Last updated: 28 April 2026 · Version 1.0

This Privacy Notice explains how Malwise Cyber Ltd (“Malwise”, “we”, “us” or “our”) collects and uses personal data. It applies to personal data we collect through our website (malwise.co.uk, operated by Malwise Cyber Ltd, which also operates malwise.uk), through email and phone, at meetings and events, and during the delivery of our services.

It covers personal data we hold about visitors to our website, people who contact us, our clients and their representatives, our suppliers, job applicants, and our own staff.

Where we deliver services to a client, we may also process personal data on behalf of that client. In that situation we are acting as a processor and the client is the controller. The client’s own privacy notice will explain how that data is used. This Notice describes only the processing for which Malwise is the controller.

1. Who we are

Malwise Cyber Ltd is a UK cyber security consultancy. We deliver Cyber Essentials and Cyber Essentials Plus certification activities, penetration testing, vulnerability assessment, cyber audit, Microsoft 365 security review, ISO 27001 advisory and cyber security consultancy.

We are the data controller for the personal data described in this Notice. Our details are:

Company name
Malwise Cyber Ltd
Registered address
66 Paul Street, London, EC2A 4NA
Companies House number
17184436
ICO registration number
ZC154242
Website
malwise.co.uk
Email
hello@malwise.co.uk
Data protection contact
Michael Raisbeck, Managing Director, privacy@malwise.co.uk

We are not legally required to appoint a Data Protection Officer (DPO). The Managing Director acts as our day-to-day data protection contact and is the point of contact for any data protection enquiries.

2. The personal data we collect

The personal data we collect depends on how you interact with us. The most common situations are described below.

2.1 Visitors to our website

When you visit our website, we automatically collect limited technical data, which may include:

  • your IP address and approximate location;
  • the type of device, operating system and browser you use;
  • the pages you visit, the time of your visit, and how you arrived at the site (referring URL);
  • cookies and similar identifiers (see section 8).

We use this data to operate the website, ensure it is secure, and understand how it is used.

2.2 People who contact us or enquire about our services

If you contact us, whether through the website contact form, by email, by phone, on LinkedIn, or in person at an event, we collect:

  • your name;
  • your email address;
  • your phone number (if you provide it);
  • your employer or organisation;
  • your role or job title;
  • the content of your enquiry and our reply;
  • any further communications between us.

We use this data to respond to your enquiry, to provide a quotation if requested, and to maintain a record of our communications.

2.3 Clients and client representatives

If your organisation engages us, we hold contact data about the people we work with at that organisation, typically:

  • name, role, business email and business phone of named contacts;
  • communications and meeting notes;
  • contracts, statements of work and engagement records;
  • invoices and payment records.

Where Malwise delivers services that involve handling personal data within client systems (such as Cyber Essentials Plus testing, penetration testing or audit work), Malwise acts as a processor on behalf of the client controller. That processing is governed by a separate Data Processing Agreement and is not covered by this Notice.

2.4 Suppliers and contractors

Where we work with suppliers, contractors and associates, we hold contact and commercial data, typically:

  • contact details of named individuals at the supplier;
  • contracts, terms and confidentiality agreements;
  • invoices, payment information and (for sole traders) bank details.

2.5 Job applicants and candidates

If you apply for a role with us, we collect:

  • your name and contact details;
  • your CV, employment history, qualifications and references;
  • notes from interviews or written exercises;
  • any other information you choose to provide;
  • right-to-work documents (only at offer stage).

We use this data to assess your application and manage the recruitment process. If you are unsuccessful, we will normally retain your application for a limited period (see section 7).

2.6 Employees and contractors

If you work for or with us, we hold the personal data necessary for that working relationship. This is set out in detail in the staff privacy notice provided to personnel on engagement.

3. How we use your personal data

We use personal data for the following purposes:

  • to operate our website;
  • to respond to enquiries and provide quotations;
  • to deliver services to our clients;
  • to manage our relationship with our clients, suppliers, contractors and personnel;
  • to manage our finances, including invoicing and tax compliance;
  • to comply with our legal and regulatory obligations (including under tax law, employment law, the UK GDPR and any IASME scheme rules);
  • to send occasional business communications such as newsletters or service updates to existing client contacts and other people who have indicated they want to hear from us;
  • to recruit, where vacancies exist;
  • to keep our information secure and to investigate any security incidents;
  • to defend our legal rights or pursue claims if necessary.

We do not use personal data for automated decision-making, including profiling, in a way that produces legal or significant effects.

4. Our lawful basis for processing

Under the UK GDPR, we must have a lawful basis for processing personal data. Depending on the activity, we rely on:

Lawful basisWhere we use it
ContractTo enter into and perform contracts with clients, suppliers and personnel, including processing personal data necessary to deliver agreed services.
Legal obligationTo meet obligations under tax law (HMRC), the Companies Act, employment law, the UK GDPR (for example data subject rights, breach reporting), and IASME scheme rules where applicable.
Legitimate interestsFor day-to-day business activities such as responding to enquiries, business development with business-to-business contacts (subject to PECR), and information security. We balance our interest against your rights and only rely on this basis where it is appropriate.
ConsentWhere required, for example for non-essential cookies on our website and for some marketing communications. You can withdraw consent at any time.

We document our lawful basis for each activity in our internal Record of Processing Activities, which we make available to the ICO on request.

5. Who we share your personal data with

We do not sell personal data and we do not share it for advertising purposes.

We share personal data only where it is necessary to deliver our services or meet our legal obligations. The recipients are typically:

  • our cloud service providers, such as Microsoft (Microsoft 365) and our accounting platform (Xero), which host data on our behalf;
  • our website host and email service provider;
  • our accountant, where required for finance and statutory purposes;
  • HMRC, Companies House and other regulatory bodies where the law requires us to share data;
  • our insurers and legal advisers, where necessary;
  • the IASME consortium, when delivering certification body activities (only the data needed to manage the assessment);
  • approved associates or contractors who help us deliver services to a client, and who are subject to confidentiality terms;
  • law enforcement or regulators, if we are legally required to do so.

Where we share personal data with a service provider that processes it on our behalf, we put a written contract in place that meets the requirements of the UK GDPR.

6. International data transfers

Most of the personal data we hold is processed within the UK or the European Economic Area (EEA).

Some of our service providers, including Microsoft (Microsoft 365) and certain other cloud services, may transfer or store personal data outside the UK and EEA. Where this happens, we rely on lawful transfer mechanisms recognised under the UK GDPR, including:

  • the UK government’s adequacy decisions, where applicable;
  • the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs);
  • appropriate supplementary measures where required.

If you would like more detail about the transfers we rely on, you can contact us using the details in section 14.

7. How long we keep your personal data

We keep personal data only for as long as needed for the purpose we collected it for, plus any period required by law.

Typical retention periods are:

Type of dataHow long we keep it
Website analytics and log dataUp to 26 months (Google Analytics default) for aggregated analytics; access logs typically 90 days.
Enquiries that don’t lead to engagement12 months from the date of enquiry, then deleted unless you ask to be kept on our records.
Client records and engagement filesDuration of the engagement plus 7 years (in line with commercial and tax limitation periods).
Supplier recordsDuration of the relationship plus 7 years.
Financial and accounting recordsAt least 6 years from the end of the relevant accounting period (HMRC requirement).
Marketing contactsUntil you unsubscribe or 2 years after last engagement, whichever is sooner.
Unsuccessful job applications6 to 12 months from end of recruitment, then deleted (unless you have asked us to keep them on file).
Employee recordsDuration of employment plus 6 years (limitation period for employment claims).
Security incident records6 years (in line with limitation periods).

Where data is no longer needed, we securely delete or anonymise it.

8. Cookies and website technology

Our website uses cookies and similar technology. Cookies are small files stored on your device that help websites operate and remember information about your visit.

Strictly necessary cookies are used to make our website work, for example to remember your cookie preferences. We use these without consent because the website cannot function without them.

Other cookies (such as analytics cookies) are only set if you give consent through our cookie banner. You can withdraw your consent or change your cookie preferences at any time by clicking the cookie settings link on our website.

If you would like more detail on the specific cookies we use, please contact us using the details in section 14.

9. How we keep your personal data secure

As a cyber security business, security is fundamental to how we operate. We apply organisational and technical measures including:

  • multi-factor authentication on all of our cloud services;
  • encryption of devices and data;
  • least-privilege access controls;
  • supported software and prompt installation of security updates;
  • endpoint protection (anti-malware);
  • documented information security, vulnerability management, risk management and business continuity policies;
  • personnel confidentiality undertakings and security training;
  • documented incident response and breach notification arrangements.

Malwise Cyber Ltd is certified to Cyber Essentials and works to the IASME Cyber Assurance standard.

10. Your rights

Under the UK GDPR you have the following rights in relation to your personal data:

RightWhat it means
Right of accessYou can ask for a copy of the personal data we hold about you.
Right to rectificationYou can ask us to correct personal data that is inaccurate or incomplete.
Right to erasureYou can ask us to delete your personal data in certain circumstances.
Right to restrict processingYou can ask us to limit the way we use your data in certain circumstances.
Right to data portabilityWhere the processing is based on consent or contract and is automated, you can ask for your data to be provided in a structured, machine-readable format.
Right to objectYou can object to processing based on legitimate interests, and to direct marketing.
Rights related to automated decisionsYou can ask us not to be subject to a decision based solely on automated processing that produces legal or significant effects (we don’t currently do this).
Right to withdraw consentWhere we rely on consent, you can withdraw it at any time.

Some of these rights are not absolute and there are exceptions. For example, your right to erasure does not override our legal obligation to keep tax records for a minimum period.

11. How to exercise your rights

To exercise any of your rights, please contact us using the details in section 14. There is normally no charge for exercising your rights.

We will respond within one calendar month of receiving your request, although we may extend this by a further two months for complex requests (in which case we will let you know within the first month).

We may need to verify your identity before responding, particularly for an access or erasure request.

12. How to complain

If you have a concern about how we are handling your personal data, please contact us first. We will do our best to put things right.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK data protection regulator:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline
0303 123 1113
Website
ico.org.uk

13. Changes to this notice

We may update this Privacy Notice from time to time. The current version is always available on our website. The ‘Last updated’ date at the top of this Notice tells you when it was most recently revised.

Where changes are significant, we will draw them to the attention of people we are in active contact with, for example by email.

14. Contact us

If you have any questions about this Privacy Notice, your personal data, or how to exercise your rights, please contact us at:

Privacy email
privacy@malwise.co.uk
General email
hello@malwise.co.uk
Postal address
66 Paul Street, London, EC2A 4NA
Data protection contact
Michael Raisbeck, Managing Director

Malwise Cyber Ltd, Privacy Notice, MAL-DP-002, v1.0