Privacy Policy
Last updated: 1 January 2026. This policy explains how ClairSec collects, uses, stores, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection law.
1. Controller identity
ClairSec (“ClairSec”, “we”, “us”, “our”) is the data controller for personal data collected through this website and in the course of providing managed cyber threat intelligence services.
Contact: privacy@clairsec.com
2. Data we collect
2.1 Website visitors
- IP address and browser type (server logs, retained 30 days)
- Pages visited, referrer URL, session duration (analytics)
- Name and email address if you submit the contact form
2.2 Prospects and clients
- Name, job title, company name, business email, phone number
- Correspondence (email, call notes, meeting records)
- Contractual documents (proposals, signed agreements)
- Billing and invoice data
2.3 Data we do not collect
We do not collect special-category personal data (health, biometric, political, religious). We do not use tracking pixels or third-party behavioural advertising networks on this website.
3. Legal basis for processing
| Purpose | Legal basis (GDPR Art.) |
|---|---|
| Responding to contact form enquiries | Legitimate interest (Art. 6(1)(f)) |
| Contract execution and invoicing | Performance of contract (Art. 6(1)(b)) |
| Service delivery to clients | Performance of contract (Art. 6(1)(b)) |
| Legal and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Website analytics (privacy-preserving) | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (opt-in) | Consent (Art. 6(1)(a)) |
4. How we use your data
- To respond to enquiries and schedule discovery calls
- To deliver contracted intelligence services
- To issue invoices and manage accounts
- To send service notifications and reports (clients only)
- To send the monthly ClairSec threat briefing (subscribers only, opt-out at any time)
- To improve website performance through aggregated, anonymised analytics
5. Retention periods
| Data category | Retention period |
|---|---|
| Website server logs | 30 days |
| Contact form submissions (no contract) | 12 months |
| Client contact data (active) | Duration of contract + 2 years |
| Invoices and financial records | 7 years (legal obligation) |
| Intelligence reports delivered to client | Duration of contract + 90 days |
| Credential exposure findings | 30 days after delivery, then purged |
6. Data sharing and sub-processors
We do not sell personal data. We share data only with the following categories of recipient and only to the extent necessary:
- Cloud infrastructure providers — hosting and storage (EU regions)
- Email service provider — transactional and service communications
- Accounting software — invoicing and financial records
- Legal and audit advisors — under strict confidentiality obligations
For clients subject to a Data Processing Agreement (DPA), the full sub-processor list is maintained in Annex D of the DPA and is updated on 30 days' notice.
7. International transfers
All personal data is processed within the European Economic Area (EEA) or in countries with an adequacy decision. Where a transfer outside the EEA is unavoidable, it is governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Security measures
We protect personal data with:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control — data accessible only to personnel who need it
- Multi-factor authentication on all systems
- Annual access reviews and quarterly internal audits
- 72-hour breach notification procedure (GDPR Art. 33)
9. Your rights
Under GDPR, you have the right to: access your data, correct inaccurate data, erase data (where no legal obligation to retain), restrict processing, data portability, object to processing based on legitimate interest, and withdraw consent where consent is the basis.
Submit requests to privacy@clairsec.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (CNIL in France, ICO in the UK, etc.).
10. Cookies
This website uses only technically necessary cookies. No advertising or profiling cookies are set. See our Cookie Policy for the full cookie inventory.
11. Changes to this policy
We may update this policy when our processing activities change. Material changes will be communicated to active clients by email at least 14 days before taking effect. The “last updated” date at the top reflects the current version.