Privacy Policy

We may collect and process the following categories of personal data:

• Identity Data: first name, last name, username or similar identifier, job title. • Contact Data: email address, telephone number, business address. • Technical Data: IP address, browser type and version, time zone setting, browser plug-in types, operating system and platform, and other technology on the devices you use to access our website. • Usage Data: information about how you use our website, products, and services. • Marketing & Communications Data: your preferences in receiving marketing from us and your communication preferences. • Training & Assessment Data: responses to security awareness training modules, phishing simulation results, and risk scores generated through our platform.

We collect data through the following means:

• Direct interactions: when you fill in forms, request a demo, start a free trial, contact our sales team, or correspond with us by email or otherwise. • Automated technologies: as you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns using cookies, server logs, and similar technologies. • Third parties: we may receive personal data about you from analytics providers, advertising networks, and search information providers.

We will only process your personal data where we have a lawful basis to do so under applicable data protection law, including the UK GDPR and the Data Protection Act 2018. The legal bases we rely on include:

• Performance of a contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract. • Legitimate interests: where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. • Legal obligation: where processing is necessary to comply with a legal obligation. • Consent: where you have given clear consent for us to process your personal data for a specific purpose. You may withdraw consent at any time.

We use your personal data for the following purposes:

• To register you as a new customer or platform user. • To deliver and manage our security awareness training and phishing simulation services. • To process and respond to enquiries, demo requests, and free trial sign-ups. • To manage our relationship with you, including notifying you of changes to our terms or policies. • To administer and protect our business and website (including troubleshooting, data analysis, testing, and system maintenance). • To deliver relevant website content and measure the effectiveness of our marketing. • To comply with legal and regulatory obligations.

We do not sell your personal data. We may share your data with:

• Service providers: third-party vendors who provide IT, system administration, and other services on our behalf, bound by appropriate data processing agreements. • Professional advisers: lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services. • Regulators and authorities: where required by law or to protect the rights, property, or safety of DefensityOne Limited, our customers, or others. • Business transfers: in connection with any merger, acquisition, or sale of all or a portion of our assets.

All third parties are required to respect the security of your personal data and to treat it in accordance with applicable law.

Some of our external third-party service providers are based outside the UK or European Economic Area (EEA). Where we transfer personal data outside the UK/EEA, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards, such as standard contractual clauses approved by the UK Information Commissioner's Office (ICO) or the European Commission.

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.

In general, we retain customer account data for the duration of the contractual relationship plus 7 years thereafter.

Under UK GDPR and applicable data protection law, you have the following rights in relation to your personal data:

• Right of access: to request a copy of the personal data we hold about you. • Right to rectification: to request correction of inaccurate or incomplete data. • Right to erasure: to request deletion of your personal data in certain circumstances. • Right to restrict processing: to request that we restrict the processing of your data in certain circumstances. • Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format. • Right to object: to object to processing based on legitimate interests or for direct marketing purposes. • Rights related to automated decision-making: not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, please contact our Data Protection Officer (DPO) using the details in Section 12.

Our website uses cookies and similar tracking technologies to distinguish you from other users and to improve your experience. Cookies are small text files placed on your device.

We use the following types of cookies: • Strictly necessary cookies: required for the operation of our website. • Analytical/performance cookies: allow us to recognise and count visitors and see how they move around our website. • Functionality cookies: used to recognise you when you return to our website. • Targeting cookies: record your visit to our website, the pages you have visited, and the links you have followed.

You can set your browser to refuse all or some browser cookies. However, if you disable or refuse cookies, some parts of our website may become inaccessible or not function properly.

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

DefensityOne Limited has appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy.

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a concern about how we handle your personal data, please contact our DPO:

Data Protection Officer DefensityOne Limited Email: dpo@defensityone.com

You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. Where changes are significant, we will provide a more prominent notice. We encourage you to review this policy periodically.