Privacy Policy

At Privci, we're committed to protecting privacy both within our platform and in how we handle your data. This policy explains how we collect, use, and protect information in our mission to strengthen human‑centred cybersecurity.

Last Updated: January 2026
1

Overview & Commitment

Privci Ltd ("we", "us", "our") is a behavioural cybersecurity company headquartered in London, UK. We operate the Human Vulnerability Scanner platform and related services.

Our Philosophy: As a company dedicated to improving human cybersecurity behaviour, we believe in practicing what we preach. Our privacy practices reflect the same ethical, transparent, and security‑first approach we advocate for our clients.

Scope of This Policy

This Privacy Policy applies to:

  • Visitors to our website (privci.com, privci.io)
  • Users of our Human Vulnerability Scanner platform
  • Participants in our behavioural research studies
  • Enterprise clients and their employees

Company Information

Company Name: Privci Ltd

Company Number: 13319659

Registered Address: 85 Great Portland Street, First Floor, London W1W 7LT, United Kingdom

Data Protection Officer: privacy@privci.com

2

Data We Collect

We collect different types of information depending on your relationship with Privci:

Website Visitors

  • Basic Information: IP address, browser type, device information
  • Usage Data: Pages visited, time spent, referral sources
  • Contact Information: When you submit forms, we collect name, email, and company details

Platform Users (Human Vulnerability Scanner)

  • Account Information: Email, username, organisation details
  • Behavioural Data: Security‑related behaviours, training interactions, risk assessments
  • Technical Data: System logs, API usage, security events
  • Research Data: Anonymised behavioural patterns for research purposes

Important: Our platform is designed to focus on behavioural patterns rather than personal content. We do not read emails, monitor personal communications, or access sensitive personal data unless explicitly required for security analysis and with appropriate consent.

Enterprise Clients

  • Billing Information: Payment details, subscription plans
  • Administrative Data: User management information, organisational structure
  • Security Data: Threat intelligence, risk assessment results

3

How We Use Your Data

We use collected data for specific, legitimate purposes aligned with our mission:

Service Delivery

To provide and maintain our Human Vulnerability Scanner platform and related services

Behavioural Analysis

To analyse security behaviours and provide personalised risk assessments

Research & Development

To improve our behavioural models and develop new cybersecurity interventions

Platform Improvement

To enhance user experience, fix bugs, and develop new features

Communication

To send important updates, security alerts, and service information

Training & Education

To provide personalised cybersecurity training and awareness content

Legal Basis for Processing

  • Contractual Necessity: To provide services you've requested
  • Legitimate Interest: For research, security, and service improvement
  • Consent: For optional features and marketing communications
  • Legal Obligation: To comply with legal and regulatory requirements

4

Data Sharing & Third Parties

We may share data with trusted third parties in limited circumstances:

| Third Party Type | Purpose | Data Shared |
| --- | --- | --- |
| Cloud Infrastructure (AWS, Google Cloud) | Hosting and infrastructure services | Platform data, behavioural metrics |
| Payment Processors (Stripe, PayPal) | Payment processing and billing | Billing information, subscription details |
| Research Partners (Academic institutions) | Behavioural cybersecurity research | Anonymised, aggregated data only |
| Security Services (Threat intelligence providers) | Security monitoring and threat detection | Security logs, threat indicators |

Our Commitments

  • We never sell personal data to third parties
  • All third‑party relationships are governed by strict data processing agreements
  • We anonymise or pseudonymise data before sharing for research purposes
  • We comply with international data transfer regulations (including GDPR and UK GDPR)

5

Security Measures

As a cybersecurity company, we implement robust security measures:

Encryption

All data encrypted in transit (TLS 1.3+) and at rest (AES‑256)

Access Controls

Role‑based access, multi‑factor authentication, regular audits

Network Security

Firewalls, intrusion detection, DDoS protection, regular penetration testing

Monitoring & Logging

24/7 security monitoring, SIEM integration, anomaly detection

Our Security Standards: We adhere to NIST Cybersecurity Framework practices. We undergo regular third‑party security assessments and penetration testing to ensure our defences remain effective.

Incident Response

We maintain a comprehensive incident response plan and will notify affected parties and regulators in accordance with legal requirements if a data breach occurs.

6

Your Rights & Choices

You have rights regarding your personal data:

Right to Access

Request a copy of your personal data we hold

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your data under certain conditions

Right to Restrict

Limit how we use your data in specific circumstances

Right to Portability

Receive your data in a structured, commonly used format

Right to Object

Object to certain types of processing

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@privci.com. We will respond within 30 days and will not charge for legitimate requests.

7

Data Retention

We retain data only as long as necessary:

| Data Type | Retention Period | Notes |
| --- | --- | --- |
| Account Information | While account active + 2 years | Extended for enterprise compliance requirements |
| Behavioural Data | 5 years | Anonymised after 2 years for research |
| Security Logs | 1 year | Extended for investigation purposes |
| Billing Records | 7 years | Legal and tax compliance |
| Research Data | Indefinite (anonymised) | Used for longitudinal behavioural studies |

Data is securely deleted or anonymised at the end of retention periods. Research data is maintained indefinitely in anonymised form to support longitudinal behavioural cybersecurity studies.

8

Contact & Updates

Contact Information

Privacy Inquiries

privacy@privci.com

Data Protection Officer

dpo@privci.com

Registered Office

85 Great Portland Street, First Floor
London W1W 7LT, United Kingdom

Policy Updates

We may update this policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or platform notifications. The "Last Updated" date at the top indicates when changes were made.

Questions? If you have questions about this policy or our privacy practices, please contact our Data Protection Officer. We're committed to transparency and will respond promptly to all inquiries.