Last updated: 1 June 2026 · Effective: 1 June 2026
1. Overview
HEXSTRIKE ("we", "us", or "our") is committed to protecting the personal information of our clients, prospective clients, and website visitors. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the General Data Protection Regulation (GDPR), applicable data protection legislation, and industry best practices.
By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Information you provide directly
- Contact information: name, work email address, phone number, job title, company name.
- Engagement information: scope descriptions, technical documentation, credentials, and system access provided during the course of a security assessment.
- Communications: email correspondence, meeting notes, and support requests.
2.2 Information collected automatically
- Usage data: IP address, browser type, pages visited, referral source, and time spent on our website (collected via server logs and analytics).
- Cookies: session and preference cookies as described in Section 8.
2.3 Engagement data
During security assessments, we may access, process, or temporarily store data relating to your systems, applications, and infrastructure. This data is processed exclusively for the purpose of delivering the agreed security assessment and is governed by the terms of your engagement agreement.
3. How We Use Your Data
We process personal data on the following legal bases:
- Contract performance: to deliver security assessment services you have engaged us to provide.
- Legitimate interests: to respond to enquiries, improve our services, and manage our business operations.
- Legal obligation: to comply with applicable laws and regulations, including financial and tax obligations.
- Consent: to send marketing communications where you have opted in.
We do not use personal data for automated decision-making or profiling.
4. Data Sharing & Third Parties
We do not sell, rent, or trade personal data. We may share data with:
- Service providers: cloud hosting, email delivery, and project management tools operating under data processing agreements.
- Legal authorities: when required by law, court order, or to protect our legal rights.
- Professional advisors: lawyers and accountants bound by confidentiality obligations.
All engagement-related data (client system data, vulnerability findings, credentials) is never shared with any third party, under any circumstances, without your explicit written consent.
5. Data Retention
We retain personal data only for as long as necessary:
- Engagement reports and findings: 12 months post-delivery, unless a longer retention period is agreed in writing.
- System access credentials and test data: securely deleted within 14 days of engagement closure.
- Contact and communication records: 3 years from last contact for business relationship management.
- Financial records: 7 years as required by applicable tax law.
6. Your Rights
Under GDPR and applicable data protection law, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your data where we have no legitimate reason to retain it.
- Restriction: request that we restrict processing of your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@hexstrike.io. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- End-to-end encryption for all sensitive communications (PGP / TLS 1.3)
- AES-256 encryption for data at rest
- Role-based access controls limiting data access to authorised personnel
- Secure deletion procedures for all engagement data
- Regular security reviews of our own infrastructure
- Staff training on data protection obligations
In the event of a personal data breach, we will notify affected individuals and relevant supervisory authorities as required by law within 72 hours.
8. Cookies
Our website uses the following cookies:
- Strictly necessary: session management cookies required for the website to function. These cannot be disabled.
- Analytics (optional): anonymised usage statistics to help us improve the website. Requires your consent.
You can manage cookie preferences via your browser settings. Disabling analytics cookies does not affect your ability to use our website.
For privacy-related enquiries, contact us at:
Email: privacy@hexstrike.io
Secure channel: PGP key available on request
If you are dissatisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority.
This policy was last reviewed on 1 June 2026. We may update this policy periodically. Material changes will be communicated via email to existing clients.