Privacy policy
PRIVACY POLICY
Clockwork Cyber Limited
Company number: SC886072
VAT number: GB517562286
Email: john.hay@clockworkcyber.co.uk
Website: www.clockworkcyber.co.uk
Last updated: May 2026
1. About this Privacy Policy
This Privacy Policy explains how Clockwork Cyber Limited, trading as Clockwork Cyber, collects, uses, stores and protects personal data.
Clockwork Cyber is the controller for personal data used for its own business purposes, including enquiries, orders, accounting, supplier management, marketing consent, customer feedback, complaints, appeals, quality improvement, security, business administration and service delivery.
For some client services, Clockwork Cyber may process information on behalf of a client. Where that applies, the relevant contract, scope confirmation, scheme rules or client instructions will define the processing role and responsibilities.
2. Contact details
For privacy questions or data protection requests, contact:
John Hay, Director
Email: john.hay@clockworkcyber.co.uk
Registered office: Rowallan Drive, ML1 5WX
3. Personal data we collect
Clockwork Cyber may collect and use the following types of personal data:
name;
business name;
job title;
business email address;
business telephone number;
billing details;
order and enquiry details;
communications with Clockwork Cyber;
supplier or business contact details;
accounting and invoice records;
payment status and transaction reference information;
marketing consent records;
website enquiry form submissions;
technical and security information needed to deliver an agreed service;
customer feedback, complaint, appeal and quality improvement records;
security logs and access records;
and information required to deliver agreed cyber security, compliance, certification support, assessment support or technical review services.
Clockwork Cyber does not directly see, store, write down, download or manually process full payment card numbers, CVV codes or card expiry dates. Payments are handled by external payment service providers.
Clockwork Cyber does not currently process special category personal data.
Clockwork Cyber does not knowingly collect personal data from children.
4. Assessment and service evidence
Where assessment, certification support, benchmarking, technical review or cyber security services are agreed with a client, Clockwork Cyber may process client evidence.
This may include questionnaires, scoping information, asset lists, screenshots, vulnerability scan reports, policy documents, network or system information, user or access evidence, supplier evidence, assessor notes, client contact details and related service records.
This type of processing will only apply where it is required for an agreed service and will be handled in line with the applicable contract, scheme rules, retention requirements and security controls.
5. How we collect personal data
Clockwork Cyber may collect personal data from:
website enquiry forms;
online orders or checkout processes;
email correspondence;
telephone calls;
video meetings;
business contacts;
client-provided documents or evidence;
supplier records;
accounting and banking activity;
security monitoring;
feedback, complaints or appeals;
and public or professional sources where relevant to a business relationship.
6. Why we use personal data and lawful basis
Clockwork Cyber uses personal data for the following purposes and lawful bases.
Customer enquiries and service delivery
Purpose: responding to enquiries, preparing quotations, managing orders, delivering services and communicating with clients.
Lawful basis: contract or steps before entering into a contract.
Accounting, invoicing, tax and business records
Purpose: issuing invoices, maintaining accounting records, VAT records, tax records and financial records.
Lawful basis: legal obligation.
Supplier and business contact management
Purpose: managing suppliers, partners, business contacts and professional relationships.
Lawful basis: legitimate interests.
Marketing opt-in
Purpose: sending marketing emails or promotional information where someone has opted in.
Lawful basis: consent.
Security logging and access monitoring
Purpose: protecting systems, accounts, data and services from misuse, unauthorised access, fraud or cyber security threats.
Lawful basis: legitimate interests.
Assessment, certification support, benchmarking or technical review services
Purpose: delivering agreed services, managing evidence, preparing outputs, supporting certification activity, and maintaining records where required.
Lawful basis: normally contract, with legal obligation or legitimate interests applying where records need to be retained for scheme, audit, legal, contractual or dispute-handling reasons.
Customer feedback, complaints, appeals and quality improvement
Purpose: measuring customer satisfaction, handling complaints or appeals, improving service quality, maintaining audit records and meeting contractual, scheme or service expectations.
Lawful basis: legitimate interests, or contract where the record is linked to service delivery.
7. Legitimate interests
Where Clockwork Cyber relies on legitimate interests, it does so only where the processing is necessary and proportionate and where individual rights and freedoms do not override the business interest.
Clockwork Cyber may rely on legitimate interests for supplier and business contact management, security logging, access monitoring, fraud prevention, account protection, ordinary business relationship management, customer feedback, complaint handling, appeal handling and service improvement.
