Privacy Policy

External Privacy Policy

Last Updated: 20 November 2024

1. Introduction

We ask that you read this Privacy Policy carefully as it contains important information on who we are, how and why we collect, store, use and share Personal Data, your rights in relation to your Personal Data and on how to contact us and supervisory authorities if you have a complaint.

This Privacy Policy does not cover any third-party websites which you may access from our website or by using our services. Such third-party websites will be governed by their own separate privacy policies.

If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.

2. Who we are and what we do

Who we are

We are CovertSwarm Limited (“CovertSwarm”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 12564314 and we have our registered office at International House, 36-38 Cornhill, London EC3V 3NG, United Kingdom. We are registered with the UK supervisory authority, the Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZA888886.

What we do

CovertSwarm is a specialist red team of ethical hackers and penetration testers based in the UK. We are committed to protecting the privacy and security of the Personal Data we process about you.

Controller

Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

3. Who this privacy notice applies to

This privacy notice applies to you if:

  1. You visit our website
  2. You purchase goods or services from us
  3. You enquire about our products and/or services
  4. You sign up to receive newsletters and/or other promotional communications from us

4. What Personal Data is

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

5. Personal Data we collect

The type of Personal Data we collect about you will depend on our relationship with you. For the type of Personal Data we collect see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.

The personal information we collect about you may include (but is not limited to):

  • your name, business address and contact details including telephone number, job title and email address;
  • details of any feedback you give us by phone, email, post, submission of a form from our website or via social media;
  • information about the services we provide to you; and
  • technical data including Internet Protocol (IP) address details including your public browser type and version.

We use this personal information for various reasons including to:

  • create and manage your engagement with us;
  • verify your identity;
  • communicate with you when providing our services to you;
  • notify you of any changes to our services that may affect you;
  • improve our services; and
  • send you marketing material.

6. How we collect your Personal Data

We collect personal information about you when you access our website, contact us, send us feedback, purchase services from us or complete customer surveys. We collect this personal information from you either directly, such as when you contact us or purchase services, or indirectly, such as your browsing activity while on our website (see “Cookies” below).

7. Purposes, lawful bases and retention periods

We may process your information on the following lawful bases and for the following purposes (including but not limited to):

| Categories of individuals | Categories of Personal Data | Purpose of Processing | Lawful Basis | Retention Period |
| --- | --- | --- | --- | --- |
| Clients’ personnel | Your name, business address and contact details including telephone number, job title and email address. | To manage the services we deliver to your organisation. | It is in our legitimate interest to ensure we effectively deliver and manage the services we provide to your organisation. | 6 years following the end of our relationship with your organisation. |
| Website visitors | Technical data including Internet Protocol (IP) address details including your public browser type and version. | Help us understand more about visitors to our website, the products and services you are interested in, so we can serve you better. | Consent. | Cookie specific (please see our Cookies Policy here). |
| Clients’ personnel | Your name, business address and contact details including telephone number, job title and email address. | For marketing communications. | Consent. | 6 years following the end of our relationship with your organisation. |
| Clients’ personnel/individuals that sign up to receive our newsletter | Name, job title, work email address, work phone number, company you work for. | To send you newsletters and other promotional material. | It is in our legitimate interest to keep you updated on the services we provide to your organisation or that you may be interested in. | Until you unsubscribe from our newsletter/receiving emails from us. |
| Clients’ personnel | Name, job title, work email address, work phone number, company you work for. | Audit, quality control, performance management and monitoring. | It is in our legitimate interest to ensure that we review how we deliver our services. | 6 years following the end of our relationship with your organisation. |
| Clients’ personnel | Name, job title, work email address, work phone number, company you work for. | Where our use of your personal information is necessary for us to comply with the law (not including contractual obligations, e.g. to comply with applicable data protection and information security laws and for requirements of the Financial Conduct Authority, Anti Money Laundering Regulations, accounting and taxation purposes and reporting requirements). | Legal Obligation | 6 years following the end of our relationship with your organisation (unless another legal retention applies). |

