Customer Privacy Notice

Last Updated: June, 2026

This privacy notice explains what personal data Cyber Universe Europe Ltd. collects from clients, prospective clients, and members of the public, how it is used, with whom it may be shared, how long it is retained, and what rights individuals have over their data. The organisation is committed to handling personal data with the utmost care, in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. About the Organisation

Cyber Universe Europe Ltd. is a managed security services provider registered in England and Wales (company registration number 16833900). Our registered office is Landmark House, 12 Chorley New Road, Bolton, Greater Manchester, England, BL1 4AP.

Cyber Universe Europe Ltd. is a data controller for the purposes of the Data Protection Act 2018 and the UK GDPR in relation to our clients', employees', and prospective clients' personal data. We are also a data processor when handling personal data on behalf of our clients as part of our managed security services. Our ICO registration details can be found at ico.org.uk. For all data protection enquiries, please contact us at info@cyberuniverse.uk.

2. What Personal Data We Collect

As a data controller, we may collect the following categories of personal data:

  • Personal contact details, including name, job title, organisation name, address, telephone number, and email address.
  • Account and identity information, including login credentials, authentication data, and account preferences.
  • Correspondence records, including emails, meeting notes, and communications relating to our services.
  • Financial and billing information, including invoice and payment records.
  • Website usage data, including IP addresses, browser type, pages visited, and session information.
  • Marketing preferences and engagement data.

As a data processor, we may access personal data held within our clients' systems in the course of delivering managed security services, including SOC monitoring, incident response, penetration testing, and related activities. This processing is governed by the client Data Processing Agreement and is performed solely on the client's instructions.

3. How We Collect Your Data

Most of the personal data we process is provided directly by you. We collect data when you:

  • Enter into a contract with us for the provision of managed security services.
  • Submit an enquiry through our website, by email, telephone, or at an event.
  • Correspond with us by letter, email, or other communication channel.
  • Attend a webinar, conference, or other event hosted or attended by the organisation.
  • Visit our website, where data may be collected automatically through cookies and analytics tools in accordance with your consent preferences.

We may also receive personal data indirectly from third parties, including referral partners, event organisers, and publicly available sources such as LinkedIn and company websites.

4. How We Use Your Data

We use the personal data we hold about you to:

  • Deliver managed security services in accordance with our contractual obligations.
  • Manage our client relationships, including account administration and billing.
  • Respond to enquiries and communications.
  • Comply with our legal and regulatory obligations, including UK GDPR, ISO 27001:2022, and applicable UK legislation.
  • Conduct internal security and quality assurance activities.
  • Send marketing communications about our services, where you have consented or where we have a legitimate interest in doing so.
  • Improve our services and website through analytics and feedback.

If you do not wish your personal data to be used for marketing communications, you may opt out at any time by contacting us at info@cyberuniverse.uk or by using the unsubscribe link in any marketing email.

5. Our Lawful Bases for Processing

We process your personal data under the following lawful bases established by the UK GDPR:

  • Contract: processing necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract.
  • Legal obligation: processing necessary to comply with our legal and regulatory duties, including UK GDPR, employment law, and tax obligations.
  • Legitimate interests: processing necessary for our legitimate interests, including business development, service improvement, and security of our systems, where those interests are not overridden by your rights.
  • Consent: where you have given us specific, informed, and unambiguous consent to process your data for a particular purpose. You may withdraw your consent at any time by contacting info@cyberuniverse.uk.

6. Sharing Your Data

We may share your personal data with the following parties:

  • Vairav Technology Security Pvt. Ltd. (Kathmandu, Nepal): our technical delivery partner who provides managed security functions as a sub-processor. Data transfers to Nepal are governed by a UK International Data Transfer Agreement (IDTA) in accordance with UK GDPR Article 46. A Transfer Risk Assessment has been conducted and is available to clients on request.
  • Microsoft (M365): our cloud infrastructure provider, which hosts all communication, collaboration, and data storage on UK-region servers.
  • Professional advisers: including legal advisers, accountants, and auditors, where strictly necessary.
  • Regulatory authorities: including the Information Commissioner's Office, where we are required to do so by law.

We will not sell, rent, or otherwise disclose your personal data to any third party for their own marketing purposes. We will not share your personal data without a lawful basis and, where required, your consent.

7. How We Store Your Data

Your information is stored securely within Microsoft 365 tenancies hosted on UK-region servers. All data is encrypted at rest (AES-256) and in transit (TLS 1.2 or above) as standard. Access to your personal data is restricted to authorised personnel only, governed by role-based access controls and enforced multi-factor authentication.

Personal data is not stored in Nepal. Nepal-based analysts at Vairav Technology access UK-hosted systems within their authorised scope. All such access is logged and attributable to a named individual.

We retain your personal data for the periods set out in our Information Retention, Protection and Deletion Policy. Once the applicable retention period has passed, personal data is securely deleted using approved deletion methods. A summary of retention periods is available on request.

8. Your Data Protection Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: you can request a copy of the personal data we hold about you. To request a copy, see our Data Subject Access Request procedure.
  • Right to rectification: you can ask us to correct personal data that is inaccurate or incomplete.
  • Right to erasure: you can ask us to delete your personal data in certain circumstances, such as where it is no longer necessary for the purpose for which it was collected.
  • Right to restrict processing: you can ask us to limit how we process your data in certain circumstances.
  • Right to data portability: you can ask us to transfer your personal data to another organisation or to you in a structured, commonly used, machine-readable format, in certain circumstances.
  • Right to object: you can object to our processing of your personal data, including processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.

You are not required to pay a fee to exercise your rights. We will respond to all requests within one calendar month. In complex cases this may be extended by a further two months, with notification to you. Please contact us at info@cyberuniverse.uk or in writing to our registered address.

9. Children's Personal Data

Cyber Universe Europe Ltd. does not provide services directly to individuals under the age of 18, and our services are not directed at children. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data relating to a child, we will take steps to delete it promptly.

Where a child's personal data is encountered incidentally in the course of providing managed security services to a client (for example, within client system logs or telemetry), such data is handled in accordance with the data minimisation principles described in this notice and the applicable client Data Processing Agreement. We do not use such data for any purpose beyond the delivery of the authorised security service.

10. Photography and Events

At events hosted or attended by Cyber Universe Europe Ltd., photographs or recordings may be taken. Where the organisation hosts an event and intends to use photographs for promotional purposes, attendees will be notified in advance. Any individual who does not wish to appear in photographs should make themselves known to the event organiser. Photographs and recordings may be posted on our website or professional social media channels, including LinkedIn.

11. How to Contact Us or Raise a Complaint

If you have any queries about this notice, wish to submit a Data Subject Access Request, or wish to raise a concern about how your personal data has been handled, please contact:

  • By email: info@cyberuniverse.uk
  • By post: Chief Operating Officer / Data Protection Officer, Cyber Universe Europe Ltd., Landmark House, 12 Chorley New Road, Bolton, Greater Manchester, England, BL1 4AP

Should you be dissatisfied with our response or with how we have handled your personal data, you have the right to make a complaint to the Information Commissioner's Office (ICO):

ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 | Website: ico.org.uk