FOUNDED 2025 · INDEPENDENT UK PRACTICE
InfoSecAI

Privacy notice

This notice explains how InfoSecAI Limited ("InfoSecAI", "we", "us") collects, uses, stores and protects personal data. It applies to visitors to this website, subscribers to The Brief, and prospective and existing clients.

LAST UPDATED · 18 MAY 2026

1. Who we are

InfoSecAI Limited is a company registered in England and Wales, company number 16012345. Our registered office is in London, United Kingdom. We act as the data controller for the personal data described in this notice.

Contact: info@infosecai.net.

2. Scope

This notice covers personal data processed in connection with:

  • visits to infosecai.net and related subdomains;
  • subscriptions to The Brief, our email dispatches;
  • downloads of insights papers, briefings and field notes;
  • consultation requests made through our Microsoft Bookings link or by email;
  • client and prospective client engagements, including correspondence and contractual relationships.

3. The personal data we process

Category | Examples | Source
Identification data | Name, job title, employer, business email | You, when you contact us or subscribe
Engagement data | Topics of interest, meeting notes, scope documents | You, in correspondence and meetings
Technical data | IP address, browser type, pages visited, referrer | Automatically through Vercel hosting logs
Marketing data | Subscription status, email open and click events | BeeHiiv, our email service provider

4. Lawful bases for processing

We process personal data on the following lawful bases under Article 6 of the UK GDPR:

  • Consent (Article 6(1)(a)): when you subscribe to The Brief or download a gated paper.
  • Contract (Article 6(1)(b)): to deliver consultancy services and to take pre-contractual steps at your request.
  • Legitimate interests (Article 6(1)(f)): to operate our website, respond to enquiries, market business-to-business services to commercial contacts, and protect our information systems. Our legitimate interest is the responsible operation of an independent professional consultancy.
  • Legal obligation (Article 6(1)(c)): to comply with anti-money-laundering, tax and accounting obligations.

We do not process special category data through this website. We do not engage in automated decision-making producing legal or similarly significant effects on you.

5. How we use personal data

We use personal data only for the purposes for which it was collected, including:

  • responding to enquiries and consultation requests;
  • delivering The Brief to confirmed subscribers;
  • providing requested insights papers and field notes;
  • performing consultancy engagements under signed engagement letters;
  • operating our information systems securely;
  • complying with statutory and regulatory obligations.

6. Disclosures and sub-processors

We share personal data only with carefully selected sub-processors operating under written data processing agreements. Our current sub-processors are:

Provider | Purpose | Location
Vercel Inc. | Website hosting | United States (with appropriate safeguards)
BeeHiiv Inc. | Email delivery for The Brief | United States (with appropriate safeguards)
Microsoft Corporation | Outlook Bookings, Microsoft 365 | European Union and United States
Google LLC | Google Fonts (no personal data processed) | United States

We will provide additional disclosure if our sub-processor list changes materially.

7. International transfers

Where personal data is transferred outside the United Kingdom, we rely on one or more of the following safeguards: an adequacy decision (for example, the UK extension to the EU-US Data Privacy Framework), the UK International Data Transfer Agreement, or the UK Addendum to the European Commission Standard Contractual Clauses. Transfer impact assessments are completed where required.

8. Retention

  • Enquiry correspondence: retained for three years from the last meaningful contact, then deleted.
  • Subscriber data: retained while the subscription is active and for one year after unsubscribe, after which it is deleted.
  • Client engagement records: retained for six years from the end of the engagement, in line with UK statutory limitation periods and professional record-keeping expectations.
  • Technical logs: retained for thirty days unless required for security investigation.

9. Your rights

You have the following rights under the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025:

  • the right of access to your personal data;
  • the right to rectification of inaccurate personal data;
  • the right to erasure in defined circumstances;
  • the right to restrict processing in defined circumstances;
  • the right to data portability for data you provided to us under consent or contract;
  • the right to object to processing carried out under legitimate interests, including direct marketing;
  • the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects.

To exercise any right, email info@infosecai.net. We will respond within one calendar month.

You may also complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. We would prefer the opportunity to address any concern first.

10. Security

InfoSecAI applies appropriate technical and organisational measures to personal data, calibrated to the risk of processing. Measures include encryption in transit, encryption at rest where technically feasible, role-based access control, multi-factor authentication on administrative accounts, supplier due diligence, and incident response procedures aligned to UK GDPR Articles 33 and 34.

11. Changes to this notice

We will update this notice when our processing changes materially. The "Last updated" date at the top of the page reflects the most recent revision. Where the change is significant, we will notify affected individuals by email or prominent notice on this website.

12. Contact

Questions about this notice or our processing of your personal data should be sent to info@infosecai.net.