Cyber Rebels Ltd Privacy & Cookie Policy
Effective Date: 31 January 2025
Last Updated: 21 November 2025
This Privacy & Cookie Policy explains how Cyber Rebels Ltd (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit our website https://cyberrebels.co.uk or interact with us. We are committed to safeguarding your information and being transparent about how we use it.
This Policy should be read alongside our Terms and Conditions. By using our website, you agree to this Privacy & Cookie Policy.
1. Who We Are
Cyber Rebels Ltd is a company registered in England and Wales (Company No. 16228861) with its registered office at 56 High Street, Tamworth, Staffordshire, B77 1LP.
We are registered with the Information Commissioner’s Office (ICO) as a Data Controller under registration number ZB892477. You can contact us about privacy matters at [email protected].
Cyber Rebels Ltd does not currently have a statutory Data Protection Officer. However, a designated member of our team is responsible for overseeing data protection matters and can be contacted via the same email address.
2. What Data We Collect
We may collect and process the following information about you:
- Name and contact details (such as email address and telephone number)
- Enquiry details and communication history
- IP address, browser type and version, operating system, and access times
- Information about how you use our website (pages visited, links clicked, referring websites)
- Marketing preferences and communication consents
- Payment processors and merchant service providers who handle transactions on our behalf (e.g., Stripe, PayPal)
We may also receive personal data about you from trusted third parties, such as event partners, referral programmes, or publicly available business directories. Any data received from these sources will be used fairly, lawfully, and transparently.
We may also collect information from publicly available sources such as Companies House, LinkedIn, professional directories, social media platforms, or official business websites. We use this data to verify business details, assess cybersecurity training needs, or contact organisations that may benefit from our services. We only collect data that is relevant to our business-to-business purposes and always use it under a lawful basis of legitimate interests.
3. How We Collect Your Data
We collect data in the following ways:
- Directly from you – when you contact us via our website, email, phone, social media, or by completing a form.
- Automatically – when you browse our website, we collect technical information through cookies and analytics tools.
4. How We Use Your Data and Our Lawful Bases
We process your personal data only when we have a clear and lawful reason to do so. Each purpose for processing is linked to one or more lawful bases defined under the UK GDPR and the Data Use and Access Act (DUAA):
- Performance of a Contract – to deliver our services or respond to your enquiries.
- Legal Obligation – to comply with laws such as tax or business record requirements.
- Legitimate Interests – when it is necessary for our legitimate business interests, provided your rights and freedoms do not override those interests. This includes activities such as:
- improving our website, products, and services;
- maintaining business operations and communications;
- ensuring cybersecurity and preventing fraud; and
- sending direct B2B marketing to existing or prospective business contacts who have shown interest in our services.
We have carried out a Legitimate Interest Assessment (LIA) to ensure the processing is necessary, proportionate, and aligned with your reasonable expectations. We only process the minimum data required, protect all information with strong security controls, and you may opt out of marketing at any time.
Legitimate Interests Assessment (LIA) Summary
Purpose: We rely on Legitimate Interests to deliver and improve our cybersecurity training services, manage enquiries and bookings, ensure the security of our systems, and send relevant B2B marketing to individuals or organisations who have shown an interest in Cyber Rebels.
Necessity: The processing is essential to operate effectively, fulfil requests, deliver services securely, and provide follow-up communications that users reasonably expect. We only collect and use the minimum personal data required for these purposes.
Balancing Test: We assess all Legitimate Interests processing to ensure it does not override your rights or freedoms. We do not process sensitive data under this basis and never use Legitimate Interests for intrusive or unexpected activities. You may opt out of marketing at any time, and all data is protected through appropriate technical and organisational security measures.
Conclusion: Our LIA confirms that this processing is lawful, proportionate, and aligned with your reasonable expectations. This helps us maintain secure, effective service delivery while protecting your privacy.
- Consent – for marketing communications or event updates. You can withdraw consent at any time by contacting us at [email protected].
A Data Protection Impact Assessment (DPIA) has been completed for all Youth Cyber Safety Sessions; a summary is available upon request.
5. Who We Share Your Data With
We only share data when necessary and always with appropriate safeguards. We may share your data with:
- Our employees and professional advisers for legitimate business purposes
- Service providers such as website hosting, analytics, or email marketing platforms (e.g., Zoho, Microsoft Clarity, Google Analytics)
- Regulatory or legal authorities if required by law
We do not sell or rent your data to third parties.
