Privacy Policy

Last updated 23/12/2025

CYJAX (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Notice explains how we collect, use, and safeguard your personal data when you use our Platform, services, visit our website, or interact with us. It also outlines your rights and how you can exercise them. Please read this notice carefully to understand our practices and your choices.

The Privacy Policy for Candidates can be found here

The Privacy Policy for Investors can be found here

CYJAX Platform, Services and Website

Who we are

CYJAX is a Threat Intelligence company that provides businesses with Threat Intelligence and alerting. We collect publicly available information from varying sources, enabling us to provide consultancy and advisory services to clients about the risks they face, and to help ensure their critical assets are secured. We do this through technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytic features that generate outputs in the form of alerts, reports or data feeds to enable business entities to conduct analysis of the threats they face.

1. Collection of personal data

We collect from several sources:

1.1 Information provided by you
  • name, business contact details - company, email address, phone number, job title,
  • Details submitted via forms, contracts, support interations, or event registrations.
1.2 Technical information

To ensure secure and effective website and platform navigation, we collect:

  • IP address, browser type & version, time zone, operating system.
  • Login details and plug-in information
  • information about your visit, including pages viewed and navigation paths.

Our Cookies Policy is available here.

You do not need to submit any personal information to use our website but certain areas allow you to provide details for access or communication.

1.3 Information we obtain from third party sources

We may receive information from:

  • Social media platforms, event sponsors or lead generation partners
  • Marketing and sales engagement service providers for legitimate business purposes.
1.4 Website Analytics and Advertising

We use:

  • Heat mapping and session recording tools (withopt-out options available).
  • Analytics technologies to understand visitor behaviour patterns
  • Security and performance monitoring services to protect and optimise our website.
  • Advertising technologies to deliver targeted ads based on interests and interactions.

2. How we use your information

We use your personal data for the following purposes:

  • Providing the Service: To give you with access to our website and platform, deliver threat intelligence services, and manage your account.
  • Improving Our Services: To analyse usage patterns, improve our platform’s performance, and enhance user experience.
  • Customer Support: To respond to your inquiries, resolve issues, and provide technical assistance.
  • Billing and Payments: To process your payments and manage your subscription.
  • Compliance and Security: To maintain the securit of our systems , prevent fraud, and comply with applicable legal requirements.
  • Marketing and Communications: To share product updates, event invitations, andrelevant information (with opt-out options available).
  • Advertising: To deliver targeted ads based on your interestsand interactions.
  • Business sale: f our business or assets are acquired, yourpersonal data will be transferred to the buyer.

3. Legal basis for processing personal data

When you supply any personal information to us, we have legal obligations towards you in the way we use it. We will always ensure that whenever personal data processed, industry standards and legal requirements are maintained.

The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. Several data elements are collected for multiple purposes, as the table below shows.

Purpose for collection Data collected Reason for collection Lawful basis for processing Data shared with Retention period
Account setup, Access &
Threat Intelligence Service Provision		 Name, company name, job title and email address To create and provide access to our Platform Contractual Performance Internal teams, authorised systems 1 month following end of contract
Threat Intelligence Services *Name, telephone, address/location, and email addresses, contact details, aliases, social media accounts, financial information e.g. credit card information, photographs, DOB * To provide Threat Intelligence services to clients to enable risk management to their business and potentially fraudulent activity Contractual Performance
Public interest
Legitimate Interests		 Internal teams, customers up to 4 years
Payments & invoicing Name, business address, email, phone & bank details / payment information To process payments, maintain records for accounting, tax & legal compliance Contractual performance
Statutory obligation
Legitimate interest		 Internal teams, Professional advisors 7 Years
Security Technical information, IP addresses, (login information) To protect our website, platform and infrastructure, trouble shoot issues and compile statistics Legitimate interest Internal teams 18 months
Analytics Technical information, IP addresses, login information (where applicable), To understand user behaviour, troubleshoot and improve website & platform performance Legitimate interest Internal teams 12 months
Platform improvements Device information, IP address, interaction, data (e.g. clicks, page views), email addresses To understand platform users interactions for service improvements Legitimate interest Internal teams, trusted partners 12 months
Marketing & Communications (Service Communications) Names, business contact details (company name, job title & usage history (where applicable) To communicate with you about services and new products during and shortly after your contract.
To evaluate customer satisfaction and improve our products and services		 Contractual Performance
Legitimate Interest (surveys)		 Internal teams, CRM providers, NPS provider, trusted partners 6 months following end of contract
Marketing & Communications (Marketing & professional engagement) Names, business contact details (company name, job title & usage history (where applicable) To share updates, articles, invitations, and information about services you have use, trialled, or may be interested in Legitimate Interest Internally, CRM provider and trusted third parties Reviewed annually; retained for up to 24 months from last transaction or until opt-out
Advertising Name, job title, business entity To deliver personalised ads and measure the effectiveness of marketing campaigns Legitimate Interest Internal teams, Advertising partners, trusted partners 24 months
Telecommunications Contact details, call recordings, communications logs To communicate with you Contractual Performance Internal teams & VOIP provider 30 days (voicemail) 12 months (analytics)

CYJAX acts as a Data Controller for its own information and as a Processor when acting under customer instructions. Customers as Data Controllers are responsible for compliance with applicable regulations.

3.1 Open source data*

We collect publicly available information from the internet and dark web to deliver threat intelligence services. This helps our customers identify vulnerabilities, detect breaches, protect critical assets, monitor exposure of sensitive data, and respond to direct threats.

