Privacy Policy
Last Updated: 2026-02-07
At Amberlock, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you visit our website, use our services, or interact with us in any way.
Effective Date: 7 February 2026
1. Introduction
Amberlock Ltd ("Amberlock", "we", "us", or "our") is committed to protecting your privacy and personal data. We are a cybersecurity company registered in the United Kingdom.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website at amberlock.co.uk, use our services, or interact with us in any capacity. This policy applies to all personal data processed by Amberlock, whether collected online or offline.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.
2. Information We Collect
We collect and process various types of personal information depending on how you interact with us:
2.1 Personal Information You Provide
We collect information you voluntarily provide to us, including:
- Contact Information: Name, email address, phone number, job title, company name, and postal address
- Account Information: Username, password, and authentication credentials for client portals or services
- Business Information: Company details, industry sector, business requirements, and organisational structure
- Communication Data: Information contained in enquiries, support requests, consultation notes, and correspondence
- Service Delivery Data: Information necessary to deliver our cybersecurity services, including network configurations, system logs, vulnerability scan data, security assessment findings, and incident response details
- Payment Information: Billing address and payment details (processed securely through third-party payment processors)
- Marketing Preferences: Your consent to receive marketing communications and communication preferences
2.2 Information Collected Automatically
When you visit our website, we automatically collect certain information:
- Technical Information: IP address, browser type and version, operating system, device information, and screen resolution
- Usage Data: Pages visited, time spent on pages, clickstream data, referral source, and navigation patterns
- Location Data: General geographic location based on IP address
- Cookie Data: Information collected through cookies and similar technologies (see Section 10)
2.3 Information from Third Parties
We may receive personal information from:
- Business partners and referral sources
- Publicly available sources such as company websites and business directories
- Third-party service providers who support our business operations
- Professional advisors and consultants
2.4 Special Categories of Data
We do not ordinarily process special categories of personal data (such as health data, biometric data, or data concerning criminal convictions). If such processing becomes necessary for specific service delivery, we will obtain your explicit consent or ensure another lawful basis exists, and implement additional safeguards.
3. How We Use Your Information
We process your personal data for the following purposes:
3.1 Service Delivery
- Providing cybersecurity services including penetration testing, vulnerability assessments, security audits, and incident response
- Managing client relationships and service contracts
- Delivering technical support and customer service
- Administering client portals and secure communications platforms
- Conducting security research to improve our services
3.2 Communication
- Responding to enquiries, requests, and complaints
- Providing service updates, security alerts, and technical notifications
- Sending administrative information related to your account or services
- Facilitating communication between our team members and clients
3.3 Business Operations
- Processing payments and maintaining financial records
- Managing supplier and partner relationships
- Conducting internal business analytics and service improvement
- Maintaining business continuity and disaster recovery capabilities
- Protecting our legal rights and defending against legal claims
3.4 Compliance and Legal Obligations
- Complying with legal and regulatory requirements
- Responding to lawful requests from law enforcement and regulatory bodies
- Preventing fraud, money laundering, and other criminal activities
- Enforcing our terms of service and contractual agreements
3.5 Marketing and Business Development
- Sending marketing communications about our services (with your consent or where we have a legitimate interest)
- Conducting market research and customer satisfaction surveys
- Hosting events, webinars, and training sessions
- Developing new services and improving existing offerings
4. Legal Basis for Processing
Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:
4.1 Contract (Article 6(1)(b))
Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract. This applies when we deliver cybersecurity services, manage your account, or process payments.
4.2 Legitimate Interests (Article 6(1)(f))
Processing is necessary for our legitimate business interests, provided these are not overridden by your rights and interests. Our legitimate interests include:
- Providing effective customer service and support
- Improving our website, services, and business operations
- Conducting direct marketing to existing clients about similar services
- Protecting our business from fraud and security threats
- Managing business relationships and supplier contracts
- Conducting data analytics to better understand our client base
4.3 Consent (Article 6(1)(a))
Processing is based on your freely given, specific, informed, and unambiguous consent. This applies to marketing communications sent to new prospects, non-essential cookies, and any processing not covered by another legal basis. You may withdraw consent at any time.
4.4 Legal Obligation (Article 6(1)(c))
Processing is necessary to comply with legal obligations to which we are subject, such as tax reporting, responding to lawful requests from authorities, or regulatory compliance requirements.
4.5 Vital Interests (Article 6(1)(d))
In rare circumstances, processing may be necessary to protect someone's vital interests, such as in emergency situations involving cyber incidents that pose immediate safety risks.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We may share your information with the following categories of recipients:
5.1 Service Providers and Sub-Processors
We engage carefully selected third-party service providers who process data on our behalf:
- Cloud hosting providers (for website and data storage)
- IT service providers (for email, collaboration tools, and infrastructure)
- Payment processors and financial institutions
- Professional advisors (lawyers, accountants, auditors, insurers)
- Marketing and communications platforms
- Analytics providers
- Security and monitoring services
All service providers are bound by data processing agreements and required to implement appropriate security measures. They may only process your data for specified purposes and according to our instructions.
