Legal

Who this policy applies to

This policy applies to:

• visitors to our website;
• people who contact us by email;
• prospective customers, pilot organisations, partners and investors;
• administrators and authorised users of the Cyberlytica platform;
• employees, users or device holders whose information is provided to us through a customer's Microsoft Intune environment.

Our website and services are intended for business users and organisations. They are not intended for children or individual consumer use.

Information we collect

Website visitors

Our public website is currently static. We do not currently use contact forms, account registration forms or analytics cookies on the public website.

If you contact us using a mailto link or by sending us an email, we may collect:

• your name;
• email address;
• phone number, if you provide it;
• organisation name;
• job title or role;
• the content of your message.

Business contacts

We may collect contact information about customers, prospective customers, partners, investors and suppliers, including:

• name;
• business email address;
• phone number;
• organisation;
• role;
• communication history.

We use this information to respond to enquiries, manage business relationships, discuss pilots or partnerships, and communicate about Cyberlytica's products and services.

Cyberlytica platform users

When a customer uses the Cyberlytica platform, we may process information required to provide the service. This may include:

• administrator names and email addresses;
• Microsoft Intune tenant information;
• users and groups available through Microsoft Intune;
• device information;
• installed, discovered, managed or assigned application information;
• application status, policy status and compliance-related information;
• app risk scores, privacy analysis results, policy matches, decisions and governance actions;
• audit and activity logs;
• Microsoft Graph access tokens and refresh tokens required to provide the service.

Microsoft Graph refresh tokens are stored in encrypted form using Azure Key Vault.

How we use personal data

We use personal data for the following purposes:

• to operate, provide and improve the Cyberlytica platform;
• to connect to Microsoft Intune and retrieve application, device, user and group information;
• to analyse application privacy risks and provide governance functionality;
• to allow customer administrators to review applications, apply policies and generate evidence;
• to maintain audit logs, service records and compliance evidence;
• to respond to enquiries and manage customer relationships;
• to communicate with prospective customers, partners and investors;
• to provide updates about our products and services where appropriate;
• to protect the security, reliability and integrity of our systems;
• to comply with legal, regulatory and accounting obligations.

We do not use customer data to train AI models.

We do not sell personal data.

Legal bases for processing

Where Cyberlytica acts as a controller, we rely on the following legal bases under UK GDPR:

• Legitimate interests: to respond to business enquiries, manage B2B relationships, improve our services, secure our systems and communicate with relevant business contacts.
• Contract or pre-contractual steps: to provide services to customers, support pilots, manage subscriptions and respond to requests before entering into a contract.
• Legal obligation: where processing is necessary for accounting, tax, regulatory or legal compliance.
• Consent: where we ask for consent, for example for optional marketing communications or non-essential cookies if introduced in the future.

Where Cyberlytica acts as a processor for customer platform data, we process that data on behalf of the customer organisation and in accordance with our agreement with that customer.

Microsoft Intune and customer data

Cyberlytica's first product connects to Microsoft Intune to help organisations govern privacy risks in managed and discovered mobile applications.

Depending on the customer's configuration and permissions, Cyberlytica may process information from Microsoft Intune such as:

• managed and discovered apps;
• application assignments and status;
• device records;
• users and groups;
• relationships between users, devices, groups and applications;
• policy review outcomes and governance actions.

This data is used only to provide the Cyberlytica service to the customer organisation.

Security

We apply technical and organisational measures to protect personal data.

These include:

• encryption in transit;
• encryption at rest;
• encrypted storage of Microsoft Graph refresh tokens in Azure Key Vault;
• access controls;
• restricted administrative access;
• cloud-hosted infrastructure in Microsoft Azure;
• monitoring and security controls appropriate to the service.

No system can be guaranteed to be completely secure, but we take reasonable steps to protect personal data against unauthorised access, loss, misuse or disclosure.

Hosting and storage location

Cyberlytica's application infrastructure is hosted in Microsoft Azure in the United Kingdom.

Customer data is stored in the United Kingdom. We currently do not intentionally transfer customer data outside the UK.

We also use Google Firebase/Firestore for parts of our service infrastructure. Where used, it is configured for UK-based storage where available.

Third-party service providers

We may use trusted third-party providers to operate our website, business systems and product platform. These may include:

• Microsoft Azure;
• Microsoft Graph and Microsoft Intune;
• Azure Key Vault;
• Google Firebase/Firestore;
• email and business communication providers.

These providers process data only where necessary to provide their services to us or to support delivery of Cyberlytica services to customers.

Cookies and analytics

Our public website does not use analytics cookies or marketing cookies.

We use Simple Analytics to understand basic website usage, such as page views, referrers, country-level location, device type and browser information. Simple Analytics does not use analytics cookies on our website. We use this information to understand website traffic and improve the website.

Strictly necessary cookies may be used where required to operate secure product login or platform functionality.

Marketing communications

We may contact business contacts about Cyberlytica products, pilots, partnerships or related updates where we believe this is relevant to their role or organisation.

You can opt out of marketing communications at any time by contacting us at max@cyberlytica.ai.

Data retention

We keep personal data only for as long as necessary for the purposes described in this policy.

For business enquiries and contact records, we keep data for as long as needed to manage the relationship, respond to enquiries and maintain business records.

For customer platform data, we keep data while the customer subscription or pilot remains active. After the subscription or pilot ends, we retain customer data for up to one month, after which it will be deleted or anonymised.

If a customer requests deletion earlier, we can delete customer data sooner, subject to any legal or contractual obligations that require retention.

Audit logs, compliance evidence or service records may be retained for longer where required by the customer, contract, law or legitimate governance purposes.

Your rights

Under UK data protection law, individuals may have rights to:

• access personal data;
• correct inaccurate data;
• request deletion;
• restrict processing;
• object to processing;
• request data portability;
• withdraw consent where processing is based on consent;
• complain to the UK Information Commissioner's Office.

To exercise your rights, contact us at max@cyberlytica.ai.

If your data is processed by Cyberlytica on behalf of your employer or organisation, we may need to refer your request to that organisation.

You also have the right to complain to the UK Information Commissioner's Office.

Changes to this policy

We may update this Privacy Policy from time to time. The latest version will be published on our website with the updated date shown at the top.

Contact us

For questions about this Privacy Policy or how we handle personal data, contact: