Privacy Policy

1. Introduction

1.1 This Privacy Policy explains how CyberCraft (“we”, “us”, “our”) collects, uses, stores, and protects personal data in the course of providing cybersecurity training, instructional design, membership services, and consultancy.
1.2 CyberCraft is a trading name of True Innovation Group Ltd.
1.3 We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act 2018, and all other applicable data protection and privacy laws.
1.4 This Privacy Policy applies to business clients, their employees, contractors, and authorised users only. Our services are provided strictly on a B2B basis.

2. Data Controller

2.1 The data controller is True Innovation Group Ltd, trading as CyberCraft.
2.2 Company registration number: 13412515.
2.3 Registered address: 12 Wood End Way, SO53 4LN, UK.
2.4 Contact email for privacy and data protection matters: [email protected]

3. Personal Data We Collect

3.1 We may collect and process the following categories of personal data:

- Name

- Business email address

- Job title and role

- Company name and business contact details

- Training enrolment, progress, completion status, and assessment results

- Usage data and analytics relating to our platforms and materials

3.2 We do not intentionally collect special category data as defined under GDPR.
3.3 If special category data is shared with us unintentionally, it will be deleted where reasonably practicable.

4. Client Documents and Confidential Information

4.1 Clients may provide internal policies, procedures, documents, or operational information to enable customisation of training materials.
4.2 Such information may contain personal or commercially sensitive data and is processed solely for the purpose of delivering the agreed services.
4.3 All such information is treated as confidential and subject to appropriate technical and organisational safeguards.

5. How We Use Personal Data

5.1 We use personal data for the following purposes:

- Delivering instructional design, training, membership, and consultancy services

- Managing client relationships and communications

- Administering certifications and renewals

- Improving and developing our services

- Ensuring platform security and performance

- Meeting legal, contractual, and regulatory obligations

6. Lawful Bases for Processing

6.1 We process personal data under one or more of the following lawful bases:

- Performance of a contract

- Legitimate interests pursued by CyberCraft, provided these are not overridden by individual rights

- Compliance with legal obligations

- Consent, where explicitly obtained

6.2 Where processing is based on legitimate interests, those interests include service delivery, security, analytics, and business operations.

7. Consent and Withdrawal

7.1 Where we rely on consent (for example, use of testimonials, logos, or marketing communications), consent will be obtained explicitly.
7.2 Consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

8. Cookies and Tracking Technologies

8.1 Our website uses essential, analytics, and marketing cookies.
8.2 Cookies are managed via a cookie banner and preference management tool, allowing users to accept or reject non-essential cookies.
8.3 Cookie usage complies with the UK GDPR, EU GDPR, and the ePrivacy Directive.
8.4 Detailed cookie information is available via the cookie banner

9. Third-Party Processors

9.1 We may engage trusted third-party service providers, including:

- Email communication and marketing platforms

- Analytics providers

- Hosting and learning management platforms

9.2 All processors act under written agreements that include data protection obligations in accordance with Article 28 GDPR.

10. Data Sharing

10.1 We do not sell personal data.
10.2 Personal data is shared only where necessary to:

- Deliver services

- Operate our systems

- Comply with legal obligations

11. International Data Transfers

11.1 Where personal data is transferred outside the United Kingdom or European Economic Area (EEA), we ensure appropriate safeguards are in place.
11.2 These safeguards may include:

- Adequacy decisions

- Standard Contractual Clauses (SCCs)

- Other lawful transfer mechanisms recognised under GDPR

12. Data Retention

12.1 Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected.
12.2 Retention periods take into account contractual requirements, legal obligations, and legitimate business needs.
12.3 Data is securely deleted or anonymised when no longer required.

13. Data Security

13.1 We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, alteration, or disclosure.
13.2 Security measures are reviewed periodically and updated as appropriate.

14. Individual Rights

14.1 Individuals have the right to:

- Access their personal data

- Request rectification of inaccurate data

- Request erasure of personal data

- Restrict or object to processing

- Request data portability

14.2 Requests may be submitted via [CONTACT EMAIL].
14.3 We may require verification of identity before fulfilling requests.

15. Complaints and Supervisory Authorities

15.1 Individuals are encouraged to contact us directly with any concerns or complaints.
15.2 Individuals in the UK may lodge a complaint with the Information Commissioner’s Office (ICO).
15.3 Individuals in the EU may lodge a complaint with their local supervisory authority.

16. Marketing, Testimonials, and Case Studies

16.1 Client names, logos, testimonials, and case studies are used only with explicit permission.
16.2 Consent for such use may be withdrawn at any time.

17. Changes to This Policy

17.1 This Privacy Policy may be updated periodically to reflect legal, regulatory, or operational changes.
17.2 The most current version will always be published on our website.

17.3 This Privacy Policy was most recently updated on 23/01/2026.