Privacy Policy

Effective date: 10 November 2025

shsecurity.digital (the “Site”) is owned and operated by SH ITSec Ltd. SH ITSec Ltd is the data controller for personal data processed via the Site and our services.

How to contact us

Email: contact@shsecurity.digital

What this policy covers

This notice explains what personal data we collect, how we use it, our legal bases, who we share it with, how long we keep it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

Data we collect

• Contact and enquiry data (e.g. name, email, phone, company, message content) when you use our contact or breach forms.
• Client engagement data necessary to deliver DFIR and assessment services (e.g. stakeholder details, logs/artefacts you provide).
• Technical data such as IP address, user agent, and basic analytics generated by your device when you browse the Site.
• Operational correspondence (e.g. emails, meeting notes) relating to sales, onboarding, and support.

How we use your data (purposes & legal bases)

• Responding to enquiries and providing quotes — legitimate interests and/or pre-contract steps.
• Delivering services (DFIR, vulnerability assessments, retainers) — contract performance.
• Security, fraud prevention, and incident handling — legitimate interests and, where applicable, legal obligations.
• Business operations (billing, accounting, compliance) — legal obligations and legitimate interests.
• Improving our Site and services (basic, privacy-respecting analytics) — legitimate interests or consent where required.

Cookies and similar technologies

We aim to keep cookies to a minimum. Essential cookies enable the Site to function. Optional analytics cookies (if used) help us understand usage. Where required, we will request your consent and provide controls via a cookie banner.

Sharing your data

We do not sell your personal data. We may share it with:

• Service providers (e.g. secure hosting, email, ticketing) under contract with appropriate safeguards.
• Incident-response tooling providers where needed to deliver DFIR work you instruct us to perform.
• Professional advisers (legal, accounting) and authorities where required by law.

International transfers

Where personal data is transferred outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement/addendum, or an adequacy decision, as applicable.

How long we keep your data

We retain personal data only as long as necessary for the purposes above, including legal/accounting requirements. Enquiry records are usually kept up to 24 months. Client engagement records are typically kept for up to 7 years unless a different period is required by contract or law.

Your rights

Under UK data protection law you may have the right to:

• Access a copy of your personal data;
• Correct inaccurate or incomplete data;
• Erase certain data or restrict its processing;
• Object to processing based on legitimate interests;
• Data portability (where applicable);
• Withdraw consent at any time (where processing is based on consent).

To exercise these rights, contact us at contact@shsecurity.digital. We may need to verify your identity. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

Security

We apply technical and organisational measures appropriate to the risk, including access controls, encryption where suitable, and least-privilege practices. No method is 100% secure; we continually improve our controls.

Children

Our Site and services are not directed to children. We do not knowingly collect personal data from children.

Third-party links

The Site may link to third-party sites and services. Their privacy practices are governed by their own policies.

Changes to this notice

We may update this policy from time to time. Changes will be posted on this page with an updated effective date.

Contact

For any questions or requests about this policy or your personal data, email contact@shsecurity.digital.