Privacy Policy

Last updated 24/04/2026

CYJAX (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Notice explains how we collect, use, and safeguard your personal data when you use our Platform, services, visit our website, or interact with us. It also outlines your rights and how you can exercise them. Please read this notice carefully to understand our practices and your choices.

The Privacy Policy for Candidates can be found here

The Privacy Policy for Investors can be found here

CYJAX Platform, Services and Website

Who we are

CYJAX is a Threat Intelligence company that provides businesses with Threat Intelligence and alerting. We collect publicly available information from varying sources, enabling us to provide consultancy and advisory services to clients about the risks they face, and to help ensure their critical assets are secured. We do this through technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytic features that generate outputs in the form of alerts, reports or data feeds to enable business entities to conduct analysis of the threats they face.

1. Collection of personal data

We collect from several sources:

1.1 Information provided by you
  • name, business contact details - company, email address, phone number, job title,
  • Details submitted via forms, contracts, support interations, or event registrations.
1.2 Technical information

To ensure secure and effective website and platform navigation, we collect:

  • IP address, browser type & version, time zone, operating system.
  • Login details and plug-in information
  • information about your visit, including pages viewed and navigation paths.

Our Cookies Policy is available here.

You do not need to submit any personal information to use our website but certain areas allow you to provide details for access or communication.

1.3 Information we obtain from third party sources

We may receive information from:

  • Social media platforms, event sponsors or lead generation partners
  • Marketing and sales engagement service providers for legitimate business purposes.
1.4 Website Analytics and Advertising

We use:

  • Heat mapping and session recording tools (withopt-out options available).
  • Analytics technologies to understand visitor behaviour patterns
  • Security and performance monitoring services to protect and optimise our website.
  • Advertising technologies to deliver targeted ads based on interests and interactions.

2. How we use your information

We use your personal data for the following purposes:

  • Providing the Service: To give you with access to our website and platform, deliver threat intelligence services, and manage your account.
  • Improving Our Services: To analyse usage patterns, improve our platform’s performance, and enhance user experience.
  • Customer Support: To respond to your inquiries, resolve issues, and provide technical assistance.
  • Billing and Payments: To process your payments and manage your subscription.
  • Compliance and Security: To maintain the securit of our systems , prevent fraud, and comply with applicable legal requirements.
  • Marketing and Communications: To share product updates, event invitations, andrelevant information (with opt-out options available).
  • Advertising: To deliver targeted ads based on your interestsand interactions.
  • Business sale: If our business or assets are acquired, yourpersonal data will be transferred to the buyer.
  • AI assisted marketing: To support marketing and service improvement activities (including sales outreach), such as drafting content analysing engagement, using third-party tools where appropriate.

3. Legal basis for processing personal data

When we process personal data, we do so in accordance with the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("EU GDPR") where applicable, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 ("DUAA"). Because we provider services involving both EU & UK personal data, we apply the relevant legal regime depending on where the individual is located and/or which law applies to the processing activity.

Where we rely on legitimate interests as a lawful basis, we do so under Article 6(1)(f) EU GDPR for processing and/ or Article 6(1)(f) UK GDPR for processing subject to the UK GDPR.

We will always ensure that whenever personal data processed, industry standards and legal requirements are maintained.

The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. Several data elements are collected for multiple purposes, as the table below shows.

Purpose for collection Data collected Reason for collection Lawful basis for processing Data shared with Retention period
Account setup, Access &
Threat Intelligence Service Provision		 Name, company name, job title and email address To create and provide access to our Platform Contractual Performance Internal teams, authorised systems 1 month following end of contract
Threat Intelligence Services *Name, telephone, address/location, and email addresses, contact details, aliases, social media accounts, financial information e.g. credit card information, photographs, DOB * To provide Threat Intelligence services to clients to enable risk management to their business and potentially fraudulent activity Contractual Performance
Legitimate Interests		 Internal teams, customers up to 4 years
Payments & invoicing Name, business address, email, phone & bank details / payment information To process payments, maintain records for accounting, tax & legal compliance Contractual performance
Statutory obligation
Legitimate interest		 Internal teams, Professional advisors 7 Years
Security Technical information, IP addresses, (login information) To protect our website, platform and infrastructure, trouble shoot issues and compile statistics Legitimate interest Internal teams 18 months
Analytics Technical information, IP addresses, login information (where applicable), To understand user behaviour, troubleshoot and improve website & platform performance Legitimate interest Internal teams 12 months
Platform improvements Device information, IP address, interaction, data (e.g. clicks, page views), email addresses To understand platform users interactions for service improvements Legitimate interest Internal teams, trusted partners 12 months
Marketing & Communications (Service Communications) Names, business contact details (company name, job title & usage history (where applicable) To communicate with you about services and new products during and shortly after your contract.
To evaluate customer satisfaction and improve our products and services		 Contractual Performance
Legitimate Interest (surveys)		 Internal teams, CRM providers, NPS provider, trusted partners 6 months following end of contract
Marketing & Communications (Marketing & professional engagement) Names, business contact details (company name, job title & usage history (where applicable) To share updates, articles, invitations, and information about services you have use, trialled, or may be interested in Legitimate Interest Internally, CRM provider and trusted third parties Reviewed annually; retained for up to 24 months from last transaction or until opt-out
Marketing & Communications (Automated LinkedIn outreach & engagement) Names, business contact details (company name, job title), LinkedIn profile URL, engagement metadata (connection status, message history), professional signals To identify and engage relevant professional, send connection requests and follow-up messages, monitor job changes and new hies and interest with posts to maintain professional engagement Legitimate Interest Internally, CRM provider and trusted third parties Reviewed annually; retained for up to 24 months from last transaction or until opt-out
Advertising Name, job title, business entity To deliver personalised ads and measure the effectiveness of marketing campaigns Legitimate Interest Internal teams, Advertising partners, trusted partners 24 months
Telecommunications Contact details, call recordings, communications logs To communicate with you Contractual Performance Internal teams & VOIP provider 30 days (voicemail) 12 months (analytics)

