1. Who we are

Onion Security Ltd ("we", "us", "our") is a cyber security consultancy firm. We are the data controller for personal data collected through this website and for business interactions.

Company details:

  • Legal name: Onion Security Ltd
  • Company number: 15790877
  • Registered office: Unit 10 Mandeville Courtyard, 142 Battersea Park Road, London, England, SW11 4NB
  • Email: enquiries@onionsecurity.co.uk

2. What this policy covers

This policy explains how we collect, use, store, and share personal data when you:

  • visit our website
  • contact us via the website enquiry form or by email
  • book a call via Calendly
  • engage us for services (for example, governance, risk and compliance support, vCISO and security leadership, penetration testing, or resilience and recovery work)

3. Personal data we collect

The personal data we collect depends on how you interact with us. It may include:

3.1 Data you provide

  • your name, company name, job title (if provided)
  • your email address and phone number (if provided)
  • the content of your message or enquiry
  • booking details submitted via Calendly (such as your name, email address, meeting time, and any notes you add)

Please do not submit confidential or sensitive information via the website form unless we have asked for it and provided a secure method to share it.

3.2 Data collected automatically (website usage)

  • IP address and approximate location (derived from IP)
  • device and browser information
  • pages viewed and interactions on the website

We use Google Analytics to understand website usage, where analytics is enabled through cookie settings.

3.3 Client data processed during service delivery

If you engage us as a client, we may process personal data that appears within your organisation's systems or documents (for example, user identifiers in logs, evidence packs for compliance, incident artefacts, or access records). We only process such data to deliver the agreed services and under appropriate confidentiality and security controls.

4. How we use your personal data

We use personal data for the following purposes:

  • to respond to enquiries and provide requested information
  • to schedule and manage calls (including through Calendly)
  • to deliver services and manage client relationships
  • to operate, secure, and improve our website
  • to maintain business records of communications and service activity
  • to comply with legal obligations where applicable

5. Lawful bases for processing (UK GDPR)

We rely on one or more of the following lawful bases:

  • Legitimate interests: to respond to enquiries, operate our business, and keep our website secure (balanced against your rights)
  • Contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract
  • Consent: where you choose to accept non-essential cookies/analytics (where implemented)
  • Legal obligation: where we must comply with applicable law

6. Cookies and analytics

Our website uses cookies and similar technologies for:

  • strictly necessary functionality (for example, site operation and security)
  • preference management (for example, remembering settings)
  • analytics (Google Analytics) to understand usage and improve performance, where enabled through cookie settings
  • scheduling (Calendly), which may place cookies or process booking data to provide its service

7. No email marketing

We do not send newsletters or marketing emails. If you contact us, we will only use your details to respond, manage bookings, and deliver services.

8. Who we share personal data with

We may share personal data with trusted service providers only as necessary to run the website and provide services. This includes:

  • Webflow (website hosting and website form handling)
  • Google Analytics (website usage analytics, where enabled)
  • Calendly (call booking and scheduling)

We do not sell personal data. We may also share data where required by law or to protect our legal rights.

9. International transfers

Some service providers may process data outside the UK depending on their operations and infrastructure. Where international transfers occur, we use appropriate safeguards required by UK data protection law (for example, adequacy regulations or approved contractual protections).

10. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. No method of transmission is completely secure, so please avoid sending sensitive information via web forms.

11. Retention and deletion

We keep personal data only as long as necessary for the purposes described in this policy (for example, to respond to your enquiry, manage bookings, deliver services, and maintain reasonable business records).

If you would like your personal data removed from our systems, contact enquiries@onionsecurity.co.uk. We will act on your request where applicable and subject to any legal obligations to retain certain records.

12. Your rights

Under UK data protection law, you may have rights to:

  • access your personal data
  • correct inaccurate personal data
  • request deletion of your personal data (in certain circumstances)
  • restrict or object to processing (in certain circumstances)
  • withdraw consent where processing is based on consent

To exercise your rights, contact: enquiries@onionsecurity.co.uk.

13. Complaints

If you have concerns, please contact us first at enquiries@onionsecurity.co.uk and we will try to resolve them promptly. You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority.

14. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will be available on our website and will show an updated "Last updated" date.