5.2 Business Partners
With your consent or where necessary for service delivery, we may share information with:
- Technology partners who collaborate with us on service delivery
- Referral partners and resellers
- Client organisations (when providing services to their employees or systems)
5.3 Legal and Regulatory Authorities
We may disclose your information when required by law or to:
- Comply with legal processes, court orders, or regulatory requests
- Enforce our terms of service or other agreements
- Protect the rights, property, or safety of Amberlock, our clients, or others
- Detect, prevent, or address fraud, security, or technical issues
- Respond to law enforcement requests with appropriate legal authority
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and ensure the acquiring party honours this Privacy Policy.
6. International Data Transfers
Amberlock is based in the United Kingdom, and we primarily store and process data within the UK. However, some of our service providers may be located in, or transfer data to, countries outside the UK.
6.1 Adequacy Decisions
Where we transfer data to countries recognised by the UK Government as providing adequate data protection (such as EEA countries, or countries with UK adequacy regulations), we rely on these adequacy decisions.
6.2 Standard Contractual Clauses
For transfers to countries without adequacy decisions, we implement appropriate safeguards, including:
- UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the UK authorities
- Binding Corporate Rules for multinational service providers
- Certifications and codes of conduct recognised under UK GDPR
You have the right to obtain information about the safeguards we have implemented for international transfers. Please contact us using the details in Section 13 for further information.
7. Data Security
As a cybersecurity company, we take data security extremely seriously. We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
7.1 Technical Security Measures
- Encryption: Data is encrypted in transit using TLS 1.3 or higher, and at rest using industry-standard encryption algorithms (AES-256 or equivalent)
- Access Controls: Multi-factor authentication, role-based access controls, and the principle of least privilege
- Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation
- Endpoint Protection: Anti-malware, endpoint detection and response (EDR), and device encryption
- Secure Development: Security-by-design principles, code reviews, and vulnerability scanning
- Monitoring and Logging: Continuous security monitoring, logging, and security information and event management (SIEM)
7.2 Organisational Security Measures
- Security Policies: Comprehensive information security policies and procedures aligned with ISO 27001
- Staff Training: Regular security awareness training and specialised technical training for all employees
- Background Checks: Appropriate vetting and background checks for personnel with access to sensitive data
- Confidentiality Agreements: All staff and contractors are bound by confidentiality obligations
- Vendor Management: Security assessments and due diligence for all third-party service providers
- Regular Audits: Internal and external security audits, penetration testing, and compliance assessments
7.3 Incident Response
We maintain a documented incident response plan to ensure rapid detection, containment, and remediation of security incidents. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where required
- Notify affected individuals without undue delay if the breach poses a high risk
- Document all breaches and our response actions
- Conduct post-incident reviews to prevent recurrence
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored electronically. You are responsible for maintaining the security of your passwords and authentication credentials.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
8.1 Retention Periods
- Client Service Data: Duration of the service relationship plus 6 years (to comply with limitation periods for contractual claims)
- Financial Records: 6 years from the end of the financial year (to comply with tax and accounting requirements)
- Marketing Data: Until consent is withdrawn or 3 years of inactivity, whichever is sooner
- Website Analytics: 26 months from collection
- Communication Records: Duration of the business relationship plus 3 years
- Security Assessment Data: As agreed in service contracts, typically 1-3 years for reference and compliance purposes
When personal data is no longer required, we securely delete or anonymise it using methods appropriate to the sensitivity of the data, including secure file deletion, media destruction, and cryptographic erasure.
9. Your Rights Under GDPR
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:
9.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how we process it. This is commonly known as a Subject Access Request (SAR).
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
9.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed. This right is not absolute and may not apply where we have a legal obligation to retain the data.
9.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or have objected to processing.
9.5 Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
9.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. You have an absolute right to object to direct marketing at any time.
9.7 Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. We do not generally engage in such automated decision-making.
9.8 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
9.9 Exercising Your Rights
To exercise any of these rights, please contact us using the details in Section 13. We will respond within one month and may extend by up to two additional months for complex requests. We will verify your identity before fulfilling requests. If you are dissatisfied with how we handle your request, you have the right to lodge a complaint with the ICO (see Section 14).
10. Cookies Policy
Our website uses cookies and similar technologies to enhance your browsing experience and analyse website traffic.
10.1 Types of Cookies We Use
Essential Cookies: Strictly necessary for the website to function, including session management and security features. These cannot be disabled.
Analytics Cookies: Help us understand how visitors use our website by collecting aggregated and anonymised information about pages visited and interactions.
Functional Cookies: Enable enhanced functionality and personalisation such as remembering your preferences and language settings.
Marketing Cookies: May be used to build a profile of your interests and show relevant content. These are only set with your consent.
10.2 Managing Cookies
You can control cookies through our cookie consent banner when you first visit, through your browser settings, or via industry opt-out tools such as Your Online Choices. Blocking cookies may impact website functionality.
11. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. Our services are provided exclusively to businesses and professionals in a business-to-business context. If we become aware that we have collected personal data from a person under 18, we will take steps to delete such information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date, post the revised policy on our website, and notify you of material changes through prominent website notice or email. Your continued use of our services after changes are posted constitutes acceptance of the revised policy.
13. Contact Information
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
Amberlock Ltd
Email: info@amberlock.co.uk
Website: www.amberlock.co.uk
We aim to respond to all enquiries within 5 business days and to fulfil data subject requests within one month as required by UK GDPR.
14. Supervisory Authority
You have the right to lodge a complaint with the UK's supervisory authority for data protection:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
While you have the right to lodge a complaint with the ICO, we encourage you to contact us first so we can attempt to resolve your concerns directly.