We also use Zoho Mail as our secure business email provider for communication with clients and partners. Emails and attachments are transmitted using encrypted protocols (TLS) and stored on Zoho’s secure servers within the UK or EEA where possible. Access to Zoho Mail accounts is protected by multi-factor authentication and role-based permissions.
5A. E-Commerce and Payments
When you make a purchase through our website, we collect and process the information required to complete your order. This may include your name, billing address, delivery address (if applicable), contact details, payment information, and purchase history.
Payment processing on our website is handled securely by our trusted third-party providers, such as Stripe, PayPal, or other merchant service partners. We do not store or have access to your full card details; all payment data is encrypted and processed directly by these providers in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
We also use QuickBooks for bookkeeping and financial record-keeping. This may include processing client invoices, payments, and associated business contact details for accounting purposes. QuickBooks acts as our data processor and stores information on secure, encrypted servers within the UK or European Economic Area (EEA) where possible. Data is retained only for as long as legally required under HMRC and accounting regulations. For more information, see QuickBooks’ Privacy Policy.
We use order information to process your transactions, manage your purchases, provide customer support, and maintain accurate accounting and tax records. The lawful bases for processing this information are the performance of a contract and legal obligations (for record-keeping and financial compliance).
If you create an account in our online store, we will also store your login credentials and purchase history so you can view or manage your bookings. You can request deletion of your account or purchase history at any time by contacting us at [email protected].
For subscription-based services or recurring payments, we retain only the information necessary to manage your subscription, including payment status, renewal dates, and communication preferences. Recurring transactions are processed securely through our payment provider (such as Stripe) using tokenised details — we do not store or have access to your full payment information. You may cancel your subscription or update your billing preferences at any time through your account or by contacting us at [email protected].
5B. Live Events and Training Sessions
When you register for or attend a Cyber Rebels live event, webinar, or training session (online or in person), we collect the information needed to manage your participation. This may include your name, contact details, job title, organisation, and event preferences.
We use this data to process bookings, deliver event communications, provide session materials, issue CPD certificates, and send follow-up resources or feedback requests. The lawful bases for processing this data are performance of a contract (to deliver the event you registered for) and legitimate interests (to improve our training services and maintain professional relationships).
Some live events may be recorded for training, compliance, or promotional purposes. We will always make this clear in advance and obtain your consent before recording any identifiable personal information, such as video, audio, or chat participation.
Eventbrite
For some online or in-person events, we use Eventbrite to manage registrations, ticketing, and attendee communication. When you register via Eventbrite, the information you provide (such as name, contact details, organisation, and payment details if applicable) is processed securely by Eventbrite in accordance with their own privacy policy. We only access the information necessary to manage your attendance, issue event updates, and meet our contractual obligations.
Eventbrite acts as our data processor for these activities. All personal data is stored and transmitted securely, and you can review Eventbrite’s Privacy Policy for details on how they handle attendee information.
We may also use event attendance data in anonymised form to analyse engagement, improve future sessions, and ensure compliance with CPD and professional accreditation requirements.
5C. Affiliate and Referral Programmes
Cyber Rebels operates affiliate and referral schemes designed to reward individuals or organisations who introduce new clients to our services. Participation in these programmes is entirely voluntary and governed by separate affiliate terms and conditions.
When you join our affiliate or referral programme, we collect and process information such as your name, contact details, payment details (for commission purposes), and referral tracking data. This information is used to administer the programme, track referrals, process commission payments, and maintain accurate records for financial and legal purposes.
If you refer another person or organisation to Cyber Rebels, we will only use their data to contact them about our services in line with our legitimate interests and the requirements of the Privacy and Electronic Communications Regulations (PECR). We will never share your details with the referred party without your consent.
Affiliate tracking is managed securely through cookies or unique referral links. These tracking identifiers do not contain personal data but allow us to verify which affiliate generated a referral. You can learn more about how cookies are used in our Cookies section (Section 11).
All affiliate and referral data is processed in accordance with this Privacy & Cookie Policy and applicable data protection laws.
6. Data Transfers Outside the UK
We primarily store and process personal data within the UK. If we use third-party tools that transfer data outside the UK (for example, Microsoft Clarity), we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.
