Privacy Policy
Last updated: 8 May 2026
WHO WE ARE
Pentiq Limited (“Pentiq”, “we”, “us” or “our”) is a UK-based cyber security provider specialising in penetration testing, cyber security assurance and related consultancy services.
Pentiq Limited is a company incorporated and registered in England and Wales with company number 10106200. Our registered office is Admirals Offices Main Gate Road, The Historic Dockyard, Chatham, England, ME4 4TZ.
For questions about this Privacy Policy or how we handle personal data, please contact us at:
Email: legals@pentiq.com
Postal address: 3-7 Temple Avenue, London, EC4Y 0DA
We may update this Privacy Policy from time to time. The latest version will be made available on our website.
ABOUT THIS PRIVACY Policy
This Privacy Policy explains how we collect, use, store and share personal data when we act as a controller of that personal data.
It applies to personal data relating to:
- visitors to our website;
- individuals who contact us or submit enquiries;
- customer, prospective customer and partner contacts;
- users of our portals, platforms, applications and online services;
- individuals involved in cyber security engagements, including customer personnel and authorised representatives;
- supplier and subcontractor contacts;
- event attendees;
- marketing contacts;
- job applicants and recruitment candidates; and
- other individuals who interact with us in the course of our business.
This Privacy Policy does not replace any contract we have with a customer or partner.
WHEN WE ACT AS CONTROLLER AND WHEN WE ACT AS PROCESSOR
In some circumstances, Pentiq decides how and why personal data is used. In those circumstances, we act as a b and this Privacy Policy applies.
In other circumstances, we process personal data on behalf of a customer as part of providing penetration testing, cyber security assurance, platform, reporting or related services. In those circumstances, we usually act as a processor, and our customer acts as the controller. That processing is governed by our agreement with the customer, including our Data Processing Agreement where applicable.
Where we act as a processor, individuals should usually contact the relevant customer/controller if they have questions about how their personal data is used.
PERSONAL DATA WE COLLECT
The personal data we collect depends on your relationship with us and how you interact with us.
We may collect and use the following categories of personal data:
Contact and identity information
This may include your name, business email address, telephone number, employer, job title, role, department, address and other business contact details.
Account and access information
This may include usernames, user IDs, authentication details, portal account information, permissions, access logs and records of your use of our systems, platforms or services.
Customer and project information
This may include information contained in contracts, order forms, authorisation to test forms, project communications, support tickets, meeting notes, delivery records, reports, service records and billing information.
Technical and usage information
This may include IP addresses, device identifiers, browser type, operating system, log data, diagnostic data, analytics data, cookie identifiers, website usage information and information about how you interact with our website, portals, platforms and services.
Cyber security engagement information
Where relevant, this may include information contained in or generated from cyber security engagements, such as screenshots, logs, evidence extracts, test results, vulnerability findings, user/account identifiers and report content. Where this information is processed on behalf of a customer, it will usually be governed by our customer agreement and Data Processing Agreement.
Marketing and communications information
This may include marketing preferences, event registrations, webinar attendance, form submissions, enquiry details, email engagement information and records of communications with us.
Supplier and partner information
This may include contact details, business information, onboarding information, compliance information, due diligence information, payment details and records of our relationship with suppliers, subcontractors, partners and advisers.
Recruitment information
If you apply for a role with us, we may collect information such as your CV, employment history, qualifications, references, interview notes, right to work information and other information you provide as part of the recruitment process.
Special category and criminal offence data
We do not usually seek to collect special category personal data or criminal offence data through our website or ordinary business activities. However, such data may be incidentally included in information provided to us, or accessed during cyber security engagements where it is present in customer systems. Where this occurs, we will handle it in accordance with applicable law and the relevant agreement.
