Privacy Policy
Last Updated: April 17, 2025
This Privacy Policy describes how CybrDoc ("we", "us", or "our") collects, uses, and protects your personal information when you visit our website (cybrdoc.com), contact us through our forms, or use any of our cybersecurity services.
As a cybersecurity company, we hold ourselves to the highest standards of data handling. We collect only what we need, protect it rigorously, and give you full control over your personal data. We comply with India's Digital Personal Data Protection (DPDP) Act 2023, the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (EU GDPR 2016/679) for our international clients, and all applicable data protection legislation.
Please read this policy carefully. If you have questions, contact us at mail@cybrdoc.com.
1. Information We Collect
We collect information in three ways:
Information you provide directly. When you submit our contact form, subscribe to our newsletter, or engage our services, you may provide: your full name, business email address, phone number, company name, and the content of your message.
Technical data collected automatically. When you visit our website, our web server logs may record your IP address, browser type, operating system, referring URL, pages visited, and timestamps. This data is collected for security monitoring, fraud prevention, and performance optimisation.
Cookies and local storage. We use a small number of essential cookies required for the website to function. We do not use advertising cookies or third-party tracking pixels. See Section 4 for full details.
We do not collect sensitive personal data (such as health, financial, or biometric data) and do not knowingly collect data from individuals under the age of 16.
2. How We Use Your Information
We use the information we collect for the following purposes, each of which has a lawful basis under applicable data protection law:
Service delivery (Contractual necessity). To respond to your enquiries, provide quotations, deliver cybersecurity assessments, and fulfil any engagement you enter into with us.
Communications (Legitimate interest / Consent). To send you updates directly related to an active engagement, respond to support requests, and — where you have opted in — send our cybersecurity newsletter.
Website security and fraud prevention (Legitimate interest). To monitor for malicious traffic, detect and block automated attacks, and protect our infrastructure and other users.
Legal compliance (Legal obligation). To comply with applicable laws, regulatory requirements, and court orders, and to protect our legal rights.
Business improvement (Legitimate interest). To analyse how our website is used in aggregate (no individual profiling) in order to improve content and user experience.
We will never use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
5. Data Security
As a cybersecurity company, data protection is not an afterthought — it is central to how we operate. We apply the following technical and organisational measures to protect your personal data:
Encryption in transit. All traffic between your browser and our website is encrypted using TLS 1.2 or higher. We enforce HTTPS across all pages with HTTP Strict Transport Security (HSTS) headers.
Encryption at rest. Personal data stored in our database is held on encrypted storage volumes. Database access is restricted to authenticated server processes only — no direct public database access is permitted.
Access controls. Only authorised CybrDoc personnel with a legitimate need to access personal data (e.g., to respond to your enquiry) are granted access. All admin access is authenticated with strong credentials and logged in an immutable audit trail.
Input validation and injection prevention. All form submissions are validated and sanitised server-side. Our application is built with protection against SQL injection, XSS, CSRF, and other OWASP Top 10 attack vectors.
Vendor security. We only use service providers who maintain appropriate security standards and sign Data Processing Agreements (DPAs) with us.
Despite these measures, no internet transmission is 100% secure. If you believe your data has been compromised, contact us immediately at mail@cybrdoc.com.
6. Third-Party Services
We use a small number of carefully selected third-party services to operate our website and deliver our services. Each acts as a data processor on our behalf, bound by a Data Processing Agreement:
Hosting provider. Our website and database are hosted on infrastructure that processes IP addresses and access logs. We have a DPA in place with our hosting provider.
Email delivery. We use a transactional email service to send contact form acknowledgements, newsletter confirmation emails, and newsletter issues. Your email address is transmitted to this service for the purpose of delivery only.
Payment processing. If you engage our paid services, payment is processed by a PCI DSS-compliant payment processor. We do not store your payment card details at any point.
We do not use data brokers, advertising networks, or analytics platforms that aggregate your data with other sources. We do not sell, rent, or trade your personal information to any third party under any circumstances.
A current list of our sub-processors is available on request at mail@cybrdoc.com.
7. Your Rights
Depending on your location, you have rights under applicable data protection law (India's DPDP Act, the Australian Privacy Act, or the EU/UK GDPR). We will respond to all verified requests within 30 days:
Right of access (Article 15). You can request a copy of all personal data we hold about you, including the categories of data, the purposes of processing, and any recipients.
Right to rectification (Article 16). If any personal data we hold is inaccurate or incomplete, you have the right to have it corrected.
Right to erasure (Article 17). You can request deletion of your personal data. We will comply unless we have a legal obligation or legitimate interest that requires retention (e.g., records of a commercial contract).
Right to restrict processing (Article 18). You can ask us to restrict how we use your data while a dispute is resolved, rather than deleting it outright.
Right to data portability (Article 20). You can request a copy of data you provided to us in a commonly used, machine-readable format (JSON or CSV).
Right to object (Article 21). You can object to processing based on legitimate interest (e.g., direct marketing). We will stop unless we can demonstrate compelling grounds.
Right to withdraw consent (Article 7). Where processing is based on your consent (e.g., newsletter subscription), you can withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint. If you are dissatisfied with our response, you may lodge a complaint with the relevant authority in your jurisdiction — for example, India's Data Protection Board, the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or the EU/UK supervisory authority for your country.
To exercise any of these rights, email mail@cybrdoc.com with the subject "Data Subject Request". We may need to verify your identity before processing your request.
8. Data Retention
We retain personal data for the minimum period necessary for the purpose it was collected, after which it is securely deleted or anonymised:
Contact form submissions. Retained for 24 months from the date of submission to allow follow-up on security enquiries and engagements. After this period, submissions are purged.
Newsletter subscriptions. Retained for as long as you remain subscribed. If you unsubscribe, your email address is deleted within 30 days. We retain a suppression record of unsubscribed addresses to ensure we do not re-add you.
Active client data. Personal data related to an ongoing or completed service engagement is retained for 6 years from the end of the engagement to meet our legal and contractual obligations, including tax and audit requirements.
Web server logs. Access logs containing IP addresses are retained for 90 days for security monitoring purposes, then permanently deleted.
Admin audit logs. Records of admin panel actions are retained for 12 months for security and accountability purposes.
You may request early deletion of your data subject to the exceptions noted in Section 7 above.
9. Contact Us for Privacy Concerns
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our privacy team:
Email: mail@cybrdoc.com
Subject line: "Privacy Policy Enquiry" (for general questions) or "Data Subject Request" (to exercise your rights)
We will acknowledge your email within 2 business days and provide a full response within 30 calendar days.
For escalated concerns or if you are unsatisfied with our response, you have the right to complain directly to the relevant supervisory authority in your jurisdiction.
We take all privacy concerns seriously and commit to resolving them promptly and transparently.
This policy was last reviewed and updated on April 17, 2025. We may update it periodically — check this page for the latest version.
