This Privacy Policy explains how 786 Cyber Limited ("786 Cyber", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our platform at https://786cyber.com ("Services"). We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller Information
The data controller responsible for your personal data is:
For any queries relating to this Privacy Policy or your personal data, please contact us at the email address above.
2. What Personal Data We Collect
We collect personal data in the following categories:
2.1 Account Data
When you register for an account, we collect:
- Full name
- Email address
- Password (stored as a secure hash; we never store passwords in plain text)
- Profile photo (if provided)
- Account creation date and last login date
- Authentication method (email/password or Google Sign-In)
2.2 Company / Organisation Profile Data
When you set up an organisation on the platform, we collect:
- Organisation name and trading name
- Industry sector
- Employee count and device count
- Geographic regions of operation
- Website URL
- Company logo (uploaded by you)
- Contact name, email address, and phone number
- Internet services and cloud providers in use
- Existing compliance certifications (e.g. ISO 27001, Cyber Essentials)
- Known vulnerabilities and risk concerns (as self-reported)
- Date of last penetration test
2.3 Usage Data
When you use the Services, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Pages visited and features used within the platform
- Session duration and timestamps
- Errors and diagnostic information
- Device identifiers
2.4 Compliance and Security Data
When you use features such as the Compliance Wizard, Policy Vault, or Controls Vault, we process:
- Compliance questionnaire responses
- AI-generated compliance roadmaps and recommendations
- Policy documents you create or upload
- Security controls and their implementation status
- Audit evidence and supporting documentation
2.5 Payment Data
When you subscribe to a paid plan, we collect:
- Billing name and address
- Payment card details (processed and stored by Stripe; we do not store card numbers on our systems)
- Transaction history and invoice records
- VAT number (where applicable)
2.6 Communications Data
If you contact us via email, support channels, or feedback forms, we collect:
- Your name and email address
- The content of your communication
- Any attachments you send us
3. How We Use Your Personal Data
We use your personal data for the following purposes:
| Purpose | Description |
|---|---|
| Service delivery | To provide, operate, and maintain the 786 Cyber platform |
| Account management | To create and manage your user account and organisation |
| AI-powered features | To generate compliance roadmaps, policy suggestions, and security recommendations using the Claude API |
| Billing and payments | To process subscription payments and manage invoices |
| Customer support | To respond to your queries, support requests, and feedback |
| Security and fraud prevention | To detect, prevent, and investigate security incidents or misuse |
| Platform improvement | To analyse usage patterns and improve our Services (using aggregated/anonymised data where possible) |
| Legal compliance | To comply with our legal obligations under applicable law |
| Communications | To send you service-related notifications, security alerts, and (where consented) marketing communications |
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
Contract (Article 6(1)(b)): Processing necessary to perform our contract with you — including account creation, service delivery, and billing.
Legitimate Interests (Article 6(1)(f)): Processing for our legitimate business interests, including platform security, fraud prevention, product improvement, and customer support, where these interests are not overridden by your rights.
Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable law, including tax records, anti-money laundering obligations, and responding to lawful requests from authorities.
Consent (Article 6(1)(a)): Where we rely on your consent (e.g. for marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
5. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Organisation and compliance data | Duration of subscription + 30 days after termination |
| Payment and billing records | 7 years (UK tax law requirement) |
| Usage and log data | 90 days rolling |
| Support communications | 3 years from date of last contact |
| Marketing consent records | Until consent is withdrawn + 1 year |
After the applicable retention period, data is securely deleted or anonymised. You may request early deletion of your data subject to our legal retention obligations.
6. Your Rights Under UK GDPR
As a data subject, you have the following rights:
6.1 Right of Access
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month.
6.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
6.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: we may be required to retain certain data to comply with legal obligations.
6.4 Right to Restriction of Processing
You have the right to request that we restrict processing of your data in certain circumstances, such as while a dispute about accuracy is resolved.
6.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
6.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests, including profiling. You also have the right to object to direct marketing at any time.
6.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects concerning you. Our AI-generated outputs are recommendations only and are always subject to human review.
6.8 How to Exercise Your Rights
To exercise any of the above rights, please contact us at: privacy@786cyber.com
We will respond within one calendar month. We may need to verify your identity before processing your request. There is no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.
6.9 Right to Complain
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you contact the ICO.
7. Cookies
7.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our platform. We use cookies to ensure the platform functions correctly and to understand how it is used.
7.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential / Strictly Necessary | Required for the platform to function (e.g. authentication session cookies) | Session / up to 1 year |
| Functional | Remember your preferences (e.g. dark/light mode) | Up to 1 year |
| Analytics | Understand how users interact with the platform (anonymised) | Up to 2 years |
7.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the platform. We will display a cookie consent notice on your first visit and respect your preferences.
8. Third-Party Services and Sub-processors
We use the following third-party services to operate the platform:
8.1 Google Firebase (Google LLC)
Data processed: Account data, organisation data, compliance data, usage logs
Location: United States (with Standard Contractual Clauses in place)
Privacy policy: https://firebase.google.com/support/privacy
8.2 Anthropic (Claude API)
Data processed: Compliance questionnaire responses, policy requests, and prompts (we minimise personal data sent to the API)
Location: United States (with appropriate safeguards in place)
Privacy policy: https://www.anthropic.com/privacy
8.3 Stripe (Stripe Payments Europe, Ltd.)
Data processed: Billing name, address, payment card details, transaction records
Location: European Economic Area / United States
Privacy policy: https://stripe.com/gb/privacy
8.4 Other Services
We may use additional third-party tools for analytics, error monitoring, and customer support. We will update this section as new sub-processors are added. A full list is available on request.
9. International Transfers of Personal Data
Some of our sub-processors (including Google Firebase and Anthropic) are based in the United States. Transfers of personal data to the United States and other countries outside the UK are conducted in accordance with UK GDPR requirements, specifically:
- Reliance on Standard Contractual Clauses (SCCs) approved for use with UK transfers
- Transfer Impact Assessments (TIAs) conducted where required
- Binding Corporate Rules where applicable
By using the Services, you acknowledge that your data may be transferred to and processed in countries outside the UK. We take all reasonable steps to ensure such transfers are adequately protected.
10. Data Security
We implement a range of technical and organisational security measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (Firebase default encryption)
- Role-based access controls within the platform
- Firebase Authentication for secure login, including multi-factor authentication options
- Regular review of security practices and sub-processor security assessments
- Incident response procedures for data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
11. Children's Data
Our Services are intended for business use by adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or via an in-app notice. The "Last updated" date at the top of this page will always reflect the most recent revision.
We encourage you to review this policy periodically.
13. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
This Privacy Policy was last reviewed and updated in April 2026.