SHELLHEX LTD – PRIVACY POLICY

This privacy policy applies to Shellhex Ltd (company number: 16400588) (we, us or our). We are committed to protecting your privacy. This policy explains how we collect, use and share your personal data when you interact with us directly, for example through our website or when you contact us about our services.

Please note that when we carry out security testing and related services for our clients, we may process personal data on their behalf as a data processor. That processing is governed by the data processing addendum in our customer contract and is not covered by this policy.

Information we collect

Identity and contact details

  • Name, address, email address and phone number
  • Professional details

Service related information

  • Transaction details for services you have purchased from us or enquiries about our services
  • Your preferences for our services
  • Feedback and complaints

Financial and payment information

  • Payment details for services you have purchased from us, and where relevant banking or payment card information processed through our payment providers.

Digital information

  • IP address and general location information derived from your IP address
  • Web browser type and operating system

Recordings

  • Call recordings
  • Records of meetings and decisions

Professional information (for job applicants and workers)

  • Employment history
  • Professional experience
  • Required authorisations and licences
  • Professional registrations
  • Information about your right to work in the UK

How we collect personal data

  • Directly from you when you: interact with us, contact us, fill out forms.
  • Automatically when you: visit our website, use our technologies, interact with our online services.
  • From third parties: service providers, business partners, previous employers, government organisations and organisations or people authorised by you.
  • From publicly available sources: such as Companies House and professional networking sites such as LinkedIn.

How we use your information

Data protection law requires us to have proper legal reasons for using your personal data. We can only use your information when we have one or more of these legal bases.

  • Consent - You have clearly agreed to us using your personal data for a specific purpose.
  • Performance of a contract - We need to use your information to fulfil a contract with you, or because you've asked us to do something before entering into a contract.
  • Legal duty - We must use your information to comply with the law.
  • Vital interests - We need to use your information to protect someone's life.
  • Public interest - We need to use your information to perform a task in the public interest or carry out official functions that have a clear legal basis.
  • Legitimate interests - We have a genuine business reason to use your information, or a third party does, but only if this doesn't unfairly override your rights and interests. Where we rely on legitimate interests as our legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. These assessments consider:
    • The nature of our legitimate interest
    • The impact on you
    • Any safeguards we can implement
    • Your reasonable expectations
    • The broader context of our relationship

Note that we may process your personal data on more than one legal basis depending on the specific purpose for which we are using your data. We have listed the reasons we process your data and the legal basis below. Please reach out to us if you need further details about the specific legal basis we are relying on to process your personal data.

Managing your account and providing our services

What we use your information for:

  • To provide our security testing and related services to you
  • To contact and communicate with you about our services, including responding to support requests and enquiries and for dealing with complaints or claims
  • Internal record keeping, administrative, invoicing and billing purposes
  • We may also collect your work email address and contact details in order to set up and manage a secure client portal through which we provide you with access to reports and other deliverables. Access to the portal will be created by us and will be linked to your work contact details. You will not be able to self-register for the portal.

Legal basis for using this information:

  • Performance of a Contract
  • Legal Duty (for billing and record-keeping requirements)
  • Legitimate interests

Types of information we use:

  • Identity and contact details
  • Service related information
  • Financial Information
  • Digital information

Client onboarding and verification

What we use your information for:

  • To assess whether to take you on as a new client, including performing anti-money laundering, anti-terrorism, sanction screening, fraud and other background checks

Legal basis for using this information:

  • Performance of a Contract
  • Legal Duty
  • Public Interest
  • Legitimate interests

Types of information we use:

  • Identity and contact details
  • Financial information

Website enquiries and customer service

What we use your information for:

  • To contact and communicate with you about any enquiries you make with us via our website

Legal basis for using this information:

  • Legitimate interests

Types of information we use:

  • Identity and Contact Data
  • Digital Information

Business improvement and development

What we use your information for:

  • To operate and improve our services and to develop our business.

Legal basis for using this information:

  • Legitimate interests

Types of information we use:

  • Digital Information

Marketing and communications

What we use your information for:

  • To contact prospective clients and business partners about our services where we consider this may be of interest to them.

Legal basis for using this information:

  • Legitimate interests

Types of information we use:

  • Identity and Contact Data

Recruitment and employment purposes

What we use your information for:

  • To consider your application if you have applied to work with us and to keep you up to date with its progress
  • In relation to self-declared disabilities in order for us to make reasonable adjustments to support your application and any possible future employment
  • In relation to any diversity or equal opportunities monitoring questionnaire data, to monitor and report on our equality and diversity composition and ensure fairness in the recruitment process
  • In relation to any right to work information we collect, in order to ensure we comply with the law in employing you
  • To keep you updated on any other suitable vacancies

Legal basis for using this information:

  • Legitimate interests
  • Legal Duty
  • Consent
  • Performance of a Contract

Types of information we use:

  • Identity and Contact Data
  • Professional Data

Legal compliance

What we use your information for:

  • To comply with our legal obligations or if otherwise required or authorised by law

Legal basis for using this information:

  • Legal Duty

Types of information we use:

  • All relevant Personal Data

Our disclosures of personal data to third parties

We may disclose personal data to:

Service providers

  • IT service providers including Contabo, Migadu, FreeAgent and Obsidian
  • Web hosting and server providers
  • Payment processors including Stripe, PayPal, and GoCardless

Professional advisers

  • Bankers including Mettle
  • Auditors
  • Insurers and insurance brokers
  • Legal advisers

