
Privacy Policy

786 Cyber  ·  Last updated: April 2026

This Privacy Policy explains how 786 Cyber ("786 Cyber", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our platform at https://786cyber.com ("Services"). We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy.


1. Data Controller Information

The data controller responsible for your personal data is:

786 Cyber
Website: https://786cyber.com
Email: privacy@786cyber.net

For any queries relating to this Privacy Policy or your personal data, please contact us at the email address above.


2. What Personal Data We Collect

2.1 Account Data

When you register for an account, we collect:

  • Full name and email address
  • Password (stored as a secure hash — we never store passwords in plain text)
  • Profile photo (if provided)
  • Account creation date and last login date
  • Authentication method (email/password or Google Sign-In)

2.2 Company / Organisation Profile Data

  • Organisation name, industry sector, employee count and device count
  • Geographic regions of operation, website URL, company logo
  • Contact name, email address, and phone number
  • Internet services and cloud providers in use
  • Existing compliance certifications (e.g. ISO 27001, Cyber Essentials)
  • Known vulnerabilities and risk concerns (as self-reported)
  • Date of last penetration test

2.3 Usage Data

  • IP address, browser type, operating system
  • Pages visited and features used within the platform
  • Session duration, timestamps, errors, and diagnostic information

2.4 Compliance and Security Data

  • Compliance questionnaire responses
  • AI-generated compliance roadmaps and recommendations
  • Policy documents you create or upload
  • Security controls and their implementation status
  • Audit evidence and supporting documentation

2.5 Payment Data

  • Billing name and address
  • Payment card details (processed and stored by Stripe — we do not store card numbers)
  • Transaction history, invoice records, and VAT number (where applicable)

2.6 Communications Data

If you contact us, we collect your name, email address, and the content of your communication.


3. How We Use Your Personal Data

Purpose | Description
Service delivery | To provide, operate, and maintain the 786 Cyber platform
Account management | To create and manage your user account and organisation
AI-powered features | To generate compliance roadmaps, policy suggestions, and security recommendations using the Claude API
Billing and payments | To process subscription payments and manage invoices
Customer support | To respond to your queries, support requests, and feedback
Security and fraud prevention | To detect, prevent, and investigate security incidents or misuse
Platform improvement | To analyse usage patterns and improve our Services (using aggregated/anonymised data where possible)
Legal compliance | To comply with our legal obligations under applicable law
Communications | To send service-related notifications, security alerts, and (where consented) marketing communications

4. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract (Article 6(1)(b)): Processing necessary to perform our contract with you — including account creation, service delivery, and billing.
  • Legitimate Interests (Article 6(1)(f)): Processing for platform security, fraud prevention, product improvement, and customer support.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable law, including tax records and lawful authority requests.
  • Consent (Article 6(1)(a)): Where we rely on consent (e.g. marketing emails), you may withdraw consent at any time.

5. Data Retention

Data Category | Retention Period
Account data | Duration of account + 30 days after deletion
Organisation and compliance data | Duration of subscription + 30 days after termination
Payment and billing records | 7 years (UK tax law requirement)
Usage and log data | 90 days rolling
Support communications | 3 years from date of last contact
Marketing consent records | Until consent is withdrawn + 1 year

After the applicable retention period, data is securely deleted or anonymised. You may request early deletion subject to our legal retention obligations.


6. Your Rights Under UK GDPR

Right of Access

Request a copy of your personal data. We respond within one month.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion where data is no longer necessary or processing is unlawful.

Right to Restriction

Request we restrict processing in certain circumstances.

Data Portability

Receive your data in a machine-readable format to transfer to another provider.

Right to Object

Object to processing based on legitimate interests, including direct marketing.

Automated Decisions

Not to be subject to decisions based solely on automated processing with significant effects.

To exercise any right, contact us at privacy@786cyber.net. We will respond within one calendar month. There is no charge except for manifestly unfounded or excessive requests.

6.9 Right to Complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: https://ico.org.uk

Phone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO.


7. Cookies

7.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our platform. We use cookies to ensure the platform functions correctly and to understand how it is used.

7.2 Types of Cookies We Use

Cookie Type | Purpose | Duration
Essential / Strictly Necessary | Required for the platform to function (e.g. authentication session cookies) | Session / up to 1 year
Functional | Remember your preferences (e.g. dark/light mode) | Up to 1 year
Analytics | Understand how users interact with the platform (anonymised) | Up to 2 years

7.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality. We display a cookie consent notice on your first visit and respect your preferences.


8. Third-Party Services and Sub-processors

Google Firebase (Google LLC)

Services used: Firebase Authentication, Firestore, Cloud Functions, Firebase Hosting, Firebase Storage

Data processed: Account data, organisation data, compliance data, usage logs

Location: United States (Standard Contractual Clauses in place)

Privacy policy: firebase.google.com/support/privacy

Anthropic (Claude API)

Services used: AI-powered compliance recommendations, policy generation, and security suggestions

Data processed: Compliance questionnaire responses and policy prompts (personal data minimised)

Location: United States (appropriate safeguards in place)

Privacy policy: anthropic.com/privacy

Stripe (Stripe Payments Europe, Ltd.)

Services used: Payment processing and subscription management

Data processed: Billing name, address, payment card details, transaction records

Location: European Economic Area / United States

Privacy policy: stripe.com/gb/privacy

We may use additional third-party tools for analytics, error monitoring, and customer support. A full list of sub-processors is available on request.


9. International Transfers of Personal Data

Some of our sub-processors (including Google Firebase and Anthropic) are based in the United States. Transfers outside the UK are conducted in accordance with UK GDPR requirements, specifically:

  • Standard Contractual Clauses (SCCs) approved for use with UK transfers
  • Transfer Impact Assessments (TIAs) conducted where required
  • Binding Corporate Rules where applicable

10. Data Security

We implement a range of technical and organisational security measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest (Firebase default encryption)
  • Role-based access controls within the platform
  • Firebase Authentication for secure login, including multi-factor authentication options
  • Regular review of security practices and sub-processor security assessments
  • Incident response procedures for data breaches

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.


11. Children's Data

Our Services are intended for business use by adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected data from a child, we will delete it promptly.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or via an in-app notice. The "Last updated" date at the top of this page will always reflect the most recent revision.

We encourage you to review this policy periodically.


13. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

786 Cyber
Email: privacy@786cyber.net
Website: https://786cyber.com

This Privacy Policy was last reviewed and updated in April 2026.


© 2026 786 Cyber. All rights reserved.