7. Keeping Your Data Secure
We use technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include:
- Secure servers and encrypted data storage
- Access restricted to authorised personnel only
- Strong password and authentication controls
In limited cases, authorised Cyber Rebels personnel may securely store business data on encrypted company laptops or external drives to support service delivery, travel, or remote work. All such devices are protected with full-disk encryption, multi-factor authentication, and automatic lockout features. Access to personal data is restricted to trained staff who require it for legitimate business purposes, and no unencrypted copies are retained locally.
If you suspect misuse, loss, or unauthorised access to your data, please contact us immediately at [email protected].
We only collect and retain personal data that is adequate, relevant, and limited to what is necessary for the purposes described. We also take reasonable steps to keep your information accurate and up to date.
7.1 Limitations of Data Security
While we take appropriate technical and organisational measures to protect personal data, no method of transmission over the internet or electronic storage can be guaranteed to be completely secure.
We are committed to maintaining a high standard of data protection and continuously improving our security practices. However, we cannot guarantee absolute security of information transmitted to or from our systems.
8. Data Retention
We only keep your data for as long as necessary for the purposes for which it was collected, or to comply with legal, accounting, or reporting obligations. Typical retention periods include:
- Enquiry data: up to 24 months
- Client data: duration of the contract plus 6 years
- Marketing data: until you withdraw consent or unsubscribe
9. Your Rights
You are in control of your data. Under UK data protection law and the DUAA, you have the right to:
- Request access to the data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of your data (“the right to be forgotten”)
- Restrict or object to how we use your data
- Request data portability (transfer to another service)
- Withdraw consent where processing is based on consent
You also have the right to request clear, structured information about what data we hold, where it came from, and who we share it with, in line with the DUAA.
To make a data access or portability request, please email [email protected] with “Data Access Request” in the subject line. We will acknowledge receipt and respond within one month.
If you are unhappy with how we handle your data, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.
10. Automated Decision-Making and Profiling
We do not use personal data for automated decision-making or profiling that produces legal or significant effects on individuals. If this ever changes, we will update this Privacy Policy and notify affected users in advance.
11. Cookies
We use cookies and similar technologies to keep our website running smoothly, improve your browsing experience, and understand how people use Cyber Rebels. When you first visit our site, you will be asked to accept or reject optional cookies. You can change your preferences at any time using the cookie banner or by adjusting your browser settings.
Cookie Categories
| Type | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Essential for site functionality and security. | reCAPTCHA, wpEmojiSettingsSupports |
| Performance & Analytics | Helps us understand how visitors use our site and improve user experience. | Google Analytics (_ga, _ga_*), Microsoft Clarity (_clck, _clsk) |
| Functionality | Remembers user preferences and improves site features. | Zoho cookies (zuid, zsr, zsc) |
| Targeting / Advertising | Delivers relevant ads based on browsing behaviour. | Facebook (_fbp), Bing (MUID, ANONCHK) |
Non-essential cookies (Analytics, Marketing, Functionality) are blocked by default and will only run if you consent through our cookie banner.
For more information about cookies and how to manage them, visit aboutcookies.org.
11A. Use of Analytics, Marketing, and CRM Tools
We use a small number of trusted third-party platforms to help us understand how visitors use our website, improve performance, and manage client relationships. These services may collect limited technical or behavioural information such as IP address, device type, and interaction data. All data collected through these tools is processed securely and in accordance with the UK GDPR and the Data Use and Access Act (DUAA).
Google Tag Manager And Google Consent Mode
We use Google Tag Manager (GTM) to manage analytics and marketing tags on our site. GTM itself does not collect personal data, but may load other tools such as Google Analytics.
We have enabled Google Consent Mode v2, which means:
Analytics and marketing tags only fire if you give consent
If you refuse cookies, Google receives only anonymous, cookieless “consent pings”
No personal data is stored or used when you decline optional cookies
Any data collected through these tags is processed under Google’s Privacy Policy.
Meta (Facebook) Pixel
We use Meta (Facebook) Pixel to measure the effectiveness of our advertising and to deliver relevant content on Meta platforms such as Facebook and Instagram. Meta may collect or receive information from our website and use it to provide measurement and targeted advertising services, in line with Meta’s Privacy Policy.
You can manage your Meta advertising preferences through your Facebook account settings.