CYJAX acts as a Data Controller for its own information and as a Processor when acting under customer instructions. Customers as Data Controllers are responsible for compliance with applicable regulations.

Where processing is based on legitimate interests, we identify the interest pursued and consider the impact on individuals’ rights and freedoms, applying safeguards as appropriate. This approach is applied consistently to processing subject to both the EU GDPR and the UK GDPR.

3.1 Open source data*

*We collect publicly available information from the internet and dark web to deliver threat intelligence services. This helps our customers identify vulnerabilities, detect breaches, protect critical assets, monitor exposure of sensitive data, and respond to direct threats.

Due to the volume and nature of this data, we rely on GDPR Article 14(a) and (b) exemptions, as notifying individuals would involve disproportionate effort. Additionally, where we cannot identify data subjects without processing further information, we rely on Article 11(1) UK GDPR, which permits processing without identification when it is not necessary for the purpose.

Where applicable, processing of publicly available information is carried out on the basis of legitimate interests under Article 6(1)(f) EU GDPR and/or Article 6(1)(f) UK GDPR. In all cases, such processing is proportionate, subject to safeguards, and carried out in accordance with applicable transparency obligations and exemptions where required.

3.2 If our business is sold

http://www.privacy-regulation.eu/en/article-14-information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject-GDPR.htm

We will share your information with the purchaser of our business and your personal information will be shared for this purpose. In this instance, we have a legitimate interest to ensure that our business can continue for the buyer. If you object to the use of your personal information in this way, the buyer will not be able to provide the services you have subscribed to. In some circumstances we will need to share your personal information if we are under a legal obligation to do so.

4. Automated decision making and profiling

We may use automated processing and analytic technologies on our platform and websites  to support threat intelligence, security monitoring, detection of risks, and service improvement. We do not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals without appropriate safeguards.

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. When your data is no longer needed, we will securely delete or anonymise it

Where automated decision making or profiling is used, we provide safeguards as required by applicable data protection law, including the right to request human intervention, to express a view, and to challenge decisions, where applicable.

5. Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements. When your data is no longer needed, we will securely delete or anonymise it.

6. Security

CYJAX is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately, and held securely in accordance with the UK and EU General Data Protection Regulation (GDPR) and Data Protection Act 2018 as amended by the Data (Use & Access) Act 2025.

Our ISMS (information security management system) is certified to ISO/IEC 27001, demonstrating that we have the appropriate Framework in place to ensure that all our information assets and networks are secure. We limit access to users’ personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process users’ personal data on our instructions and they are subject to a duty of confidentiality.

7. International transfers and third party processing

We make every reasonable effort to store and process your information in the country where it was submitted. However, some of our service providers may operate outside the UK and European Economic Area (EEA). This means your data may occasionally be transferred internationally.

When data is transferred outside the UK or EEA, we apply the following safeguards:

• Transfers are only made to countries offering an adequate level of protection, or where appropriate safeguards are in place under applicable data protection law.

• Where adequacy does not apply, we use contracts approved by the relevant regulatory authorities to ensure equivalent protection and effective data controls.

• All third-party processors must meet our security standards and comply with our information management framework.

• Where we use third-party AI service providers, personal data may be processed in the UK, EEA or other locations, with appropriate safeguards applied.

• Data is encrypted end-to-end during transit and at rest.

• Retention periods are clearly defined and regularly reviewed.

7.1 Third parties and sub processors

We may share data with carefully selected third parties to deliver services, such as hosting, invoicing system administration, and file management. If the third-party processes data on our behalf, we will ensure that the processor only has the information they require to perform their specific service and is only entitled to process personal data to our specific instructions.

