Privacy Notice (policy)
This Privacy Notice was last updated on 09.05.2025.
This Privacy Notice informs you who we are, how we collect, use, secure and share personal information collected by us when you visit our website, enquire about or buy services from us, send personal information to, or receive personal information from us, communications, (including marketing messages), register or attend our events or webinars, visit our offices and through any other interactions we have with you. This Privacy Notice also informs you how you can exercise your rights.
NormCyber Limited (‘NormCyber’, ‘we’, ‘us’, and ‘our’) is committed to respecting and protecting the privacy of individuals and to fully complying with all the requirements of the UK GDPR and all other applicable data protection laws and regulations.
If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided elsewhere in this Privacy Notice.
Data Protection Officer
We have appointed a Data Protection Officer (DPO). If you wish to contact our DPO you can do so via: dpo@normcyber.com
This Privacy Notice applies to all our data subjects (an individual about whom we hold personal information) except Job Applicants/Candidate and our employees.
If you are providing personal information to us as an employee, please refer to our Employee Privacy Notice found within our Employee Handbook.
If you are providing personal information to us as part of our recruitment process for employment, please see our Job Applicants/Candidate/HR Privacy Notice.
What is personal information?
Personal information is anything that enables you to be identified or identifiable. Personal information is also called “personal data”. We collectively refer to handling, collecting, protecting, storing or otherwise using your personal information as ‘processing’.
If you fail to provide personal information
Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you or provide you with services you have requested.
Collecting (obtaining) your Personal Information
Most of the personal information we process is provided to us directly by you, for example for one or more of the following reasons:
- You have made an enquiry or information request to
- You have ordered services from
- You have requested to attend or have attended our
- You have subscribed to one or more of our e-
- You have visited our website and consented to our use of cookies or similar technologies
- You have provided a business card or other contact information
- You have participated in our competitions or prize draws
We may also obtain your personal information indirectly, such as from:
- Public registers/records.
- Social
- Lead generation providers
- Data brokers
- Using CCTV
- Event organisers
The personal information we collect about you
We may collect and otherwise process different kinds of personal data about you which we have grouped together as follows:
- Contact Data includes postal and email address and telephone
- Identity Data includes names and similar identifiers
- Financial Data includes bank account and payment card
- Marketing and Communications Data includes your preferences in receiving marketing from us and our partners and your communication preferences.
- Transaction Data includes details about payments to and from you and other details of products, goods and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and
- Usage Data includes information about how you use our products, services and
Lawful Bases (legal grounds) for Processing Personal Information
Our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it.
We will normally collect personal data from you on one or more of the following lawful bases:
- Consent: We may process your personal information after you have consented (agreed) to us doing Your consent may have been obtained by us, or by third parties on our behalf. You have the right to withdraw your consent at any time.
- Contract: We may process your personal information when we need to deliver a contractual service to you or because you have asked us to do something before entering into a contract (e.g., provide a quote).
- Legal obligation: We may process your personal information when we need to comply with a legal obligation.
- Legitimate interest: We may process your personal information when we need to for our or another’s legitimate interests, where these interests are not overridden by your rights.
Purpose(s) for Processing Personal Information
We have set out below a description of all the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Please note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground(s) we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing |
| To register a new client/customer |
|
|
| To process and deliver an order or request |
|
|
| To manage our customer and business relationships |
|
|
| To provide marketing materials |
|
|
| To promote prize draws and competitions. |
|
|
| To administer and manage our website |
|
|
| To ensure you are able to attend an event. |
|
|
| To develop our businesses and services |
|
|
| To comply with our legal obligations |
|
|
Using your Personal Information for Marketing Purposes
We will only use your personal information for marketing purposes in accordance with applicable legal requirements.
If you choose to unsubscribe, we may retain some of your personal information to identify you, so that we can continue to honour your request and ensure that we do not continue to provide you with marketing materials.
We will not share your information with any third parties for the purposes of direct marketing.
Sharing your Personal Information
We may share your personal information with third parties (other organisations or individuals) for:
- The purpose(s) for which the information was
- The purposes listed under ‘Purpose(s) for Processing Personal Information’.
- As agreed between
We share personal information with third parties that act as data processors to provide elements of our service by processing personal information on our instructions (see ‘Data Processors’ below).
It is our policy to only share your personal information with third parties that are legally or contractually bound to protect your personal information to the same standards as we are, and that will flow those same standards to their subcontractors.
In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share your personal information.
We will not sell your personal information to any third party.
