
Privacy Policy

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what we collect, how we use it and the choices you have. It is designed to comply with the UK GDPR and the Data Protection Act 2018.

Who we are (Data Controller)

For the purposes of UK data protection law, the data controller is the operator of the Cyber Essentials Scanner website ("we", "us", "our"). If you have questions, you can reach us at: privacy@cescanner.co.uk.

What data we collect

  • Essential data: technical data required to deliver the site (e.g. security cookies, load balancing, CSRF protection).
  • Scanner inputs: the website URL you choose to scan and scan settings. This runs in your browser; we do not modify your site.
  • Analytics (optional): with your consent, anonymous usage metrics such as page views and events. These are only loaded after you consent in the cookie banner.
  • Contact information (if you email us): we process the contents of your message to respond.

Why we use your data (Lawful bases)

  • To provide and secure the site (legitimate interests / performance of a service).
  • To remember your consent choices (legal obligation / compliance).
  • To improve the service (consent for analytics).
  • To communicate with you when you contact us (legitimate interests / consent).

Cookies

We use essential cookies for the website to function and an in‑page consent tool to control optional analytics cookies. Optional analytics are off by default and are only loaded if you click Accept or enable them in Preferences. You can change your choice at any time via Preferences in the cookie banner or by clearing your browser storage.

How we share data

We do not sell your personal data. If analytics is enabled, anonymised usage data may be processed by our analytics provider as our data processor, bound by a data processing agreement. We only share data if necessary to provide the service, comply with law, or protect our rights.

International transfers

Where data is processed outside the UK, we ensure appropriate safeguards are in place (e.g. UK International Data Transfer Agreement or equivalent). Details are available on request.

Retention

Essential operational logs are retained for a short period for security and troubleshooting. Optional analytics retention follows our analytics provider’s defaults. We retain emails while necessary to respond and for reasonable records management.

Your rights

Under UK GDPR you have rights to access, rectification, erasure, restriction, objection, and data portability. You may also withdraw consent at any time where processing is based on consent. To exercise your rights, contact us at privacy@cescanner.co.uk. You also have the right to complain to the ICO (ico.org.uk).

Security

We apply appropriate technical and organisational measures to protect personal data, including HTTPS, access controls and vulnerability management aligned to Cyber Essentials principles.

Updates

We may update this policy from time to time. Material changes will be highlighted on this page. Last updated: 06 Sep 2025.