Due to the volume and nature of this data, we rely on GDPR Article 14(a) and (b) exemptions, as notifying individuals would involve disproportionate effort. Additionally, where we cannot identify data subjects without processing further information, we rely on Article 11(1) UK GDPR, which permits processing without identification when it is not necessary for the purpose

http://www.privacy-regulation.eu/en/article-14-information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject-GDPR.htm

3.2 If our business is sold

We will share your information with the purchaser of our business and your personal information will be shared for this purpose. In this instance, we have a legitimate interest to ensure that our business can continue for the buyer. If you object to the use of your personal information in this way, the buyer will not be able to provide the services you have subscribed to. In some circumstances we will need to share your personal information if we are under a legal obligation to do so.

4. Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. When your data is no longer needed, we will securely delete or anonymise it

5. Security

CYJAX is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately, and held securely in accordance with the UK and EU General Data Protection Regulation (GDPR) and Data Protection Act 2018 as amended by the Data (Use & Access) Act 2025.

Our ISMS (information security management system) is certified to ISO/IEC 27001, demonstrating that we have the appropriate Framework in place to ensure that all our information assets and networks are secure. We limit access to users’ personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process users’ personal data on our instructions and they are subject to a duty of confidentiality.

6. International transfers and third party processing

We make every reasonable effort to store and process your information in the country where it was submitted. However, some of our service providers may operate outside the UK and European Economic Area (EEA). This means your data may occasionally be transferred internationally.

When data is transferred outside the UK or EEA, we apply the following safeguards:

• Transfers are only made to countries or territories recognised as providing an adequate level of protection under UK GDPR.

• Where adequacy does not apply, we use contracts approved by the relevant regulatory authorities to ensure equivalent protection and effective data controls.

• All third-party processors must meet our security standards and comply with our information management framework.

• Data is encrypted end-to-end during transit and at rest.

• Retention periods are clearly defined and regularly reviewed.

6.1 Third parties and sub processors

We may share data with carefully selected third parties to deliver services, such as hosting, invoicing system administration, and file management. If the third-party processes data on our behalf, we will ensure that the processor only has the information they require to perform their specific service and is only entitled to process personal data to our specific instructions.

If we need to transfer your personal information to another organisation for processing in countries that are not located in the United Kingdom, European Economic Area or listed as ‘adequate’ by the Information Commissioner’s Office, we will only do so if we have sufficient protections in place to safeguard information, including, where appropriate, contractual terms approved by the relevant regulatory authorities

7. Sharing

Any information you provide to CYJAX, or that CYJAX collects, will only be used within CYJAX or its trusted partners consistent with the purpose in which it was collected. It will not be shared with any third parties for commercial gain or sold.

The only other instances in which we would share this information is where we are obliged or permitted to by law, or consent has been given and/or in accordance with this Privacy Notice.

8. Links to other websites

From time to time, our website and Platform may contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

9. Changes to this Privacy Notice

We reserve the right to change this Privacy Notice at any time. Please refer to the date at the top of this page to determine when this Privacy Notice was last revised. Any changes to our Privacy Notice will become effective upon posting of the revised Privacy Notice on our website. By continuing to use our website and/or the Service following such changes, users will be deemed to have agreed to such changes.

10. Your rights

Under data protection laws in the European Union and the UK, you have certain rights in relation to your personal information. You have the right:

  • To be informed about how we collect and use your personal data.
  • To access your personal data and supplementary information.
  • To rectify inaccurate or incomplete personal data.
  • To request erasure (“right to be forgotten”) in certain circumstances.
  • To restrict processing in specific situations.
  • To data portability, allowing you to obtain and reuse your data across different services.
  • To object to processing, including the right to object to direct marketing at any time.
  • To withdraw consent for processing where consent is the legal basis, without affecting prior lawful processing.
  • To rights related to automated decision-making and profiling, where applicable.
  • To lodge a complaint with the Information Commissioner’s Office (ICO).

A full list of your rights under the General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.

We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. If this is the case, we will write to you to explain the reasons why.

11. How to contact Us

To exercise these rights or to raise a privacy-related concern, please contact:

• Email: privacy[at]CYJAX.com

• Postal Address: First Floor, 1 Des Roches Square, Witan Way, Witney, OXON OX28 4BE

• Phone: 020 7096 0668

If you are based in the EU, you may also contact our EU Representative (details below).

Requests will be acknowledged within three working days, and we aim to provide a full response within 30 calendar days, subject to applicable exemptions.

A cease-processing request will be acknowledged immediately with an automated confirmation stating our intention to comply.

11.1 EU Representative (GDPR Article 27)

Our appointed EURepresentative is:
Data Protection Limited, 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin,Ireland DO2 EK84
Email: cyjax[at]williansdps.com
Phone: 00 353 1 447 0402

You may contact our EURepresentative for any matters related to the processing of personal datawithin the EU.

For more information onapplicable regulations, please visit:
Information Commissioner’s Office (ICO)
CYJAX is registered with the ICO under reference ZA053004, as requiredby UK legislation.

11.2 Privacy complaints

If you have concerns about how we collect or use your personal data, we encourage you to contact us first. We are committed to resolving privacy complaints quickly and fairly.

Step 1: Contact Us

Please include: Your full name and contact information, a summary of your concern and any relevant dates or evidence.

Step 2: Our Response

We will acknowledge your complaint within 30 days. You will receive a full response as soon as possible (typically within 45 days).

Step 3: If You're Not Satisfied

If you are not happy with our response, you may escalate the matter to the Information Commission (ICO): https://ico.org.uk/make-a-complaint/

13. Disclaimer

As far as is possible, CYJAX will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, as we regularly virus-check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.

Links to other websites included on this website do not imply any endorsement, validation, or responsibility by CYJAX as to the content or privacy policies of such sites. We cannot guarantee that these links will work all the time and we have no control over the availability of the linked pages. d