1. Introduction
Secure Chain Technology Group Ltd (“Secure Chain”, “we”, “us”, “our”) is a UK-based managed security service provider (MSSP). We are committed to protecting personal data and being transparent about how we collect and use it.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, contact us, engage with our services, or otherwise interact with us. It also explains your rights under UK data protection law.
This policy is intended to meet the transparency requirements of the UK GDPR and the Data Protection Act 2018, and where relevant, the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Who we are (and how to contact us)
Secure Chain Technology Group Ltd is the data controller for the personal data described in this policy unless stated otherwise.
2.1 Controller details
- Registered name: Secure Chain Technology Group Ltd
- Registered address: Unit 43, Clocktower Business Centre, Works Rd, Chesterfield, S43 2PE
- Company registration number: 12153901
- Email: info@securechaingroup.com
If you have questions about this policy or how we handle personal data, please contact us using the email address above. If we are required to appoint a Data Protection Officer (DPO) for a particular engagement, we will provide DPO contact details in the relevant documentation.
3. When we act as controller vs processor
Depending on the service, we may act as:
- Data controller – where we decide why and how your personal data is processed (for example, handling enquiries, managing supplier and client relationships, billing, and administering our website).
- Data processor – where we process personal data on behalf of a client (the client is the controller) under a contract and Data Processing Agreement (DPA), for example when delivering managed services such as vulnerability management, patch management, monitoring, and incident response.
Where we act as a processor, we process personal data only on the documented instructions of the controller (our client) and in line with the contract/DPA. Client service specifications may confirm that the client is the controller and Secure Chain is the processor for service delivery.
4. Personal data we collect
We collect personal data in the following main categories (the exact data depends on your interaction with us):
4.1 Identity and contact data
- Name
- Business contact details (email, telephone number, postal address)
- Job title, employer/organisation details
4.2 Communications data
- Content of messages you send to us (for example, enquiries, support tickets, emails)
- Records of communications and decisions (including approvals, change requests, and incident communications where applicable)
4.3 Technical and usage data (website and security operations)
- IP address and device/browser information
- Website usage and interaction data (for example, page visits and preferences)
- Security and operational logs relevant to service delivery (for managed services, this may include vulnerability scan outputs, asset identifiers, and remediation records, depending on scope and instructions)
4.4 Business relationship data
- Account and contract information
- Billing and payment records (business contact details, invoice details)
- Supplier and partner information
4.5 Special category data and criminal offence data
As a general rule, we do not need special category data (for example, health data) to operate our website or handle general enquiries. However, in some managed service contexts, clients may provide or generate datasets that incidentally include special category data or other sensitive information. Where this occurs, we handle it with enhanced safeguards and only as instructed by the client controller and as permitted under applicable law and the contract/DPA.
5. Where we get personal data from
We may obtain personal data from:
- You directly (for example, you contact us, complete a form, or request services).
- Your organisation (for example, a client provides contact details for authorised contacts).
- Publicly available sources (for example, corporate websites, professional profiles) where permitted and appropriate for B2B engagement.
- Our service delivery tools and systems (for example, support portal and logging systems), where relevant to the services provided.
When we obtain personal data from sources other than the individual (including publicly accessible sources), we provide privacy information within a reasonable period and at the latest within one month, and in any event at first contact or before disclosure where required.
6. How we use personal data (purposes and lawful bases)
UK GDPR requires us to have a lawful basis for processing personal data. The lawful basis depends on the purpose. Where we rely on legitimate interests, we carry out and document a Legitimate Interests Assessment (LIA) using the ICO three-part test (purpose, necessity, balancing) and keep an audit trail.
