Privacy Policy
This Privacy Policy explains how CSC handles personal data connected with accounts, tool usage, service requests, consent logs, and platform security.
1. Who CSC is
For the purposes of this Privacy Policy, Cyber Security Center ("CSC", "we", "us", or "our") is the controller of personal data processed through the CSC website, tools, account system, and professional service request channels, except where another party is clearly identified for a specific service.
CSC is a UK-first service and operates with awareness of UK and EU data protection expectations. This policy is written in plain English and is intended to describe the data practices that actually apply to the current product.
2. What personal data we collect
Depending on how you use CSC, we may collect account email address, login verification data, policy acceptance data, optional marketing consent, IP address, approximate location derived from IP, browser/device/session metadata, usage events, tool inputs, scan metadata, service request details, support or enquiry messages, and security or abuse-related log data.
For signed-in accounts, we may also maintain records such as account creation date, last login date, session identifiers, remembered device/session records, masked session display data, and language preference where available.
3. Where the data comes from
Most personal data comes directly from you when you enter an email address, request a sign-in code, submit tool inputs, use the local network scan, request a professional assessment, or interact with the site.
Some data is created automatically from your use of the service, such as IP address, approximate location from IP, browser/user-agent information, session state, timing information, security logs, and tool result metadata. Some results may also include information obtained from public DNS, certificate, website, or IP-related sources that are relevant to the tool you are using.
4. Why we process personal data
We process personal data to operate CSC, authenticate users, maintain sessions, provide tool results, respond to assessment requests, support service integrity, manage local agent and device workflows, investigate abuse or suspicious use, keep records of consent and policy acceptance, and improve the quality, stability, and safety of the service.
We may also use personal data to comply with legal obligations, respond to lawful requests, preserve evidence where misuse is suspected, and establish or defend legal claims.
5. Lawful bases
Depending on the context, our lawful bases may include performance of a contract or steps taken at your request before entering into a contract, legitimate interests in operating, securing, and improving CSC, compliance with legal obligations, and consent where consent is specifically requested.
Where we rely on legitimate interests, those interests generally include service operation, account security, fraud prevention, abuse handling, platform diagnostics, lawful defensive logging, and responding to requests made through the service.
6. Account, login, and session data
CSC currently uses passwordless email-code sign-in. We process your email address, login code issuance/verification records, session identifiers, session expiry data, IP address, approximate location from IP, and browser/device/session metadata to authenticate you and maintain your account session.
We do not intentionally expose session secrets to frontend JavaScript. Session and remember-device mechanisms are intended to support account access, security, and fraud or misuse detection.
7. Tool inputs, scan logs, consent logs, and audit records
When you use CSC tools, we may store the input you submitted, high-level scan metadata, requester IP, timing information, account or guest identifiers, result summaries, consent confirmations, and related audit records. For website security reviews, we may log consent text/version and scan outcome summary. For account access, we may log versioned policy acceptance and optional marketing preference.
These records help us operate the tools, explain what was requested, investigate abuse, respond to disputes, and comply with legal obligations where necessary.
8. Cookies and similar technologies
CSC uses essential cookies and similar storage mechanisms that are required for core service operation, such as account session cookies, remember-device cookies, and local browser storage used for session display state or language preference. These are used to provide the service you request, maintain security, and improve usability.
Based on the current product behaviour, CSC does not present a non-essential analytics or advertising cookie banner because the service is not currently using those categories as part of the core public experience. If that changes, CSC may update this policy and the user experience accordingly.
9. Who we share data with
CSC may share data with service providers or infrastructure providers acting on our instructions where needed to run the service, deliver email, host the platform, or support security and reliability. We may also disclose data to professional advisers, regulators, courts, law enforcement, or other authorities where required by law or where disclosure is otherwise permitted for the prevention, investigation, or response to misuse or unlawful activity.
We do not claim that data is never shared. Any sharing is limited to what is reasonably necessary for the relevant purpose.
10. International transfers
Some service providers or public data sources used by CSC may process data outside the UK or EEA. Where that happens, CSC aims to use appropriate transfer mechanisms and safeguards where required, such as contractual protections or reliance on permitted transfer mechanisms under applicable law.
11. Retention
We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required or justified for legal, security, fraud prevention, abuse investigation, or dispute-handling reasons.
Examples include: login codes for a short security-limited period; active and remembered session data for the session lifecycle and a reasonable retention window; usage events and service request logs for operational, support, and audit needs; and policy acceptance records for as long as reasonably needed to show what was accepted and when.
12. Security
CSC uses technical and organisational measures intended to reduce security risk, including access controls, secure cookie handling where applicable, session controls, backend-only handling for sensitive operations, and limited data exposure to the frontend. No service can promise absolute security, and you should use CSC with that understanding.
13. Automated decision-making
CSC may use automated processing to generate tool outputs, detect suspicious patterns, rate-limit usage, or support abuse handling. These checks are not presented as legally binding automated decisions about you, and CSC does not claim that tool outputs are definitive or complete.
14. Your rights
Depending on where you are located and what law applies, you may have rights to access personal data, request correction, request deletion, object to certain processing, request restriction, request portability, and withdraw consent where consent is relied on.
These rights are not absolute and may be limited where exemptions apply, for example to protect legal claims, platform security, other users, or compliance obligations.
15. How to exercise rights
You can contact CSC using the public contact route at /assessment-request/ or other public contact details published on the service. Please provide enough information for us to identify your request and respond appropriately.
If you are dissatisfied with how your data is handled, you may also have the right to complain to your local supervisory authority. In the UK, the main supervisory authority is the Information Commissioner's Office (ICO).
16. Children
CSC is not designed specifically for children. If you believe a child has provided personal data to CSC inappropriately, please contact CSC so the matter can be reviewed.
17. Changes to this policy
We may update this Privacy Policy from time to time to reflect operational, legal, or product changes. The latest version, effective date, and update date will be shown on this page. Where required, CSC may request renewed acceptance in the account access flow.
18. Contact details and complaint route
For privacy questions, contact CSC using the public contact route published on the service. If a public contact email address is published by CSC, that address may also be used for privacy requests where appropriate.
If you are in the UK and believe your personal data has been handled unlawfully, you may complain to the ICO. If you are elsewhere in the UK/EU region, you may also have a right to complain to your local supervisory authority.