Privacy Notice
Cyber Native · Version 2.0 · 04/2026
Next scheduled review: 03/2027
1. Who We Are
Cyber Native is a cybersecurity and cyber risk consultancy based in London. We provide advisory, assessment, architecture and training services to small and medium-sized businesses and large enterprises.
Data Controller
Cyber NativeLondon
United Kingdom
Contact for data protection matters
Email: hello@cybernative.uk
We have determined that we are not required to designate a Data Protection Officer under Article 37 of the UK GDPR.
2. Scope of This Notice
This notice covers personal data processed in connection with visits to our website at cybernative.uk and enquiries submitted to us via our website contact form or by email.
Personal data arising from client service engagements is addressed in the relevant engagement documentation between Cyber Native and the client, and is not within the scope of this notice.
3. Personal Data We Collect
3.1 Website Analytics (Google Analytics)
We use Google Analytics to understand how visitors use our website. We use this information solely to monitor and improve website performance.
Is the Google Analytics dataset personal data?
The UK GDPR defines personal data as information that relates to an identified or identifiable natural person, where identifiability is assessed by reference to all means reasonably likely to be used to identify the individual (Article 4(1) and Recital 26, UK GDPR). The Information Commissioner has confirmed that a very slight hypothetical possibility of reconstructing data to identify an individual does not automatically make that individual identifiable — all objective factors must be weighed, including the cost, time and technology required to achieve identification.
We use Google Analytics 4 (GA4). GA4 does not log or store full IP addresses: IP data is used solely to derive coarse geographic information (country and region level) before being discarded immediately, and is not accessible to us or retained by Google in its raw form. The data we receive consists of aggregated, session-level statistics (for example, number of sessions, pages visited, device category, approximate geographic region). We have no capability, and no means reasonably likely to be used, to identify any individual visitor from this aggregated dataset.
On the basis of the ICO's "means reasonably likely" test, we consider that the Google Analytics dataset in our hands does not constitute personal data within the meaning of the UK GDPR. We nonetheless disclose our use of Google Analytics in full in the interests of transparency, and note that Google, as the analytics platform provider, processes data subject to its own terms and privacy documentation.
Analytics cookies and PECR
Separately from the question of whether GA data is personal data in our hands, the analytics cookies that Google Analytics places on your device are subject to the Privacy and Electronic Communications Regulations 2003 (PECR). PECR applies to the placing of and access to cookies on a user's device regardless of whether the resulting data constitutes personal data.
Analytics cookies are not exempt from PECR consent requirements. We explain our approach to cookies, and how you may control them, in Section 5 below.
Retention
Google Analytics 4 retains event-level data for the default period of two months, after which it is automatically deleted by Google. Aggregate, non-identifiable reporting data does not carry a fixed retention period and is retained for as long as we maintain our Google Analytics account.
3.2 Website Contact Form and Email Enquiries
This is the only category of processing within scope of this notice that involves personal data as defined by the UK GDPR.
| Personal data | Purpose | Lawful basis |
|---|---|---|
| Name, email address, and message content provided via our contact form or by direct email | To respond to your enquiry and to assess whether we are able to assist you | Legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is in responding to genuine business enquiries. We have assessed this against your interests and rights: you have initiated contact with us, the data is limited to what you have chosen to provide, and the processing is proportionate to the purpose. |
| Name, email address, and nature of enquiry, retained following initial response | To maintain a record of communications relevant to a potential business relationship | Legitimate interests (Article 6(1)(f) UK GDPR). Our legitimate interest is in maintaining accurate business records. Retention is limited to what is necessary for this purpose (see Section 6). |
You are not under any statutory or contractual obligation to provide information via the contact form. If you do not provide a name and email address, we will be unable to respond to your enquiry.
We do not collect special category personal data via our website or contact form. If you choose to include sensitive information in a message to us, we will handle it with appropriate care but would recommend contacting us directly to discuss more sensitive matters.
4. Data We Do Not Collect
For the avoidance of doubt, the following activities and associated datasets are not within scope of this notice.
- Personal data processed in connection with client engagements (addressed in engagement contracts)
- Personal data relating to Cyber Native staff and contractors (addressed in internal staff documentation)
- A subscription mailing list (we do not operate one)
- Data collected via a blog subscription service (we do not operate one)
- Automated profiling or scoring of website visitors
5. Cookies
Cookies are small text files placed on your device when you visit a website. Our website uses the following categories of cookie.
Strictly necessary cookies
These are essential for the website to function correctly. They do not require your consent under PECR.
Analytics cookies (Google Analytics)
We use Google Analytics cookies to measure how visitors interact with our website. We use the resulting information solely to understand and improve website performance.
The legal basis for our analytics cookies under PECR
The Privacy and Electronic Communications Regulations 2003 (PECR) govern the placing of cookies on a user's device. Historically, PECR required consent for analytics cookies unless they fell within the narrow "strictly necessary" or "communication" exemptions.
The Data (Use and Access) Act 2025, which came into force on 19 June 2025, materially amended PECR by inserting Schedule A1, which introduces a new "statistical purposes" exception. Under this exception, storage or access is permitted without consent where the purpose is to collect information about how a website is used in order to improve that website or service, provided that the information resulting from the storage or access is aggregate data that cannot be used to identify individuals.