HOW WE COLLECT PERSONAL DATA
We may collect personal data from:
- you directly, for example when you contact us, complete a form, use our website, register for an event, access our portal or communicate with us;
- our customers, partners, suppliers and subcontractors;
- customer systems and environments where this is necessary to provide services;
- authorised representatives, End Users or other contacts involved in an engagement;
- public sources, such as company websites, professional networking platforms and public registers;
- event organisers, referral partners and business partners;
- third-party data providers, where permitted by law;
- our website, portals, platforms, systems and security tools; and
- recruitment agencies or professional referees, where relevant.
HOW AND WHY WE USE PERSONAL DATA
We use personal data for the purposes set out below.
Purpose | Examples of personal data used | Lawful basis |
Responding to enquiries | Contact details, enquiry content, communications | Legitimate interests |
Providing services to customers | Business contact details, project communications, account information, support information | Contract, legitimate interests |
Managing penetration testing and cyber security engagements | Authorised representative details, project records, access information, test evidence, report content | Contract, legitimate interests, legal obligation where applicable |
Managing customer accounts and relationships | Contact details, contract records, account management notes, communications | Contract, legitimate interests |
Operating portals, platforms and online services | Account details, access logs, usage data, security logs | Contract, legitimate interests |
Providing support | Contact details, support tickets, technical information, diagnostic data | Contract, legitimate interests |
Billing, finance and administration | Contact details, invoice details, payment records, account information | Contract, legal obligation, legitimate interests |
Website operation and security | IP addresses, logs, device information, cookie data, security events | Legitimate interests, consent where required for cookies |
Analytics and website improvement | Cookie identifiers, usage data, analytics information | Consent where required |
Marketing to business contacts | Business contact details, marketing preferences, engagement information | Legitimate interests or consent where required |
Events and webinars | Registration details, attendance records, communications | Contract, legitimate interests, consent where required |
Supplier and subcontractor management | Contact details, due diligence records, payment details, communications | Contract, legal obligation, legitimate interests |
Recruitment | CVs, application details, interview notes, right to work information | Steps before entering into a contract, legal obligation, legitimate interests |
Compliance and legal purposes | Records relevant to legal, regulatory, tax, accounting, security or dispute matters | Legal obligation, legitimate interests |
Protecting our business, systems and users | Security logs, access records, investigation records, communications | Legitimate interests, legal obligation |
Where we rely on legitimate interests, those interests may include running and improving our business, providing secure and effective services, managing customer and supplier relationships, preventing misuse, protecting our systems, enforcing our rights, and promoting our services to relevant business contacts.
Where we rely on consent, you may withdraw that consent at any time. This will not affect processing carried out before consent was withdrawn.
MARKETING COMMUNICATIONS
We may use business contact details to send marketing communications about our services, events, updates and content that may be relevant to your role or organisation.
We will only send electronic marketing where permitted by applicable law. In some cases, we may rely on consent. In other cases, particularly for business-to-business communications, we may rely on our legitimate interests, subject to your right to opt out.
You can opt out of marketing communications at any time by:
- using the unsubscribe link in our emails; or
- contacting us at marketing@pentiq.com.
We will not sell your personal data to third parties for their own marketing purposes.
COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies on our website and online services.
Some cookies are necessary for our website and services to work. Others, such as analytics or marketing cookies, will only be used where required with your consent.
Further information about the cookies we use, why we use them and how you can manage your preferences is available in our Cookie Policy and cookie settings tool.
WHO WE SHARE PERSONAL DATA WITH
We may share personal data with:
- companies and service providers who support our business operations;
- hosting, cloud, platform and software providers;
- CRM, finance, project management and customer support providers;
- communications, email, collaboration and productivity providers;
- cyber security tooling, testing platforms and engagement platforms;
- analytics and website service providers;
- payment, accounting, tax, audit and professional advisers;
- subcontractors and specialist partners involved in delivering services;
- event organisers and business partners, where relevant;
- insurers and legal advisers;
- regulators, public authorities, courts, law enforcement agencies or other third parties where required by law or necessary to protect our rights, users, customers, systems or business; and
- prospective buyers, investors or advisers in connection with any corporate transaction, restructuring, investment, sale or transfer of business assets.
Where we use third parties to process personal data on our behalf, we require appropriate contractual protections.