Business partners

  • Our existing or potential agents
  • Our business partners or contractors

Corporate transactions

If we merge with or are acquired by another company, or sell our business assets:

  • Your information may be disclosed to our advisers
  • Your information may be disclosed to the potential purchaser's advisers
  • Your information may be included in the transferred assets

Legal and regulatory bodies

  • Courts and tribunals
  • Regulatory authorities including as required for reporting obligations
  • Law enforcement officers

Other parties

  • Third parties you have authorised
  • Emergency services when necessary
  • Any other parties as required or permitted by law

Overseas transfers

Where we store and access your information

We store your personal data in the United Kingdom. However, your information may be transferred to locations outside the United Kingdom in these circumstances:

  • When our service providers are located overseas
  • When we work with overseas business partners
  • When using cloud-based services or data storage solutions
  • When required by law or legal proceedings

Our approach to overseas transfers

When we transfer your personal data outside the United Kingdom, we ensure it receives appropriate protection by:

  • Only transferring your information to countries that UK data protection law recognises as providing adequate protection for personal data, or
  • Putting in place a contract with the third party that means they must protect personal data to the same standards as the UK.
  • Transferring personal data to organisations that are part of specific agreements on cross-border data transfers with the UK.

What this means for you

We only transfer the minimum amount of personal data necessary and require all recipients to:

  • Protect your information to the same standards required by UK law
  • Use your information only for the purposes we've agreed
  • Allow us to monitor how they handle your information
  • Provide you with the same rights over your information that you have under UK law

Data retention

How long we keep your information

We only keep your personal data for as long as we need it to:

  • Provide our services to you
  • Meet our legal, tax, accounting or regulatory obligations
  • Handle any complaints or legal issues that may arise

We may keep your information for longer periods if:

  • You make a complaint that we need to investigate or respond to
  • We reasonably believe legal action involving our relationship with you might occur
  • The law requires us to keep it for specific timeframes

How we decide retention periods

When determining how long to keep your information, we consider:

  • How much information we have and how sensitive it is
  • The risk of harm if the information was accessed without permission
  • Whether we can achieve our purposes in other ways
  • What legal, regulatory, tax or accounting rules require
  • The nature of our relationship with you and the services we provide

What happens when we no longer need your information

Once we no longer need your personal data, we will securely delete or destroy it in accordance with our data retention policies and legal requirements.

Your Rights

You can request information about retention periods for your data and ask for early deletion where legally possible.

Your privacy rights and choices

Providing information

You can choose whether to provide personal data to us. However, if you don't provide certain information, we may not be able to provide some services. Let us know if you don't want to provide information and we will let you know when information is required versus optional.

Right of Access

You have the right to ask us for copies of your personal data. You can request other information such as details about where we get personal data from and who we share personal data with. There are some exemptions which means you may not receive all the information you ask for.

Right to Rectification

You have the right to ask us to correct or delete personal data you think is inaccurate or incomplete.

Right to Erasure ("Right to be forgotten")

You can request deletion of your personal data in certain limited circumstances as set out in data protection law, such as where the data is no longer necessary or has been unlawfully processed. This right is not absolute and we may be required or entitled to retain your data for legal, regulatory or legitimate business reasons.

Right to Restrict Processing

You can ask us to suspend processing where:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification of our legitimate grounds

Right to opt-out of marketing communications

You can opt-out of receiving marketing communications at any time. Each marketing communication will include an unsubscribe option. You can change your marketing preferences by contacting us. We will process your request as soon as practicable.

Right to Data Portability

Where technically feasible, you can receive your personal data in a structured, commonly used format or have it transmitted to another controller where:

  • Processing is based on consent or contract
  • Processing is automated

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

To exercise any of these rights, contact us using the details below. We may ask for proof of identity and will respond within one month (extendable to three months for complex requests).

These rights are available under data protection law, though some may not apply in every situation. We'll let you know if any limitations apply when you make a request.

Making a complaint

If you have concerns about how we handle your information

If you're unhappy with how we've used your personal data, please get in touch with us first using the contact details at the end of this policy. When you contact us:

  • Give us full details about your complaint
  • We'll investigate your concerns promptly
  • We'll respond to you in writing explaining what we found and what we'll do to address your complaint

Your right to complain to the regulator

You can also make a complaint directly to the Information Commissioner's Office (ICO), the UK's data protection regulator, at any time.

The ICO's address:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

You don't have to contact us first before going to the ICO, but we'd appreciate the opportunity to try to resolve your concerns directly with you.

Protecting your information

We take the security of your personal data seriously. As a cybersecurity business, we apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These measures include:

  • encryption of data in storage and transmission where appropriate;
  • strict access controls limiting access to personal data to those who need it;
  • regular review of our security practices; and
  • secure disposal of personal data when it is no longer needed.

Cookies and analytics

We do not currently use cookies or similar tracking technologies on our website, and we do not use third-party analytics tools such as Google Analytics. If we introduce cookies or analytics in the future, we will update this policy and, where required, obtain your consent before doing so.

Artificial Intelligence (AI) Technologies

We may use AI tools to assist with internal tasks such as drafting communications. We do not input your personal data into AI tools. Where we use AI tools, we ensure that any personal data is not shared with third-party AI providers.

Amendments

We may update this policy at any time by posting the revised version on our website. We recommend that you review our website regularly to stay current with any policy changes.

Our contact details

Privacy contact email: 'hello' at this domain

Last update: 30 March 2026

© LegalVision Law UK Ltd