage data | IP address, browser type, pages visited, referring URL, approximate location (country/region) | Cloudflare, server logs, analytics (if enabled) |
| Incident response data | Operational and technical details shared during an active engagement; may include information about third parties | Phone, email, direct engagement |

What we do not collect

We do not collect special category data (health, ethnicity, beliefs, biometric data) through this website. We do not use advertising trackers, social login integrations, or marketing pixels as a standard practice.

Section 03

How we collect personal data

We collect personal data through the following channels:

  • The contact form on this website. When you submit an enquiry, we collect your name, organisation, email, optional phone number, the nature of your enquiry, your sector, and your message, together with a record of your consent.
  • Direct email and telephone contact. When you email [email protected] or call our advisory line, we may retain a record of that communication and the details you provide.
  • Incident response engagements. When we provide active incident response support, we collect the technical and operational information necessary to deliver that service.
  • Website technology. Cloudflare processes your IP address and request metadata as part of security and content delivery. Server logs and, where enabled, analytics tools may record usage data. See Section 10 for details on cookies.

Section 04

Why we process your personal data

| Purpose | Lawful basis | Detail |
| --- | --- | --- |
| Responding to enquiries | Consent & Legitimate interests | You have asked us to get in touch. Our legitimate interest is to respond to business enquiries in a professional manner. |
| Providing consultancy services | Contract performance | Processing is necessary to perform or prepare to perform a contract for cybersecurity services. |
| Incident response support | Contract & Vital interests | Technical and operational data is processed to deliver the service you have engaged us to provide. |
| Operating the website securely | Legitimate interests | We have a legitimate interest in protecting the site from abuse, malicious traffic, and security threats. |
| Legal and regulatory compliance | Legal obligation | Certain records may be retained to comply with company law, tax obligations, or regulatory requirements. |
| Improving our service | Legitimate interests | Aggregated and anonymised usage data may be used to understand how the website is used and how we can improve it. |

Where we rely on legitimate interests, we have considered those interests against your rights and freedoms. You have the right to object to processing carried out on this basis. See Section 12 for how to contact us.

Section 05

Who we share your data with

We do not sell, rent, or trade personal data. We share data only where necessary to operate our business or deliver a service.

  • Cloudflare, Inc. handles DNS, DDoS protection, and content delivery. Your IP address and request data pass through Cloudflare infrastructure. Cloudflare operates under Standard Contractual Clauses for transfers outside the UK. See cloudflare.com/privacypolicy.
  • Website hosting and platform. Our website runs on a WordPress and Elementor stack. The hosting provider processes server logs and technical data necessary to deliver the website.
  • Email service provider. Emails sent to and from our domain are processed by our email provider in the ordinary course of communication.
  • Professional advisers. Where required, we may share information with legal or accountancy advisers who are bound by professional confidentiality obligations.
  • Law enforcement or regulators. We will disclose personal data where we are legally required to do so or where necessary to protect the rights or safety of individuals.

Sub-processors

We keep a record of third-party processors who handle personal data on our behalf. You may request details of current sub-processors by contacting [email protected].

Section 06

International data transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. The primary transfer occurs via Cloudflare, which relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (UK IDTA) as the transfer mechanism.

We do not transfer personal data to countries or territories without adequate protection unless appropriate safeguards are in place. You may request details of the specific mechanisms used for any transfer by contacting [email protected].

Section 07

How long we keep your data

We retain personal data only for as long as is necessary for the purpose it was collected, unless a longer retention period is required by law.

| Data type | Retention period | Reason |
| --- | --- | --- |
| Contact form enquiries | 12 months from last contact, unless a commercial relationship continues | To manage the enquiry and any follow-up |
| Active client records | Duration of engagement plus 6 years | Legal and contractual obligation; limitation period for claims |
| Incident response records | Duration of engagement plus 6 years | Evidence preservation; legal and insurance requirements |
| Consent records | 3 years from date of consent | To demonstrate lawful basis for processing |
| Website technical logs | Up to 90 days | Security monitoring and abuse prevention |
| Financial and accounting records | 6 years from end of financial year | Companies Act 2006 and HMRC requirements |

At the end of the applicable retention period, personal data is securely deleted or anonymised. You may request early deletion in accordance with your right to erasure (Section 8), unless we have a legal obligation to retain it.

Section 08

Your rights under UK GDPR

You have the following rights in relation to your personal data. These are summarised in the cards at the top of this page. In full:

  • Right of access. You may request a copy of the personal data we hold about you. We will respond within one month. We will not charge a fee for a reasonable request.
  • Right to rectification. If the data we hold about you is inaccurate or incomplete, you can ask us to correct it.
  • Right to erasure. You may ask us to delete your personal data. We will comply unless we have a legitimate reason to retain it, such as a legal obligation or the need to defend a legal claim.
  • Right to restrict processing. You may ask us to pause processing while a dispute about accuracy or lawful basis is resolved.
  • Right to data portability. Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
  • Right to object. You may object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Rights in relation to automated decisions. We do not carry out solely automated decision-making that produces legal or similarly significant effects.
  • Right to withdraw consent. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at [email protected]. We will ask you to verify your identity before we process your request. We will respond within one calendar month.

Section 09

Marketing communications

We do not currently send marketing emails, newsletters, or promotional communications as a routine practice. If we introduce a mailing list or similar in the future, we will only contact you for marketing purposes where you have given explicit consent or where we have a legitimate interest under the rules applicable to business-to-business communications.

You may withdraw consent or object to marketing at any time by contacting [email protected].

Section 10

Cookies and website tracking

This website uses cookies and similar technologies. Our full cookie policy is available at defendvista.com/cookies and covers the types of cookies used, their purpose, and how to manage or withdraw consent.

In summary, we use:

  • Strictly necessary cookies. Required for the website to function. These include Cloudflare security cookies, WordPress session handling, and load balancing cookies. These do not require consent.
  • Functional cookies. Used for features such as remembering preferences. These may require consent depending on configuration.
  • Analytics cookies. Where analytics is enabled on a page, usage data may be collected. We do not use advertising-heavy analytics practices as a default.

You may manage cookie preferences through your browser settings or any consent mechanism displayed on the website. Disabling certain cookies may affect site functionality.

Section 11

How we protect your data

DefendVista is a cybersecurity firm. We apply the same discipline to our own data handling that we recommend to clients.

  • Access to personal data is restricted to staff who need it to do their job, with least-privilege access controls applied.
  • All data in transit is protected by TLS encryption. Data at rest is held on access-controlled infrastructure.
  • Multi-factor authentication is enforced on accounts with access to personal data.
  • We have a documented data breach response procedure aligned with the ICO's 72-hour notification requirement.
  • We review our security controls and data processing practices on a regular basis.

Data breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will notify affected individuals without undue delay where required.

Section 12

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, legal obligations, or the services we offer. The date at the top of this page shows when the policy was last reviewed.

For significant changes, we will take reasonable steps to notify affected individuals. We encourage you to review this page periodically.

Contact us or make a complaint

For any privacy-related request, including Subject Access Requests, rectification, erasure, or complaints about how we have handled your data, please contact us using the details below. We take all privacy matters seriously and will respond within one calendar month.

DefendVista Ltd
Privacy contact: [email protected]
General enquiries: [email protected]
Post: 124 City Road, London, EC1V 2NX

If you are not satisfied with our response, or believe we have breached UK GDPR, you have the right to complain to the Information Commissioner's Office (ICO).

ICO helpline: 0303 123 1113 · ico.org.uk