8. Marketing
Clockwork Cyber may send marketing emails only where consent has been provided or where another lawful route is available under applicable law.
Marketing consent can be withdrawn at any time by using the unsubscribe link in marketing emails or by contacting:
john.hay@clockworkcyber.co.uk
Withdrawing marketing consent does not affect necessary service, order, account, legal or security communications.
9. Who we share personal data with
Clockwork Cyber only shares personal data where necessary for business operations, legal compliance, service delivery, security, accounting, payment processing, supplier management, certification activity, complaint handling or appeal handling.
This may include trusted providers of:
website hosting and e-commerce services;
payment processing;
accounting and banking services;
email, document management and secure sharing;
domain management;
backup and recovery services;
security monitoring and vulnerability checking;
professional advice;
certification or assessment platforms;
technical testing services;
legal, regulatory, scheme, insurer or law enforcement support where required.
These providers only receive the information needed for their role and are reviewed as part of Clockwork Cyber’s supplier management process.
10. International transfers
Clockwork Cyber uses UK data storage where available.
Some suppliers may process personal data outside the UK or EEA. Where this happens, Clockwork Cyber relies on the supplier’s published contractual terms, data processing terms and lawful transfer safeguards, such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement or equivalent safeguards.
11. How long we keep personal data
Clockwork Cyber keeps personal data only for as long as necessary for the purpose it was collected, including to meet legal, accounting, tax, contractual, audit, insurance, dispute-handling, security and certification scheme requirements.
Accounting and invoice records are normally retained for 6 years.
Customer and contact records are retained for the duration of the business relationship and then reviewed annually.
Security and access records are retained for at least 12 months.
Incident records are retained for at least 3 years.
Policy, risk, continuity, quality, complaint, appeal and improvement records are retained for at least 3 years unless a longer contractual, scheme, legal or audit requirement applies.
Marketing consent records are retained until consent is withdrawn, with a suppression record retained where needed.
Future assessment evidence will be handled under the applicable IASME scheme rules, Certification Body agreement, client contract and data retention schedule once Certification Body activity begins.
When data is no longer required, it is securely deleted or disposed of.
12. How we protect personal data
Clockwork Cyber protects personal data using appropriate technical and organisational measures.
These include access control, multi-factor authentication where available, encryption, managed business devices, secure document sharing, backup and recovery controls, supplier review, security monitoring, data minimisation, incident response procedures and periodic review.
Access to personal data is restricted to those who need it for legitimate business purposes.
13. Your rights
Depending on the circumstances and applicable law, individuals may have rights including:
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object;
the right to withdraw consent;
and rights relating to automated decision-making where applicable.
To exercise your rights, contact:
john.hay@clockworkcyber.co.uk
Clockwork Cyber will respond without undue delay and normally within one month of receiving a valid request. Identity verification may be required before a request is completed.
14. Complaints about personal data
If you have a concern about how Clockwork Cyber handles personal data, please contact:
john.hay@clockworkcyber.co.uk
You also have the right to complain to the UK Information Commissioner’s Office.
ICO website: www.ico.org.uk
15. Service complaints and appeals
Service complaints or appeals relating to Clockwork Cyber services can be sent to:
john.hay@clockworkcyber.co.uk
Complaints and appeals are recorded, reviewed and handled through Clockwork Cyber’s internal quality management process. Where a complaint or appeal relates to an external certification scheme, assessment decision or certification body process, the relevant scheme or certification body escalation route may also apply.
16. Cookies and website data
Clockwork Cyber’s website may use cookies and similar technologies for essential site operation, checkout, security, analytics, performance, user experience and marketing where enabled.
Browser settings may allow you to block or delete cookies. Some website functions may not work correctly if essential cookies are blocked.
17. Automated decision-making
Clockwork Cyber does not currently carry out solely automated decision-making that produces legal or similarly significant effects on individuals.
18. Changes to this Privacy Policy
Clockwork Cyber may update this Privacy Policy from time to time to reflect changes in services, suppliers, legal requirements, data processing, security controls, quality management records or business operations.
The current version will be published on the website.
19. Contact
For privacy or data protection queries, contact:
Clockwork Cyber Limited
Email: john.hay@clockworkcyber.co.uk
Website: www.clockworkcyber.co.uk
Registered office: Rowallan Drive, ML1 5WX