Legal

Privacy Policy

How Custodian Consulting collects, uses, and protects your personal data — and the rights you hold under UK GDPR.

Last updated: 17 March 2026

This policy applies to personal data collected through the Custodian Consulting website at custodianconsulting.co.uk. It is written in plain English. If anything is unclear, please contact us at contact@custodianconsulting.co.uk.

01 —

Data Controller

The data controller for personal data collected via this website is:

Custodian Consulting Ltd

Registered in England & Wales

Email: contact@custodianconsulting.co.uk

As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is carried out in accordance with UK GDPR and the Data Protection Act 2018.

02 —

Data We Collect

We collect only the personal data necessary for the purposes described in this policy. The categories of data we may collect are:

Contact form submissions

  • Name — so we know who we are speaking with
  • Email address — so we can respond to your enquiry
  • Company name — to understand the organisational context of your request
  • Message content — the details of your enquiry or request

Technical data collected automatically

  • IP address and approximate geographic region (server logs, retained for up to 30 days)
  • Browser type and version, operating system
  • Pages visited and timestamps (where analytics are enabled — see Section 7)

We do not collect sensitive personal data (special category data under UK GDPR Article 9) and we do not collect payment card information through this website.

03 —

How We Use Your Data

We use the personal data you provide for the following purposes:

  • Responding to enquiries — to reply to messages submitted via our contact form or sent to our email address
  • Providing quotes and scoping information — to prepare and send fixed-price engagement proposals based on the requirements you describe
  • Service delivery — if you engage us, to fulfil the contracted penetration testing or security consultancy services
  • Compliance and legal obligations — to meet regulatory and contractual requirements, including record-keeping obligations
  • Website improvement — using aggregated, anonymised analytics data to improve the usability and content of this website

We do not use your personal data for automated decision-making or profiling.

04 —

Legal Basis for Processing

Under UK GDPR Article 6, we rely on the following lawful bases for processing your personal data:

  • Legitimate interests (Article 6(1)(f)) — responding to unsolicited enquiries submitted through our contact form. We have a legitimate interest in communicating with prospective clients, and this interest is not overridden by your rights and interests.
  • Contractual necessity (Article 6(1)(b)) — where you engage us to deliver services, processing is necessary to perform the contract between us.
  • Legal obligation (Article 6(1)(c)) — where we are required to retain records for tax, regulatory, or other legal purposes.

Where we rely on legitimate interests, you have the right to object to that processing. See Section 8 for details of your rights.

05 —

Data Retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law.

  • Enquiries that do not result in an engagement — retained for up to 12 months from the date of last contact, after which data is securely deleted
  • Client engagement records — retained for 6 years following completion of the engagement, in line with the Limitation Act 1980 and standard accounting obligations
  • Server access logs — retained for a maximum of 30 days, then automatically purged
  • Analytics data — where collected, retained in aggregated and anonymised form only; no individual-level retention beyond the session

When data is no longer required, it is deleted or anonymised securely. Paper records, if any, are shredded.

06 —

Third Parties & Data Sharing

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.

We may disclose your personal data only in the following limited circumstances:

  • Sub-contractors and associates — where a specific engagement requires specialist expertise, we may engage vetted sub-contractors under confidentiality agreements. They are permitted to process your data only as directed by us and for no other purpose.
  • Legal requirement — where we are required to disclose data by law, court order, or regulatory authority (for example, HMRC or a law enforcement agency acting under proper authority).
  • Business transfer — in the event of a merger, acquisition, or sale of the business, personal data may be transferred as part of that transaction. We will notify you in advance where required by law.

Any third party given access to personal data is required to treat it with the same level of protection we apply, and we carry out appropriate due diligence before engaging data processors.

International transfers

We do not routinely transfer personal data outside the United Kingdom. Where any such transfer is necessary, we ensure that an appropriate transfer mechanism is in place — such as the UK International Data Transfer Agreement (IDTA) or adequacy regulations — before transferring data.

07 —

Cookies

Cookies are small text files placed on your device by a website. We aim to keep our cookie usage to a minimum.

Strictly necessary cookies

Our website may set a small number of session cookies that are essential for the site to function correctly. These cookies do not collect personal data and cannot be disabled without affecting site functionality. They expire when you close your browser.

Analytics cookies

If we use analytics software, it may set cookies to measure page visits and traffic sources in aggregate. Where analytics are in use, data is anonymised before processing and is not shared with third-party advertising networks. No cross-site tracking takes place.

Third-party cookies

We do not embed third-party advertising scripts, social media tracking pixels, or marketing cookies on this website.

You can control and delete cookies through your browser settings. For guidance on managing cookies, visit aboutcookies.org.

08 —

Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of them, please contact us at contact@custodianconsulting.co.uk. We will respond within one calendar month of receiving your request.

Right of Access

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to Rectification

Ask us to correct inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data where there is no compelling reason for us to continue processing it.

Right to Restrict Processing

Ask us to suspend processing of your data in certain circumstances, for example while accuracy is contested.

Right to Portability

Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller.

Right to Object

Object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling grounds.

These rights are not absolute. In some circumstances, legal obligations may require us to retain or continue processing certain data. We will always explain clearly if we are unable to fulfil a request and why.

There is no charge for exercising your rights. If requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse the request, as permitted under UK GDPR Article 12(5).

09 —

Complaints & the ICO

If you believe we have not handled your personal data in accordance with UK GDPR or the Data Protection Act 2018, please contact us first at contact@custodianconsulting.co.uk. We take data protection seriously and will make every effort to resolve your concern promptly.

If you remain dissatisfied after contacting us, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

You may also be entitled to seek a judicial remedy against us or the ICO in the courts of England and Wales.

10 —

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in law, our practices, or our services. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of our website after any changes constitutes acceptance of the updated policy.

Previous versions of this policy are available on request by emailing contact@custodianconsulting.co.uk.