Microsoft Clarity
We use Microsoft Clarity to understand how visitors interact with our website and to improve usability, performance, and content experience. Clarity may record anonymised session data such as mouse movements, scrolling, page navigation, and general interaction patterns.
Clarity supports Consent Mode v2, which means it only sets cookies or runs full analytics features if you have given consent for analytics cookies through our cookie banner. If you decline, Clarity operates in a privacy-enhanced, no-consent mode that does not store identifiers or track you across pages.
Clarity does not capture personal data, payment information, or any sensitive content. All data is processed in accordance with Microsoft’s Privacy Statement, and all recordings are securely stored with restricted access.
MailerLite (Email Marketing and Automation)
We use MailerLite to manage our email marketing, newsletters, and automated communications. When you subscribe to our mailing list or download a resource, your name, email address, and communication preferences are securely stored within MailerLite. This allows us to send relevant updates, event information, and training insights.
MailerLite acts as our data processor and stores information on secure servers within the European Union (EU). It is fully compliant with the UK GDPR and EU GDPR. Data is processed in accordance with MailerLite’s Privacy Policy.
You can unsubscribe from our mailing list at any time by clicking the link in any email or by contacting [email protected].
Zoho CRM
We use Zoho CRM to securely manage enquiries, leads, and client communication. This system helps us respond efficiently to enquiries, deliver services, and maintain accurate client records. Zoho acts as our data processor and stores information on secure servers within the UK or European Economic Area (EEA) where possible. Data is protected using strong encryption and access controls in accordance with Zoho’s Privacy Policy.
Access is restricted to authorised Cyber Rebels personnel only, and all data is protected through secure authentication controls.
You can control how cookies and analytics tools operate on your device by adjusting your browser settings or through the cookie consent banner displayed on our site.
12. Children’s Data
Our website and services are not directed to children under 18, and we do not knowingly collect personal data from anyone under this age.
13. Links to Other Websites
Our website may contain links to third-party websites. We are not responsible for their content or privacy practices, and we encourage you to review their policies before providing personal information.
Our website may also include embedded third-party content or integrations (such as contact forms, booking widgets, or analytics tools). These providers may collect data directly when you interact with their features. We recommend reviewing their individual privacy policies for details.
14. Business Transfers
If our business is sold or transferred, your data may be shared with the new owner under the same terms as this policy. We will ensure your privacy rights continue to be protected.
15. Policy Version and Change Log
This policy is maintained as a living document under our DUAA accountability framework and is reviewed at least annually or whenever our data-processing activities change.
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | 31 January 2025 | Initial Privacy & Cookie Policy created in line with UK GDPR requirements. |
| 1.1 | 20 October 2025 | Updated to align with the Data Use and Access Act (DUAA) and ICO guidance. Added public-source data collection, legitimate interest assessment reference, direct marketing under legitimate interests, automated decision-making statement, data minimisation principles, and details covering e-commerce, payment, subscription, and live event processing. Rewritten for clarity, transparency, and easier readability. |
| 1.2 | 2 November 2025 | Added new section (11A) detailing the use of analytics, marketing, CRM, and productivity tools (Google Tag Manager, Meta Pixel, Microsoft Clarity, Zoho CRM, Zoho Mail, MailerLite, and Notion). Added new section (5C) covering Affiliate and Referral Programmes. Updated Section 5A to include QuickBooks for accounting and record-keeping, Section 5B to include Eventbrite for event registration management, and Section 7 to include encrypted local device storage and remote-work data protection measures. Enhanced transparency and compliance with UK GDPR and the Data Use and Access Act (DUAA). |
| 1.3 | 13 November 2025 | Added Legitimate Interest Assessment (LIA) summary for improved transparency. |
| 1.4 | 21 November 2025 | We refreshed our Cookies and Analytics sections to make things clearer, strengthen privacy controls, and reflect our updated consent settings across Google and Microsoft tools. |
| 1.5 | 21 March 2026 | We added section 7.1 (Limitations of Data Security) to provide additional clarity on data protection and security expectations, and removed Notion from our CRM tools as it is no longer in use. |
Future updates will be recorded here for transparency. You are encouraged to check this page periodically to stay informed about how we protect your personal data.
16. Contact Us
If you have any questions about this Privacy & Cookie Policy or how we handle your data, please contact us at:
Cyber Rebels Ltd,
56 High Street, Tamworth, Staffordshire, B77 1LP
Email: [email protected]