PRIVACY
NOTICE

Who We Are & Our ICO Registration

Levantis Cyber Limited ("Levantis Cyber", "we", "us", "our") is a company registered in England and Wales, providing penetration testing, red team operations, human security services, and related cyber security advisory services.

We are registered with the Information Commissioner's Office (ICO) and appear on the UK Data Protection Register as a Data Controller of personal information.

This Privacy Notice explains how we collect, use, store, share, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller Contact Details

As Data Controller, we are responsible for deciding how and why personal data is processed. If you have any questions, concerns, or requests relating to this Notice or your personal data, please contact us:

Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity data: full name, job title, and professional role.
• Contact data: email address, telephone number, company name, and business address.
• Communication data: messages and enquiries submitted via our contact form, email correspondence, and telephone calls.
• Technical data: IP address, browser type, device information, and pages visited — collected automatically when you use our website.
• Marketing preferences: your preferences regarding marketing and service communications from us.
• Engagement data: information exchanged during the delivery of contracted services, including scoping documentation and assessment findings.

We do not intentionally collect special category data (such as health information, biometric data, racial or ethnic origin, or political opinions) and ask that you do not submit such information through our website or contact form.

How We Collect Personal Data

• Direct interactions: when you complete our contact form, email us, call us, or engage with us at events.
• Automated technologies: when you visit our website, we automatically collect technical data via cookies and similar technologies. See our Cookie Policy for full details.
• Third parties: we may receive data from publicly available sources (such as LinkedIn or company websites) in the context of business development, or from referral partners.

Lawful Basis for Processing

We process personal data only where we have a lawful basis under Article 6 of UK GDPR:

• Consent (Art. 6(1)(a)): where you have provided explicit consent — for example, via the consent checkbox on our contact form — to be contacted about our services or to receive marketing communications.
• Contract (Art. 6(1)(b)): where processing is necessary to perform a contract with you, or to take pre-contractual steps at your request.
• Legitimate interests (Art. 6(1)(f)): where we have a legitimate business interest that is not overridden by your rights — for example, responding to general enquiries, maintaining business records, and improving our website.
• Legal obligation (Art. 6(1)(c)): where processing is required to comply with a legal or regulatory obligation.

How We Use Personal Data

• To respond to enquiries and scoping requests.
• To deliver contracted cyber security services and produce associated deliverables.
• To send service updates, relevant content, and event information where you have consented.
• To manage our business relationship and maintain accurate records.
• To improve our website and services.
• To comply with our legal and regulatory obligations.
• To protect our legitimate business interests and enforce our contractual rights.

Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share data in limited circumstances:

• Service providers: trusted third parties who process data on our behalf (such as cloud hosting, email, and CRM platforms), bound by data processing agreements.
• Professional advisors: lawyers, accountants, and insurers where necessary.
• Regulatory authorities: where required by law, regulation, or court order.
• Business transfers: in the event of a merger, acquisition, or sale of assets, subject to appropriate safeguards.

Where we transfer data outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised by the UK ICO.

Data Retention

• Contact and enquiry data: up to 24 months from last contact, unless a contract is entered into.
• Client engagement data: for the duration of the contract and up to 7 years thereafter for legal and financial record-keeping purposes.
• Marketing preferences: until you withdraw consent or opt out.
• Website analytics data: in accordance with our cookie settings, typically 12–26 months.

When data is no longer required it is securely deleted or anonymised.

Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access: to request a copy of the personal data we hold about you.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of your data, subject to certain legal exceptions.
• Right to restriction: to request that we restrict processing in certain circumstances.
• Right to data portability: to receive your data in a structured, machine-readable format.
• Right to object: to object to processing based on legitimate interests or for direct marketing.
• Rights related to automated decision-making: not to be subject to solely automated decisions that produce significant effects.

To exercise any of these rights, contact us at privacy@levantiscyber.com. We will respond within one calendar month. We may need to verify your identity before processing your request.

Data Security

As a cyber security company, security is fundamental to our operations. We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Role-based access controls and least-privilege principles.
• Regular security assessments of our own systems and infrastructure.
• Staff awareness and data protection training.
• Documented incident response procedures for personal data breaches.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform affected individuals without undue delay.

Cookies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device that help us understand how you use our website and improve your experience.

We use the following categories of cookies:

• Strictly necessary cookies: essential for the website to function correctly. These cannot be disabled.
• Analytics cookies: help us understand visitor behaviour so we can improve our website. These are only placed with your consent.
• Functional cookies: enable enhanced functionality and personalisation. These are only placed with your consent.
• Marketing cookies: used to track visitors across websites to display relevant content. These are only placed with your consent.

You can manage your cookie preferences at any time via your browser settings. For full details of the cookies we use, how to opt out, and third-party cookies, please see our Cookie Policy.

Complaints & the ICO

If you are not satisfied with how we have handled your personal data or responded to a request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

If you are based in the EU, you may also lodge a complaint with the data protection supervisory authority in your country of residence or place of work.

We would always appreciate the opportunity to address your concerns directly before you approach the ICO, so please contact us first at privacy@levantiscyber.com.

Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The date at the top of this page shows when it was last updated.

Where changes are material, we will take reasonable steps to notify you — for example, by placing a notice on our website or contacting you directly where we hold your contact details.