Where we use sub-processors to provide services to customers, details are available in our Sub-processor List and/or the applicable Data Processing Agreement.
INTERNATIONAL TRANSFERS
We are based in the United Kingdom, but some of our service providers and partners may process personal data in other countries.
Where personal data is transferred outside the UK or EEA and the recipient country is not considered to provide an adequate level of protection, we will use appropriate safeguards where required. These may include:
- adequacy decisions;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses;
- EU Standard Contractual Clauses; or
- another lawful transfer mechanism.
Where appropriate, we may also assess whether supplementary measures are required to protect the personal data.
HOW LONG WE KEEP PERSONAL DATA
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to meet legal, regulatory, accounting, reporting, contractual, operational and security requirements.
Category | Typical retention approach |
Customer and contract records | Kept for the term of the relationship and for a reasonable period afterwards to manage legal, tax, accounting and dispute requirements |
Project and service records | Kept for the duration of the engagement and any agreed retention period, then deleted or archived in accordance with the relevant agreement |
Customer Personal Data processed as processor | Handled in accordance with the relevant customer agreement and Data Processing Agreement |
Website enquiry records | Kept for as long as needed to respond to the enquiry and manage any resulting relationship |
Marketing records | Kept while we have a business relationship or marketing reason to contact you, unless you opt out earlier |
Marketing suppression records | Kept as necessary to ensure we respect opt-out requests |
Support tickets | Kept for as long as necessary to provide support, maintain service records and deal with follow-up queries or disputes |
Security logs | Kept for a period appropriate to security, audit and investigation purposes |
Supplier records | Kept for the supplier relationship and for a reasonable period afterwards for legal, accounting and audit purposes |
Recruitment records | Kept for the recruitment process and for a reasonable period afterwards, unless a longer period is agreed or required |
Retention periods vary depending on the nature of the information and our relationship with you. In general:
We may retain personal data for longer where necessary to establish, exercise or defend legal claims, comply with legal obligations, resolve disputes, investigate security incidents or enforce our agreements.
SECURITY
We take reasonable and appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
These measures may include access controls, authentication, logging, monitoring, encryption where appropriate, staff responsibilities, supplier due diligence and contractual protections.
No system or method of transmission is completely secure. You are responsible for using strong credentials, keeping account information confidential and notifying us promptly if you suspect unauthorised access or misuse.
YOUR RIGHTS
Depending on the circumstances and applicable law, you may have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete personal data;
- request deletion of your personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- object to direct marketing;
- request data portability;
- withdraw consent where processing is based on consent; and
- complain to a supervisory authority.
These rights are subject to conditions and exemptions under applicable law. We may need to verify your identity before responding to a request.
To exercise your rights, please contact us at legals@pentiq.com.
If your request relates to personal data we process on behalf of one of our customers, we may need to refer your request to that customer.
CHILDREN’S PERSONAL DATA
Our services are intended for business customers and are not directed at children. We do not knowingly collect personal data from children through our website for marketing or sales purposes.
In limited circumstances, personal data relating to children may be incidentally accessed or processed during a customer engagement if it is present in customer systems. Where this happens, it will usually be governed by our customer agreement and Data Processing Agreement.
AUTOMATED DECISION-MAKING
We do not use personal data to make solely automated decisions that produce legal or similarly significant effects on individuals.
LINKS TO THIRD-PARTY WEBSITES
Our website, portals or communications may contain links to third-party websites, platforms or services. We are not responsible for the privacy practices of those third parties. You should read their privacy notices before providing personal data to them.
HOW TO COMPLAIN
If you have concerns about how we handle your personal data, please contact us first at legals@pentiq.com so we can try to resolve the issue.
You also have the right to complain to the UK Information Commissioner’s Office, the UK supervisory authority for data protection.
Website: www.ico.org.uk
Telephone: 0303 123 1113
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our business, services, legal obligations or how we process personal data.
The latest version will be published on our website and will show the date it was last updated.
Last Updated
8 May 2026