We may use third-party AI service providersto support sales outreach and marketing communications (for example, to generate draft messages, summarise prior interactions, or help prioritise outreach). Where this involves personal data, we share only what is necessary (typically business contact details and relevant communications context). These providers act as processors on our instructions and are subject to contractual obligations designed to protect your personal data, including appropriate security measures and restrictions on their use of the data for their own purposes.

If we transfer your personal data to a country outside the UK, EEA, or one not deemed ‘adequate’ by the Information Commissioner’s Office, we will only do so with sufficient safeguards in place, including contractual terms approved by relevant authorities.

8. Sharing

Any information you provide to CYJAX, or that CYJAX collects, will only be used within CYJAX or its trusted partners consistent with the purpose in which it was collected. It will not be shared with any third parties for commercial gain or sold.

The only other instances in which we would share this information is where we are obliged or permitted to by law, or consent has been given and/or in accordance with this Privacy Notice.

9. Links to other websites

From time to time, our website and Platform may contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

We may use third‑party AI service providers to support sales outreach and marketing communications, sharing only limited business contact details and message context as necessary, under contractual safeguards and our instructions.

10. Changes to this Privacy Notice

If we transfer your personal information to another organisation for processing in countries that are not located in the United Kingdom, European Economic Area or listed as ‘adequate’ by the Information Commissioner’s Office, we will only do so if we have sufficient protections in place to safeguard information, including, where appropriate, contractual terms approved by the relevant regulatory authorities

We reserve the right to change this Privacy Notice at any time. Please refer to the date at the top of this page to determine when this Privacy Notice was last revised. Any changes to our Privacy Notice will become effective upon posting of the revised Privacy Notice on our website. By continuing to use our website and/or the Service following such changes, users will be deemed to have agreed to such changes.

11. Your rights

Under data protection laws in the European Union and the UK, you have certain rights in relation to your personal information. You have the right:

  • To be informed about how we collect and use your personal data.
  • To access your personal data and supplementary information.
  • To rectify inaccurate or incomplete personal data.
  • To request erasure (“right to be forgotten”) in certain circumstances.
  • To restrict processing in specific situations.
  • To data portability, allowing you to obtain and reuse your data across different services.
  • To object to processing, including the right to object to direct marketing at any time.
  • To withdraw consent for processing where consent is the legal basis, without affecting prior lawful processing.
  • To rights related to automated decision-making and profiling, where applicable.
  • To lodge a complaint with the Information Commissioner’s Office (ICO).

When responding to data subject access requests, we carry out reasonable and proportionate searches and may request clarification or proof of identity where necessary. Where permitted by law, statutory response timeframes may be paused until such clarification is received.

A full list of your rights under the UK General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.

We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. If this is the case, we will write to you to explain the reasons why.

12. How to contact Us

To exercise these rights or to raise a privacy-related concern, please contact:

• Email: privacy[at]CYJAX.com

• Postal Address: First Floor, 1 Des Roches Square, Witan Way, Witney, OXON OX28 4BE

• Phone: 020 7096 0668

When responding to data subject access requests, we carry out reasonable and proportionate searches and may request clarification or proof of identity where necessary. Where permitted by law, statutory response timeframes may be paused until such clarification is received.

If you are based in the EU, you may also contact our EU Representative (details below).

Requests will be acknowledged within three working days, and we aim to provide a full response within 30 calendar days, subject to applicable exemptions.

A cease-processing request will be acknowledged immediately with an automated confirmation stating our intention to comply.

12.1 EU Representative (GDPR Article 27)

Our appointed EU Representative is:
Data Protection Limited, 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin, Ireland DO2 EK84
Email: cyjax[at]williansdps.com
Phone: 00 353 1 447 0402

You may contact our EU Representative for any matters related to the processing of personal datawithin the EU.

A full list of your rights under the General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.

For more information on applicable regulations, please visit:
Information Commissioner’s Office (ICO)
CYJAX is registered with the ICO under reference ZA053004, as required by UK legislation.

12.2 Privacy complaints

You have the right to lodge a data protection complaint directly with CYJAX if you believe we have infringed applicable data protection law in the way we handle your personal data.

Step 1: Raise you complaint with us

Complaints may be submitted via email, post, or telephone and do not need to reference specific legal provisions. We will acknowledge receipt within 30 days and investigate without undue delay.

Step 2: Our Response

We will inform you of the outcome as soon as reasonably possible, taking into account the nature and complexity of the complaint.

Step 3: If you are not satisfied

If you are dissatisfied with our response, you have the right to escalate your complaint to the Information Commissioner's Office (UK) or your relevant supervisory authority, as applicable.

https://ico.org.uk/make-a-complaint/.

13. Disclaimer

As far as is possible, CYJAX will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, as we regularly virus-check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.

Links to other websites included on this website do not imply any endorsement, validation, or responsibility by CYJAX as to the content or privacy policies of such sites. We cannot guarantee that these links will work all the time and we have no control over the availability of the linked pages.