Privacy Notice.

1. Who we are

This Privacy Notice describes how Penz Ltd (trading as ThePenz, "we", "our", or "us"), a company registered in England and Wales with its registered office in London, processes personal data in connection with our website (thepenz.co.uk) and our cybersecurity, governance, risk and compliance services.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Penz Ltd is the data controller in respect of personal data we collect about visitors to our website, prospective clients, clients, suppliers, and contacts. Where we process personal data on behalf of a client (for example, when delivering a phishing simulation programme), we act as a data processor and our client remains the controller; the terms of that processing are set out in a separate Data Processing Agreement.

2. What information we collect

We collect and process the following categories of personal data:

Information you give us

When you contact us through our website form, by email, or by phone, you may provide us with:

• Your name, role and the company you represent
• Your work email address and (optionally) telephone number
• Information about your enquiry, business situation or the services you are interested in
• Any further information you choose to share during our discussions

Information we collect automatically

When you visit our website, our hosting infrastructure may automatically collect:

• Technical information including IP address (in truncated form), browser type and version, operating system, referring URL, and the pages you view
• Information collected via essential cookies (see our Cookie Notice)
• Information collected via optional analytics cookies, only if you have given consent

Information we collect during engagements

If you engage us for services, we may collect additional business information necessary to deliver those services. This may include the names and contact details of your colleagues, business processes, IT environment information, and (where directly relevant) limited categories of personal data within your operational systems. The specific categories will be set out in our engagement letter and any associated Data Processing Agreement.

3. How we use your information

We use your information for the following purposes:

• To respond to your enquiries and provide information about our services
• To deliver our services under an engagement letter, including project management, communication and invoicing
• To send relevant insights or updates where you have subscribed (for example, our monthly Notebook newsletter)
• To improve our website and the services we offer
• To meet our legal, regulatory and professional obligations, including record-keeping, anti-money-laundering checks where applicable, and responding to lawful requests from regulators
• To protect our business, including detecting and responding to security incidents, fraud, and unauthorised access

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Lawful bases for processing

Under the UK GDPR, we rely on the following lawful bases:

• Legitimate interests — to respond to enquiries, manage our business relationships, and protect our infrastructure. We have considered whether our legitimate interests are overridden by your rights and freedoms.
• Performance of a contract — to deliver services under an engagement letter or to take steps at your request before entering into such an engagement.
• Consent — for optional analytics cookies and for marketing communications such as our newsletter. You can withdraw consent at any time.
• Legal obligation — to comply with applicable laws, including tax, accounting, anti-money-laundering, and information-security obligations.

5. Who we share information with

We share personal data only with the following categories of recipient, and only to the extent necessary:

• Service providers who support our operations — for example, our cloud hosting provider (Microsoft Azure), our email provider, our accountancy firm, and our document management tooling. Each is bound by appropriate data protection terms.
• Professional advisers — including legal, audit and insurance providers, where necessary.
• Regulators and authorities — where we are legally required to disclose information.
• Successors — in the event of a sale, merger, reorganisation or transfer of our business or its assets.

We do not sell personal data, and we do not share it with third parties for their own marketing purposes.

6. How long we keep information

We retain personal data only for as long as necessary for the purposes for which it was collected, consistent with applicable legal and professional retention requirements:

• Enquiry data from prospective clients who do not engage us: typically 12 months after the last interaction.
• Engagement records: typically seven years after the end of the engagement, consistent with statutory and professional accountancy and audit retention requirements.
• Newsletter and marketing data: until you unsubscribe, after which we will retain a minimal record (your email address) on a suppression list to honour your unsubscribe request.
• Website server logs: typically 90 days.

Once retention periods expire, we securely delete or anonymise the data.

7. International transfers

Our infrastructure is hosted within the United Kingdom and the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA — for example, to certain support functions of our cloud providers — we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions with a UK adequacy decision.

8. How we protect your information

As a cybersecurity firm, we hold ourselves to a higher standard than most. We operate an internal information security management system aligned to ISO 27001:2022, with technical and organisational controls covering access management, encryption (in transit and at rest), endpoint protection, supplier assurance, incident response, and continuity. All staff complete regular security and privacy training. Suspected security incidents are treated under our internal Incident Response Plan and reportable incidents will be notified to the ICO and affected individuals in accordance with the UK GDPR.

9. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access — to request a copy of the personal data we hold about you
• Right to rectification — to ask us to correct inaccurate or incomplete data
• Right to erasure — to ask us to delete your personal data, subject to legal retention requirements
• Right to restrict processing — in certain circumstances
• Right to object — to processing based on legitimate interests, including direct marketing
• Right to data portability — for data we hold under a contract or with your consent
• Right to withdraw consent — where we rely on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at hello@thepenz.co.uk. We will respond within one calendar month and may need to verify your identity before complying.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk or 0303 123 1113. We would, however, appreciate the opportunity to address your concerns first.

10. Changes to this notice

We may update this Privacy Notice from time to time. The "Last reviewed" date at the top of this page indicates when this notice was most recently updated. Material changes will be flagged on this page and, where appropriate, communicated to clients directly.

11. How to contact us

For any questions about this Privacy Notice, your personal data, or how to exercise your rights: