Legal

Privacy policy

Last updated May 28, 2026 · Effective May 28, 2026

1. Overview & scope

This Privacy Policy explains how Seckify (“Seckify”, “we”, “us”, “our”) collects, uses, discloses, retains, and protects personal data in two distinct contexts:

  • The marketing website at seckify.com and its sub-paths (the “Site”).
  • The Seckify platform — self-hosted software that you deploy and operate on your own infrastructure (the “Platform”).

The two contexts are intentionally separated. Operational data that you record inside the Platform — risk registers, control evidence, policy drafts, vendor questionnaires, incident timelines — never reaches Seckify. Only the limited information described in Section 3 flows to us, and only when you choose to contact us through the Site.

2. Data controller & contact

For personal data collected through the Site, Seckify is the data controller. For operational data inside a Platform deployment, the organisation that operates the deployment is the controller and Seckify has no role.

Privacy enquiries, access requests, and complaints can be sent to privacy@seckify.com. We aim to acknowledge within 5 business days and respond substantively within 30 days.

3. What we collect on the Site

We collect the minimum information needed to run a marketing website and reply to people who reach out to us.

  • Contact & demo forms. Name, work email, optional company, and the message body that you submit on /contact or /demo. For demo bookings we also keep the date and time slot you picked.
  • Server logs. IP address, user-agent string, requested URL, HTTP status code, referrer, and timestamp — written by the reverse proxy.
  • Strictly necessary cookies. A session cookie used by the authentication layer when a signed-in maintainer accesses the admin area. The Site does not set marketing, advertising, or cross-site tracking cookies.
  • No third-party analytics. No Google Analytics, Meta pixel, LinkedIn Insight tag, Hotjar, FullStory, Mixpanel, or comparable session-replay or behavioural-analytics tools are loaded on the Site.

4. What we never collect

Anything you enter inside the Platform. Risk records, control evidence, policy text, vendor assessments, incident timelines, uploaded files, board-report drafts, and user accounts you create inside your deployment all stay on the server you operate. The Platform has no telemetry, no phone-home, no automatic update check, no crash-reporting endpoint pointed at Seckify, and no licence-validation call-out. You can confirm this by inspecting the source code or network egress from your deployment.

5. How we use your data

Personal data collected through the Site is used only for the purposes described below:

  • Replying to the specific enquiry, demo request, or message that you submitted.
  • Scheduling, confirming, and conducting demo sessions if you requested one.
  • Operating the Site (serving pages, blocking abuse, debugging production issues using short-lived logs).
  • Complying with legal obligations and, where relevant, defending legal claims.

We do not use your personal data for automated decision-making, profiling with legal or similarly significant effects, training machine-learning models, or sale to third parties.

6. Lawful bases (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following lawful bases:

  • Article 6(1)(b) — contract / pre-contractual steps. When you submit a demo or contact form, processing your name, email, and message is necessary to respond to your request.
  • Article 6(1)(f) — legitimate interests. Keeping short-lived server logs to operate the Site, prevent abuse, and investigate incidents. We have weighed this interest against your rights and consider it proportionate given the limited retention and absence of behavioural profiling.
  • Article 6(1)(c) — legal obligation. Where we must process data to comply with a legal duty (for example, responding to a lawful authority request).

7. Retention

  • Contact & demo submissions. Up to 24 months from the date of last contact, then deleted or anonymised, unless an ongoing conversation, contract, or legal obligation requires us to keep them longer.
  • Server logs. Up to 30 days, then deleted by the log-rotation policy.
  • Email delivery records. Our transactional email provider retains delivery metadata (send status, bounce, complaint) per its own policy; see the subprocessor list in Section 9.

8. Sharing & disclosure

We do not sell or rent personal data. We share it only with:

  • The subprocessors listed in Section 9, strictly to deliver the Site and respond to your enquiries.
  • Professional advisors (lawyers, accountants, auditors) under duties of confidentiality.
  • Public authorities where required by applicable law, court order, or to defend our legal rights.
  • An acquirer or successor in the event of a merger, acquisition, or asset sale — bound by terms at least as protective as this Policy.

9. Subprocessors

We keep the subprocessor list deliberately short. Current providers:

  • Hosting / infrastructure. The virtual server that runs seckify.com (EU region) and its reverse proxy.
  • Transactional email — Maileroo. Delivers automated email confirmations and forwards form submissions to our inbox.

Material changes to the subprocessor list are reflected in this Policy via the “last updated” date.

10. International transfers

Where a subprocessor processes personal data outside the European Economic Area or the United Kingdom, the transfer is covered by an adequacy decision, the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or another lawful transfer mechanism. We can provide a copy of the relevant safeguards on request.

11. Security

We use commercially reasonable technical and organisational measures to protect personal data, including TLS-only transport, hardened server configuration, principle-of-least-privilege access, encrypted backups, multi-factor authentication on all administrative accounts, and prompt patching of the underlying operating system and application dependencies. No system can be guaranteed 100% secure, and we cannot promise absolute security.

12. Your rights

Subject to applicable law, you have the right to:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure — deletion of data we hold about you (subject to legal retention requirements).
  • Restriction — limit how we use your data while a request is being resolved.
  • Portability — a machine-readable export of data you provided to us.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing relies on consent, you can withdraw it at any time.

Submit requests to privacy@seckify.com. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with a supervisory authority — in the EU, your national data protection authority; in the UK, the Information Commissioner’s Office at ico.org.uk.

13. Children

The Site and the Platform are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Cookies in detail

The Site uses only strictly necessary cookies for session management on the authenticated admin area. No consent banner is shown because no optional, analytics, or marketing cookies are set. If we ever introduce optional cookies, we will implement a granular consent banner first.

15. Do Not Track & Global Privacy Control

Because the Site does not perform cross-site tracking, DNT and GPC signals do not change our behaviour. We honour applicable opt-out signals where they apply to processing we actually perform.

16. Changes to this Policy

We update the “last updated” date at the top of this page whenever the Policy changes. For material changes that affect data we already hold, we will give reasonable advance notice — by email to known contacts and/or a prominent notice on the Site — before the change takes effect.