8. Sharing your Personal Data

We may share your Personal Data with our carefully selected third parties. For example, we may use a supplier to provide services which support the services which we provide to you. In this case, we remain responsible for your personal data and will ensure we have a written agreement in place with any third-party provider. We currently use third-party suppliers:

  • for invoice purposes
  • to set up direct debits and payments
  • for software for internal business purposes
  • for marketing and business development purposes

We may also share your Personal Data with:

  • law enforcement or other authorities if required by applicable law; and
  • third parties if there is a change in the ownership of CovertSwarm or any of our assets.

9. International Transfers

Your Personal Data may be processed outside of the UK/EEA. This is because some of the organisations we use to provide our service to you may be based outside the UK/EEA or their servers and/or support services may be based outside the UK/EEA.

We will only transfer your personal information from countries in the UK or EU/EEA to countries outside of the UK or EU/EEA where:

  • the transfer is to a country (or an international organisation) that the UK government/European Commission has determined ensures an adequate level of protection (“Adequacy”);
  • an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses adopted by the UK Government or European Commission (whichever is applicable) have been put in place between the entity in the UK or EU/EEA and the entity located outside the UK or EU/EEA;
  • binding corporate rules have been implemented, where applicable; or where
  • the transfer is otherwise permitted by the law.

If you would like further information, please contact us (see ‘How to contact us’ below). We will not otherwise transfer your personal data outside of the UK or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.

9. Marketing

We would like to send you information about our services and special offers, which may be of interest to you. Where we have your consent or it is in our legitimate interests to do so, we may do this by post, email, telephone, text message (SMS) or automated call. Our marketing practices are all carried out on the basis of legitimate interests, from which you have the option to opt out.

We will only ask whether you would like us to send you marketing messages when you tick the relevant box when submitting requests for assistance or information on any of the public web forms presented upon the www.covertswarm.com website.

If you have previously agreed to being contacted in this way, you can unsubscribe at any time by:

  • contacting us
  • using the ‘unsubscribe’ link in emails

It may take up to 10 business days for this to take place. For more information on your rights in relation to marketing, see ‘Your rights’ below.

10. Cookies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or another electronic device) when you use our website. Our website uses cookies. Please refer to our separate cookies policy to understand how we use cookies and how you can change your consent and preferences.

11. Your rights and how to complain

You have certain rights in relation to the processing of your Personal Data, including to:

  • Right to be informed: You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
  • Right of access (commonly known as a “Subject Access Request”): You have the right to receive a copy of the Personal Data we hold about you.
  • Right to rectification: You have the right to have any incomplete or inaccurate information we hold about you corrected.
  • Right to erasure (commonly known as the right to be forgotten): You have the right to ask us to delete your Personal Data.
  • Right to object to processing: You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
  • Right to restrict processing: You have the right to restrict our use of your Personal Data.
  • Right to portability: You have the right to ask us to transfer your Personal Data to another party.
  • Automated decision-making: You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
  • Right to withdraw consent: If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
  • Right to lodge a complaint: You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

Contact us | ICO

Or by telephone on 0303 123 1113

For supervisory authorities in other countries within the EU see the link below:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

How to exercise your rights

You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.  

12. Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

13. How to contact us

Please contact us if you have any questions about this Privacy Policy or the information we hold about you.

If you wish to contact us, please write to our Data Protection Manager at: Data Protection Manager, CovertSwarm, International House, 36-38 Cornhill, London EC3V 3NG, United Kingdom or email [email protected].

14. Changes to this privacy notice

This Privacy Policy was published on 1/Mar/2024.

We may change this Privacy Policy (and any supplemental privacy notice) from time to time. Any changes will be posted on this page and, where appropriate, notified to you by email.

You can find previous versions of this notice here.