The ICO has confirmed that "statistical purposes" carries the same meaning as defined in the UK GDPR: the information that results from the processing is aggregate data that is not personal data.
As described in Section 3.1, the Google Analytics data we receive consists exclusively of aggregated, session-level statistics. We have no capability to identify any individual visitor from this dataset. Our use of Google Analytics is limited to the purpose of improving our website, and we do not use analytics data for any secondary purpose such as advertising or profiling. Our implementation therefore falls squarely within the statutory "statistical purposes" exception to PECR, and consent is not required for these cookies.
We provide this notice in the interests of full transparency, and we satisfy the associated transparency obligation by disclosing our use of analytics cookies here.
Your control over analytics cookies
You may prevent Google Analytics cookies from being placed on your device at any time by adjusting your browser settings to block third-party cookies, or by using your browser's incognito or private browsing mode. Instructions for managing cookies are available through your browser's help function. This will not affect your ability to access or use cybernative.uk.
We do not use advertising, targeting or social media cookies.
Google Analytics and data transfers
Google Analytics involves the transfer of data to Google servers. See Section 7 (International Transfers) for further detail.
6. How Long We Keep Your Personal Data
We retain personal data only for as long as is necessary for the purpose for which it was collected.
| Data | Retention period |
|---|---|
| Contact form and email enquiries (no engagement follows) | 12 months from the date of last contact, after which data is deleted or anonymised |
| Contact form and email enquiries (where an engagement commences) | Personal data transfers to engagement documentation and is handled in accordance with the relevant engagement contract from that point |
We review our retention periods periodically and delete or anonymise data that is no longer required.
7. Who We Share Your Data With
We do not sell, rent or otherwise transfer personal data to third parties for their own purposes.
Google Analytics
We share website interaction data with Google LLC (trading as Google Analytics) for the purpose of website performance analysis. As noted in Section 3.1, we do not consider this dataset to constitute personal data in our hands. Google operates as a data processor in relation to data processed via Google Analytics, subject to Google's data processing terms.
Google Analytics data is processed on servers that may be located outside the United Kingdom, including in the United States. The United States does not currently benefit from a UK adequacy decision under Article 45 of the UK GDPR. Google relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses as the transfer mechanism for data flows from the UK to its servers. Further information is available in Google's privacy documentation at policies.google.com.
Regulatory and law enforcement authorities
We will disclose personal data where required to do so by law, by court order, or where necessary to establish, exercise or defend legal claims.
8. Your Rights Under UK Data Protection Law
The UK GDPR gives you a number of rights in relation to personal data we hold about you. These rights apply to the contact form and email enquiry data described in Section 3.2. They do not apply to the Google Analytics dataset, which we consider to be non-personal data in our hands for the reasons set out in Section 3.1.
To exercise any of the rights below, please contact us at hello@cybernative.uk. We will respond within one calendar month of receiving your request. In complex or numerous cases we may extend this by a further two months, in which case we will notify you within the first month and explain the reason.
We will not charge a fee unless a request is manifestly unfounded or excessive.
Right of access
You may request confirmation of whether we hold personal data about you, and a copy of that data (Article 15 UK GDPR).
Right to rectification
You may request that inaccurate or incomplete personal data be corrected (Article 16 UK GDPR).
Right to erasure
In certain circumstances you may request deletion of personal data we hold about you — for example, where the data is no longer necessary for the purpose for which it was collected (Article 17 UK GDPR). This right does not apply where retention is required to comply with a legal obligation or to establish, exercise or defend legal claims.
Right to restriction
In certain circumstances you may request that we restrict our processing of your personal data rather than delete it — for example, while the accuracy of data is being contested (Article 18 UK GDPR).
Right to object
Where we process personal data on the basis of legitimate interests, you have the right to object on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims (Article 21 UK GDPR).
Right to data portability
This right applies where processing is based on consent or contract and is carried out by automated means. As our processing of your personal data under this notice is based on legitimate interests, this right does not apply in our case (Article 20 UK GDPR).
Rights related to automated decision-making
We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects. No action is required under Article 22 UK GDPR.
9. Security
We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Given the nature of our business as a cybersecurity consultancy, we operate our information security practices in line with recognised industry standards.
Where a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and within 72 hours of becoming aware, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, in accordance with Article 34 UK GDPR.
10. How to Raise a Concern or Complain
If you have a concern about how we handle your personal data, please contact us in the first instance at hello@cybernative.uk. We will aim to resolve the matter promptly.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the supervisory authority for data protection in the United Kingdom.
Information Commissioner's Office
Wycliffe House, Water LaneWilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
Online complaints: ico.org.uk/make-a-complaint
11. Changes to This Notice
We review this notice at least annually and whenever there is a material change to our processing activities. The current version and its publication date are shown at the top of this document. Where changes are significant, we will take reasonable steps to draw them to your attention.
12. Legal Framework
This notice is drafted in accordance with the following legislation.
- UK General Data Protection Regulation (UK GDPR), as retained in UK law by the European Union (Withdrawal) Act 2018
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR), as amended Data (Use and Access) Act 2025