Privacy Policy
1. Who We Are
Wood Cyber Security Services Ltd ("Wood Cyber", "we", "us", "our") is a cybersecurity services company registered in England and Wales.
Company registration number: 17186515
Registered address: Available on request
ICO registration number: ZC147774
Contact: queries@woodcyber.com
We are the data controller for personal data collected through this website. Where we process personal data on behalf of our clients during service delivery, we act as a data processor and the client remains the data controller.
This policy covers personal data collected via our website and personal data we may encounter incidentally during the delivery of our cybersecurity services. It is written in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Personal Data We Collect
2.1 Website enquiries
When you submit our contact form, we collect:
- First and last name
- Email address
- Company or organisation name
- The content of your message
- Your selected service of interest
2.2 Technical and security data
When you visit our website, Cloudflare's Turnstile service processes your IP address and browser characteristics to verify you are a human visitor. This processing is carried out by Cloudflare, Inc. under their own privacy policy. We do not receive or store this data directly.
2.3 Service delivery — incidental PII
During the delivery of vulnerability scanning, authenticated system scanning, and related cybersecurity services, our tools and personnel may incidentally encounter personal data held within client systems. This may include, but is not limited to:
- User account names and email addresses visible in system logs or configuration files
- Names associated with device ownership or software licences
- IP addresses attributed to individual users
- Any personal data present in file shares, databases, or system outputs that are within scope of the assessment
We do not deliberately seek out, collect, or retain personal data encountered in this way. Where such data appears in scan outputs or reports, it is treated with strict confidentiality and handled in accordance with our obligations as a data processor.
3. How We Use Your Personal Data
| Purpose | Data used | Legal basis (UK GDPR) |
|---|---|---|
| Responding to your website enquiry | Name, email, company, message | Art. 6(1)(f) — Legitimate interests (to respond to business enquiries) |
| Delivering contracted cybersecurity services | Client contact details, service scope information | Art. 6(1)(b) — Performance of a contract |
| Processing incidental PII encountered during scanning | Data encountered within client systems in scope | Art. 6(1)(b) — Performance of a contract (processed on behalf of the client as data processor) |
| Complying with legal obligations | Business records, correspondence | Art. 6(1)(c) — Legal obligation |
| Bot and fraud prevention on our website | IP address, browser characteristics (via Cloudflare) | Art. 6(1)(f) — Legitimate interests (to protect our website and users) |
4. Third-Party Services
We use a small number of third-party services in the operation of this website. These services may process personal data as described below.
EmailJS
Contact form submissions are transmitted via EmailJS (EmailJS.com). When you submit the contact form, your name, email address, company name, and message are passed through EmailJS servers to deliver the enquiry to our mailbox. EmailJS acts as a data processor on our behalf. For details of how EmailJS handles data, please refer to their privacy policy at emailjs.com.
Cloudflare (Turnstile)
We use Cloudflare Turnstile on our contact form to prevent automated submissions. Cloudflare processes IP address and browser signals to verify human visitors. Cloudflare acts as an independent data controller for this processing. For details, please refer to Cloudflare's privacy policy at cloudflare.com/privacypolicy.
Microsoft 365
Enquiries submitted via the contact form are received into a Microsoft 365 shared mailbox. Microsoft processes this data as a data processor under our Microsoft 365 agreement. Microsoft's data processing terms are governed by the Microsoft Product Terms and Data Protection Addendum.
5. Data Processor Responsibilities (Service Delivery)
Where Wood Cyber delivers cybersecurity services to a client organisation, we process data on that client's systems on their behalf. In this capacity, we act as a data processor and the client is the data controller.
We commit to the following in relation to personal data encountered during service delivery:
- We will only process personal data to the extent necessary to perform the agreed service
- We will not access, extract, copy, or retain personal data beyond what is incidental to the technical assessment
- Scan outputs and reports will be handled confidentially and shared only with the client
- We will notify the client promptly if we identify what appears to be a personal data breach within their systems
- We will securely delete or return all client data upon completion of the engagement, as agreed
- Sub-processors will only be engaged with the client's prior agreement
Business clients may request a Data Processing Agreement (DPA) to formalise these obligations under Article 28 UK GDPR. Our standard DPA is available here or by contacting us at queries@woodcyber.com.
6. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Website enquiry (no engagement follows) | 12 months | To allow for follow-up and record of contact |
| Client correspondence and contracts | 6 years from end of engagement | Legal obligations and limitation periods |
| Scan reports and deliverables | As agreed with the client; default 12 months | To support remediation follow-up; then securely deleted |
| Financial records | 7 years | HMRC and Companies Act requirements |
7. International Data Transfers
EmailJS and Cloudflare are US-based companies. Where personal data is transferred outside the UK, we rely on appropriate safeguards, which may include Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), or adequacy decisions where applicable. Both services operate under frameworks that provide appropriate protection for UK personal data.
8. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — you may request a copy of the personal data we hold about you
- Right to rectification — you may ask us to correct inaccurate or incomplete data
- Right to erasure — you may ask us to delete your personal data where we no longer have a lawful basis to hold it
- Right to restriction — you may ask us to restrict processing of your data in certain circumstances
- Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request your data in a portable format
- Right to object — you may object to processing based on legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds
- Rights related to automated decision-making — we do not carry out solely automated decision-making that produces legal or similarly significant effects
To exercise any of these rights, please contact us at queries@woodcyber.com. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.
9. Cookies
This website does not use tracking or analytics cookies. The only cookies that may be set are those placed by Cloudflare's Turnstile service on the contact form page, for the purposes of bot detection. These are strictly functional and do not track you across other websites.
We do not use Google Analytics, Meta Pixel, or any other advertising or tracking technologies.
10. Data Security
As a cybersecurity company, data security is central to everything we do. We apply appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include encrypted communications, access controls, and secure handling of client deliverables.
In the event of a personal data breach affecting individuals whose data we control, we will notify the Information Commissioner's Office (ICO) within 72 hours where required, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
11. Complaints
If you have concerns about how we handle your personal data, please contact us in the first instance at queries@woodcyber.com and we will do our best to resolve the matter.
You also have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 · ico.org.uk
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or best practice. The date at the top of this page will always reflect when it was last updated. We encourage you to review this policy periodically.
Material changes that affect how we process your personal data will be communicated directly where we hold your contact details.