CyberWare Ltd Privacy Policy

Last Updated:  112/06/2025

1. Introduction

At CyberWare Ltd, we believe that privacy is a fundamental right. As a Managed Service Provider (MSP) specializing in end-user device management, secure network access, and cloud services, we collect only the minimum data necessary to provide our services while ensuring compliance with legal and regulatory obligations.

We operate under a Privacy by Design framework, meaning that privacy, security, and compliance are embedded into our managed services from the ground up. We proactively implement safeguards to ensure that user data is protected at every stage—collection, processing, and storage.

We never sell user data, and we work to minimize the amount of data we collect, store, and process. We are committed to full compliance with:

• UK GDPR & Data Protection Act 2018
• Computer Misuse Act 1990
• Network & Information Systems (NIS) Regulations 2018
• Privacy & Electronic Communications Regulations (PECR)
• ISO 27001 (Information Security), ISO 22301 (Business Continuity), and ISO 9001 (Quality Management)
• Cyber Essentials & Cyber Essentials Plus
• ISO 42001 (AI Governance & Security) – In Progress

2. What Data We Collect and Why

We collect data only when necessary to:

• Provide secure IT and managed network services.
• Ensure network integrity & regulatory compliance.
• Improve user experience & security monitoring.
• Enhance Help Desk functions using AI to provide more timely and targeted support to users.

Business & Subscriber Data

• Identity Information – Name, company, email, job role.
• Account & Authentication Data – Subscription status, login credentials (secured & encrypted).
• Service & Usage Logs – For troubleshooting, security monitoring, and compliance.

Device & Network Data

To protect the network and ensure compliance, we may collect:

• Device Identifiers – MAC addresses, IP addresses, OS details.
• Security Status – Device encryption status, compliance with corporate security policies.
• Network Traffic Metadata – To detect unauthorized access & cyber threats, but we do not inspect content or personal communications.

Compliance & Security Monitoring

To ensure compliance with UK law, we may collect:

• Audit Logs & Incident Reports – Capturing security events, unauthorized access attempts.
• Access Control Data – Verifying authentication & preventing misuse.

3. Data Security & Protection

We implement multi-layered security controls to ensure user data is secure and private:

• End-to-End Encryption – Data is encrypted at rest & in transit using AES-256 and TLS 1.3.
• Zero Trust Security Model – All network access is verified based on device security posture & risk scoring.
• No User Profiling for Marketing – We do not track users across applications or sell personal data to advertisers.
• ISO 27001-Certified Security Framework – Ensuring full compliance with UK & international standards.
• Routine Network Testing – Regular security audits through Cyber Essentials & penetration testing.

4. Data Sharing & Third-Party Access

We do not sell your data. We only share data with:

• Trusted service providers under strict security contracts (e.g., cloud hosting partners).
• Regulatory authorities when legally required, but we challenge requests that do not meet due process.
• Security researchers and auditors who help us improve our security systems, ensuring full compliance with ISO 27001.

5. AI & Privacy – Our Commitment to ISO 42001

As an early adopter of AI-powered IT security & management, we ensure that AI is secure, ethical, and transparent:

• AI models trained with privacy in mind – We do not use customer data for AI training without explicit consent.
• AI-powered security monitoring – Detecting cyber threats in real-time while ensuring zero personal data exposure.
• AI-enhanced Help Desk support – Providing faster, more targeted IT assistance while maintaining strict privacy safeguards.
• Bias-Free & Ethical AI Use – Ensuring fair, transparent, and accountable AI decision-making.

6. Your Privacy Rights & Controls

Under UK GDPR & Data Protection Act 2018, you have the right to:

• Access & review your data.
• Request corrections to inaccurate information.
• Delete your data (where applicable).
• Withdraw consent for analytics & AI use.
• Restrict data processing & request portability.

To make a request, contact privacy@cyberware.co.uk. We will respond within 30 days in accordance with UK GDPR.

7. Data Retention & Storage

We retain data based on legal, operational, and security requirements:

• Subscriber Data – Retained for 2 years after subscription ends, then automatically deleted via Spotipo tools.
• Service & Usage Logs – Retained for 12 months, unless legally required to store them longer.
• Support Records (Help Desk Tickets, DeskPro Data) – Retained for 3 years, then archived or securely deleted.
• Authentication & Access Logs – Stored for 6–12 months for security monitoring & compliance.
• Incident Reports & Security Logs – Retained for at least 3 years.
• Customer Billing Data (QuickBooks Records) – Retained for 7 years in accordance with tax regulations, then automatically archived.
• Payroll Records – Retained for 7 years, then securely deleted.
• Signed Contracts (PandaDocuments) – Retained for 6 years, flagged for deletion when the retention period ends.
• Marketing & Ticketing Data (HubSpot Records) – Retained for 3 years, then archived or deleted.
• Internal Communications (Google Mail Records) – Retained for 5 years, then automatically deleted per Google Workspace policies.
• Device MAC Address Logs (WiFi Access Systems) – Retained for 1 year, then deleted as part of monthly log maintenance.
• Source Code & Notes (GitHub Repositories) – Active projects are retained indefinitely, but archived 2 years after project completion.

We ensure that expired data is securely deleted in line with ISO 27001 and Cyber Essentials standards.

Final Thoughts – Your Privacy, Our Priority

At CyberWare Ltd, we believe that privacy and security go hand in hand. We continuously enhance our security measures to ensure your data is protected, compliant, and responsibly managed.