6.1 Purposes and lawful bases (controller activities)
The table below summarises common controller activities. Additional details may apply depending on your relationship with us.
| Purpose | Typical data | Lawful basis (UK GDPR) |
| --- | --- | --- |
| Responding to enquiries and managing relationships | Identity & contact; communications | Legitimate interests (business communications) and/or contract (where requesting services) |
| Providing services and support (as controller) | Identity & contact; communications; account data | Contract (performance of a contract) and legitimate interests (service management) |
| Marketing (B2B) and business development | Identity & contact; marketing preferences; engagement data | Legitimate interests and/or consent where required; right to object to direct marketing applies |
| Website operation, security, and analytics | Technical/usage data; cookie preferences | Legitimate interests for security; consent for non-essential cookies/technologies where required |
| Billing, finance, and record keeping | Identity & contact; billing records | Contract and legal obligation (for example, tax/accounting requirements) |
| Compliance, risk management, and defending legal claims | Relevant records; communications; audit logs | Legal obligation and/or legitimate interests (protecting legal rights) |
6.2 Processor activities (client instructions)
Where we act as a processor for a client (controller), the client determines the purposes and lawful bases. We process personal data only on the client’s documented instructions, including for:
- Vulnerability management and patching activities
- Monitoring and incident response
- Change and service request management
- Reporting and governance (service review packs and evidence for audits where agreed)
7. Marketing and communications (PECR)
We may send B2B marketing communications about our services where permitted by law. We will not send marketing to you where you have opted out. You can object to direct marketing at any time by using the unsubscribe option in our emails or by contacting us at info@securechaingroup.com. We maintain suppression records to ensure we respect opt-out requests.
8. Cookies and similar technologies (PECR)
Our website uses cookies and similar technologies. We provide clear information about what they do and why, and obtain consent for non-essential cookies/technologies where required. We do not set non-essential cookies before you have provided valid consent. Essential cookies used to provide a service you request (for example, security or session management) may be used without consent.
For more detail, we may publish a separate Cookie Policy and/or cookie list via our cookie banner or website.
9. Who we share personal data with
We do not sell personal data. We may share personal data with:
- Trusted service providers (sub-processors) who support our operations (for example, hosting, email, support tooling, and secure storage), under contract and with appropriate security obligations.
- Professional advisers (legal, audit, insurance) where necessary.
- Regulators, law enforcement, and courts where required by law or to protect legal rights.
- A prospective buyer/seller in the event of a merger, acquisition, or business transfer (subject to confidentiality and appropriate safeguards).
Where we act as a processor, we only appoint sub-processors where permitted by the contract/DPA and we ensure appropriate contractual protections are in place.
10. International transfers
If personal data is transferred outside the UK and the transfer is a restricted transfer, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, and we complete a transfer risk assessment (TRA) where required.
11. Data retention
We keep personal data only for as long as necessary for the purposes described in this policy, including legal, contractual, and audit requirements. Retention periods depend on the type of record and the engagement. Indicative retention periods used internally include:
- Client contracts: 7 years
- Financial records: 6 years
- Vulnerability scan logs: 2 years
- Email communications: 3 years
- Employee records: 6 years post-employment
- Third-party risk assessments: 5 years
Where we process data on behalf of a client, retention is governed by the contract/DPA and the client’s instructions.
12. Security of personal data
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include access controls, encryption in transit and (where appropriate) at rest, logging and monitoring, vulnerability management, secure configuration, staff training, and supplier assurance.
Where we become aware of a personal data breach, we assess the risk to individuals and comply with applicable reporting obligations, including notifying the ICO within 72 hours where feasible when required, and notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
13. Your rights (UK GDPR)
You have rights in relation to your personal data, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object (including to direct marketing)
- Rights relating to automated decision-making and profiling
To exercise your rights, contact info@securechaingroup.com. We may need to verify your identity before responding.
14. Complaints
If you have concerns about our handling of your personal data, please contact us first so we can address them. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk
15. Links to other websites
Our website may include links to third-party websites. We are not responsible for their privacy practices. Please review the privacy notices on any third-party sites you visit.
16. Children’s data
Our services and website are not directed at children and we do not knowingly collect personal data from individuals under 16.
17. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will be published on our website and the “Last updated” date will be revised accordingly.