Data processors
Where we use data processors, we have contracts in place with them to ensure that they cannot do anything with personal information we have shared with them unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct them to.
These data processors may use sub-contractors (known as sub-processors) that have access to your personal data. If they do, they are required to have contracts in place with those sub-processors to ensure that they cannot do anything with personal information shared with them beyond what we have instructed our data processors to do with it.
The data processors which we mainly and routinely use* are:
- HubSpot
- Xero
- Ivanti
*The above list identifies those data processors that we routinely use. It does not identify each and every data processor we use.
Transfers of your personal information to outside the UK
Your personal information may be transferred (sent to or accessed from) outside the UK. Any such transfer will be only:
- To you; or
- To a recipient located in a country which provides an adequate level of protection for your personal information, (i.e., a country where the data protection standards are the same or better than in the UK), for example, a country in the European Union (EU), or European Economic Area (EEA); or
- To a recipient under a contractual agreement which satisfies UK legal requirements for the transfer of personal information, to ensure that appropriate safeguards are in place to protect your personal information in accordance with UK levels of data protection; or
- To a recipient under the UK-US Data Bridge; or
- When your personal information has first been anonymised The countries/areas to which we may transfer personal data* are:
EU/EEA: To a recipient located in a country which provides an adequate level of protection for your personal information.
*This does not mean that your personal data will definitely be transferred to any of these countries.
Retention (Storage) of Personal Information
We will retain your personal information only for as long as we need it for the purpose(s) for which it was collected, or as required to do so by law.
To determine the appropriate retention period for your personal information, we consider the amount, nature, and sensitivity of it, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process it and whether we can achieve those purposes through other means, as well as applicable legal requirements.
Examples of the periods for which personal information will be stored*
| Personal data | Retention period |
| Client/customer records | As required by any applicable statutory retention period, or where no statutory retention period applies, seven years after contractual relationship ends, or seven years from our last date of contact, whichever is the latest. |
| Business contacts records | As required by any applicable statutory retention period, or where no statutory retention period applies, three years after business relationship ends. |
*The above list, which gives examples, does not identify each and every period for which individuals’ personal data will be stored. Further information about our retention of Personal Information is set out in our Retention Policy. If you would like a copy of our Retention Policy, please contact us.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
- Your right of access: You have the right to ask us for copies of your personal This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
- Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
- Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.
- Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
- Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. You can read more about this right here.
- Your right to data portability: This only applies to information you have given You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
If you wish to exercise any of your rights, please contact us.
Security
We use appropriate technical and organisational measures to protect the personal data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data. Please be aware that, we cannot guarantee the security of all personal information transmitted to or by us.
Call Recording
We may record calls for quality/training purposes. Where we do so, individuals will be advised that the call will be recorded.
Social Media
We use the following social media platform(s):
- X
We may use these social media platform(s) to process your personal data for some of the purposes set out elsewhere in this Privacy Notice.
Artificial Intelligence (AI)
We use Artificial Intelligence (AI), which means that AI may be used to process your personal data. When we use AI, we do so in compliance with applicable data protection legislation; and regulatory guidance.
For more information on our use of AI when processing personal data contact our DPO via dpo@normcyber.com
Automated Profiling
We will not use your personal information for automated profiling.
Children’s personal information
We do not provide services directly to children or proactively collect their personal information.
Visiting our premises
When you visit our premises you will be required to provide your name and other personal information for security and safety reasons.
CCTV
Closed-circuit television (CCTV) operates at our premises for security and safety reasons. The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.
Wi Fi
We provide Wi-Fi on site for the use of visitors. We’ll provide you with the address and password. We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited duration and date sent/received. The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.
Attending an event of ours
If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.
We use this information to facilitate the event and provide you with an acceptable service. We also need this information so we can respond to you.
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service. The lawful basis we rely on for processing your personal data is your consent under article 6(1)(a) of the UK GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
Our contact details
We can be contacted as follows:
- Email: dpo@normcyber.com
- Phone: 020 3666 0918
- Post: NormCyber Limited, Arena Business Centre, Lancaster Court, 8 Barnes Wallis Road, Fareham, PO15 5TU
Cookies
We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. For
information about the cookies and any other similar technologies we use, please see our cookies policy.
Your right to complain
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us and we’ll respond.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s office (ICO), the UK supervisory authority (data protection regulator). Please follow this link to see how to do that.
Updating
We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes, we will amend the revision date at the bottom of this page. The new modified or amended privacy policy will apply from that revision date.