Privacy notice
Last reviewed 14 May 2026.
This notice explains what personal data CyBehave Academy collects when you use this site, why we collect it, how long we keep it, who we share it with, and what rights you have under the UK GDPR and the Data Protection Act 2018.
Who is the data controller
CyBehave Limited, trading as CyBehave Academy. Contact: our contact form. For data-protection questions, write "DPO" in the subject line.
What data we collect, and why
| Data | Why | Lawful basis |
|---|---|---|
| Name, email, password (hashed) | To create your account, sign you in, communicate with you about your courses. | Contract (Art. 6(1)(b)) |
| Course enrolments, slide progress, workbook responses, assessment attempts & answers | To deliver the course, track your progress, mark assessments. | Contract (Art. 6(1)(b)) |
| Certificates (your name, course title, date) | To issue a verifiable certificate of completion. The verification page is public (name + course only, no email). | Contract (Art. 6(1)(b)) |
| Course feedback (rating + optional comment) | To help us improve courses. | Legitimate interest (Art. 6(1)(f)) |
| Newsletter opt-in flag & timestamp | Only when you tick the box on your profile. Used to send course-update emails. | Consent (Art. 6(1)(a)) |
| Audit log: admin actions on your account (status changes, role changes) | Internal accountability and security. | Legitimate interest (Art. 6(1)(f)) |
| IP address, user-agent on contact-form submissions and admin actions | Anti-abuse, security investigation. | Legitimate interest (Art. 6(1)(f)) |
What we don't collect
- No third-party analytics, advertising, social-pixel, fingerprinting or behavioural-profiling cookies.
- No special-category data (Art. 9 UK GDPR).
Cookies
We use a small set of strictly necessary cookies to keep you signed in (session cookie) and to protect form submissions (CSRF token). They expire when you close the browser or, for the CSRF token, when your session expires. No analytics or advertising cookies fire on this site.
See our consent banner for the choices available. You can clear cookies at any time from your browser.
How long we keep it
- Active accounts — for as long as you remain signed up.
- Inactive accounts — accounts with no sign-in for 24 months are flagged for review; on confirmation, they are anonymised (name + email scrubbed; learning records retained in aggregated, anonymised form).
- Audit log entries — kept 24 months from the action date, then automatically purged.
- Certificate verification records — kept indefinitely so issued certificates remain verifiable. Name + course title only.
- Contact-form submissions — kept for 12 months from the reply, then purged.
Who we share it with
- Postmark (transactional email delivery) — your name, email and the contents of any system email we send to you. Data centre: USA. Postmark is covered by the UK Extension to the EU–US Data Privacy Framework.
- Plesk / our hosting provider — UK-region VPS. Sees encrypted traffic + standard webserver logs.
- We do not sell, rent or share personal data with any other third party.
Your rights
Under UK GDPR you have the right to:
- Access — download a copy of all data we hold about you. Click Download my data on your profile page.
- Rectification — fix anything wrong, also from your profile page.
- Erasure — request deletion. Click Delete my account on your profile page. We will immediately scrub your identifying data (name & email) and soft-delete your account; any records we have a statutory basis to retain (certificate-verification records) are kept in anonymised form only.
- Restriction & objection — contact us via the form.
- Withdraw consent — for anything you opted into (e.g. newsletter), unsubscribe from your profile page or any newsletter email.
- Portability — the data download is JSON, machine-readable.
We will respond to any rights request within one calendar month.
Children
CyBehave Academy is intended for use by adults (16+). We do not knowingly collect data from anyone under 13.
Security
We use TLS in transit, hashed passwords (bcrypt, work-factor 12+), HTTP-only same-site session cookies, a strict Content-Security-Policy, HSTS in production, rate-limited authentication endpoints, and a least-privilege admin model with full audit logging. We back up daily and keep 14 rolling backups. If a personal-data breach occurs, we will notify the Information Commissioner's Office (ICO) within 72 hours where required.
Complaints
If you're not happy with our handling of your data, please raise it with us first. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office.
Changes to this notice
If we make material changes we will update the date at the top of this page and, if appropriate, contact you by email. Minor changes are reflected in the date stamp only.