Privacy Policy

Last Update: 15 February 2025

Privacy Policy

1. INTRODUCTION

1.1 Important Information and Who We Are

Welcome to Security Phoenix Ltd’s (“Phoenix Security”, “we”, “us” or “our”) Privacy and Data Protection Policy (“Privacy Policy”). We are committed to protecting and respecting your privacy and personal data in compliance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and all other applicable UK laws.

This Policy explains who we are, what data we collect and why, how we use and share it, your data protection rights, and how to contact us.

Applies to: Customers, suppliers, business contacts, employees, staff members, volunteers, third parties connected to our customers, and any other individuals whose personal data we process.

1.2 Who Is Your Data Controller

• Controller: Security Phoenix Ltd (registered in England & Wales)
• Address: 124 City Road, London, EC1V 2NX, United Kingdom
• Email: privacy@phoenix.security
• Phone: +44 (0)20 3195 3879

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), but please allow us to address your concerns first.

2. SCOPE & RESPONSIBILITIES

2.1 Scope

This Policy covers all personal data collected or processed by us via our website, platform, services (including support), recruitment, staff/volunteer management, events, and all other interactions with Phoenix Security.

2.2 Record of Processing Activities (RoPA)

We maintain a detailed RoPA as required by Article 30 UK GDPR, documenting all categories of processing, purposes, data subjects, recipients, and retention periods.

2.3 Processors’ Responsibilities

Where we engage processors, we ensure via GDPR-compliant Data Processing Agreements that they:

• Process personal data only on our documented instructions.
• Implement appropriate technical and organisational measures.
• Ensure confidentiality and security of personal data.
• Notify us of any personal data breach without undue delay.
• Assist us in responding to data subject requests and audits.

3. WHAT WE COLLECT

3.1 Staff, Volunteers & Job-Applicants

• Identity & contact details (name, address, email, phone)
• Date of birth, National Insurance number, gender
• Photographs/ID documents; proof of address
• Marital status; emergency contacts
• Employment & education history; right-to-work checks
• Criminal convictions (DBS); security clearance data
• Performance records; IT-use monitoring
• Salary, pension, payroll, tax details; health/fit-note records

3.2 End Users & Visitors

• Account registration data (name, email, company, role)
• Usage data (logs, IP address, device/browser type)
• Payment & transactional information
• Support interactions (email/chat transcripts)
• Cookies & analytics data

3.3 Aggregated & Anonymised Data

• Non-identifying insights (e.g., device mix, geographic trends) are used solely in anonymised form for product improvement and research.

4. LAWFUL BASES & PURPOSES

We process personal data only when we have a lawful basis under Article 6 UK GDPR, and for special categories only with additional safeguards under Article 9 where applicable.

• Legitimate Interests Assessment: We document and record balancing tests to ensure your rights are not overridden.
• Consent: Collected via clear opt-in mechanisms; you can withdraw consent as easily as given.

5. DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

For any new high-risk processing (e.g., large-scale profiling, special category data), we conduct DPIAs under Article 35 UK GDPR and implement required mitigation measures.

6. DATA RETENTION

We retain personal data only for the longer of:

1. The period required by applicable law, and where deemed necessary for HR, recruitment, or contractual reasons.
2. An additional 90 days thereafter.

Specific retention schedules (e.g., recruitment records, account data, support logs) are documented in our internal retention policy.

7. DATA SUBJECT RIGHTS

You have the right to:

• Access your personal data (Art 15)
• Rectify inaccuracies (Art 16)
• Erase data (“right to be forgotten,” Art 17)
• Restrict processing (Art 18)
• Object to processing (Art 21)
• Port your data (Art 20)
• Withdraw consent (Art 7)

Requests are free, verified for identity as needed, and answered within one month (Art 12–15). We may extend by two further months for complex requests, notifying you accordingly.

8. COOKIES & TRACKING

Our cookie banner and policy (Article 13(2)(c)) clearly distinguish:

• Essential cookies (strictly necessary)
• Analytics cookies (e.g., Google Analytics)
• Marketing cookies

You can manage preferences at any time.

9. INTERNATIONAL TRANSFERS

Where personal data is transferred outside the UK or EEA, we use UK-approved Standard Contractual Clauses (Art 46) or rely on an adequacy decision if applicable.

10. CHILDREN’S DATA

We do not knowingly collect or process personal data of children under 18. If we become aware of such processing, we will delete it without undue delay.

11. DATA SECURITY & BREACH HANDLING

• Security measures: Encryption in transit and at rest; multi-factor authentication; strict access controls; regular security assessments (Art 32).
• Breach notification: We notify the ICO within 72 hours of a notifiable breach (Art 33) and, where required, inform data subjects without undue delay (Art 34).

12. BREACH & VULNERABILITY DISCLOSURE

If you discover a security vulnerability, please follow our Vulnerability Disclosure Policy at https://phoenix.security/vulnerability-disclosure/. We will acknowledge, investigate, and respond in line with our Breach Disclosure procedures.

13. SUBPROCESSORS & THIRD PARTIES

We share personal data only with:

• Processors & sub-processors (full list available on request)
• Professional advisers: auditors, insurers, legal counsel
• Regulators & law enforcement: where required by law
• Group companies: for administrative, HR, and IT purposes

California Privacy Rights: California residents may request details of any sharing with third parties for marketing purposes.

14. CHANGES TO THIS POLICY

We review this Policy at least annually. Material changes will be notified by email or a prominent notice on our platform. Continued use of our services constitutes acceptance of any amendments.

15. CONTACT & COMPLAINTS

For questions or to exercise your rights, contact:

• Email: privacy@phoenix.security
• Post: 124 City Road, London, EC1V 2NX, United Kingdom
• Phone: +44 (0)20 3195 3879

You may also lodge a complaint with the ICO at:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: https://www.ico.org.uk/make-a-complaint