
LEGAL

PRIVACY POLICY

HADES SECURITY CONSULTANCY LTD

 

Effective Date: 28 June 2026

 

Document Version: 1.0

 

ICO Registration Number: [Your ICO Registration Number]


1. Introduction & Who We Are

Hades Security Consultancy Ltd ("we", "us", "our") is committed to protecting and respecting the privacy of our clients, their employees, website visitors, and any third parties. We operate as a specialist physical risk advisory and security testing consultancy in the United Kingdom.

For the purposes of the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR), the data controller is:


  • Company Name: Hades Security Consultancy Ltd

  • Registered Office Address: [Your Registered UK Address]

  • Contact Email: [operations@hades-security.com]

2. Scope of This Policy

Unlike standard corporate privacy policies, this document is split into two distinct operational frameworks to address the highly specialized nature of our business:

• Corporate & Marketing Data: Personal data collected via our website, emails, phone calls, and standard business-to-business (B2B) communications.
• Operational Testing Data: Personal and sensitive data captured, processed, or incidentally encountered during physical security penetration tests, red-teaming exercises, and site audits.

3. Section I: Corporate & Marketing Data

This section details how we collect and process information from prospective clients, website visitors, and industry contacts.

3.1 What Information We Collect

• Contact Information: Name, corporate email address, job title, company name, telephone number, and physical office address.
• Technical Data: IP address, browser type, operating system, and browsing activity collected via cookies on our website to optimize site performance.

3.2 How We Use Your B2B Data

• To fulfill contract negotiations, draft Statements of Work (SoW), and deliver security reports.
• To manage billing, invoicing, and standard business accounting.
• With your explicit consent, to send occasional security briefings, industry news, or updates on our service offerings.

3.3 Legal Basis for Processing

Under the UK GDPR, we process B2B data under the following legal bases:

• Performance of a Contract: To carry out services agreed upon in a Master Services Agreement (MSA) or Statement of Work.
• Consent: When you explicitly fill out an inquiry form or sign up for communications.
• Legitimate Interests: To protect our business infrastructure, manage our client pipeline, and promote our specialized services to corporate security professionals.

4. Section II: Operational Testing Data

During the performance of physical security penetration testing, our operators will inevitably capture, process, or incidentally interact with personal data belonging to our client's employees, contractors, and visitors.

4.1 What Information May Be Captured

During authorized testing, our team may capture:

• Visual Media: Covert video footage, photographs of security perimeters, and images of unattended workstations or unsecured physical assets.
• Access Control Data: Incidentally captured RFID/proximity credential payloads harvested during authorized credential-cloning assessments.
• Sensitive Information: Printed documents containing proprietary corporate data, client personal data, or employee logs left exposed in common physical zones.

4.2 Legal Basis for Processing Operational Data

• Legitimate Interests: We process this data under the joint Legitimate Interest of the Provider and the Client. The processing is strictly necessary to evaluate the physical vulnerabilities, security perimeters, and asset protection mechanisms of the Client's facilities, enabling the Client to harden their security posture and protect human and intellectual assets.
• Written Contractual Consent: All operational data captured is governed by an executed Master Services Agreement, Scope of Work, and signed Rules of Engagement (RoE).

4.3 Data Minimisation & Blur-by-Default Policy

To protect third-party privacy, Hades Security Consultancy operates under a strict "Blur-by-Default" protocol:

• Any visual media containing faces of employees, security guards, or members of the public will be digitally blurred or redacted before being compiled into final deliverables, unless specifically requested otherwise by the Client for internal disciplinary investigations.
• Harvested RFID badge payloads are kept strictly hashed and are permanently deleted immediately upon verification of successful access control replication.

5. Data Storage, Security, and Encryption

We implement military-grade physical and electronic security controls to safeguard all data from unauthorized access, loss, or theft:

• Local Offline Storage: All operational video, images, and logs gathered during physical breaches are transferred directly to offline, local hardware encrypted using AES-256 standards.
• No Public Cloud Transfers: Deliverables and raw operational data are never uploaded to unencrypted or public cloud storage platforms.
• Strict Access Controls: Access to testing evidence is restricted exclusively to the lead operators assigned to that specific Statement of Work.

6. Meticulous Data Retention Policy

Due to the sensitivity of physical security findings, our retention periods are strictly minimized:
• Raw Operational Media: All unedited raw covert video files, audio recordings, and photos captured during an operation are permanently wiped and securely shredded within 30 days of the final report being delivered to the Client.
• Final Reports & Deliverables: The final technical report is kept securely archived for a maximum of 12 months to assist the Client with multi-phase remediation audits, after which it is permanently purged.
• Corporate B2B Data: Standard contact, billing, and accounting data is held for up to 6 years to satisfy UK corporate tax and auditing requirements.

7. Sharing of Information

• No Third-Party Sharing: We do not sell, rent, or lease any client data or operational evidence to third parties.
• Client Exclusivity: Deliverables, reports, and videos are securely shared exclusively with the designated Corporate Sponsors named on the active Statement of Work.
• Law Enforcement: We will only share operational information with UK law enforcement if legally compelled to do so by a valid warrant, court order, or statutory authority.

8. Your Legal Rights (UK GDPR)

As a data subject, you have the following rights under UK law:
• The Right to Access: You can request a copy of the personal data we hold about you.
• The Right to Erasure: You can request that we delete your personal data.
• The Right to Rectification: You can request that we correct any inaccurate information.
• The Right to Object/Restrict: You can object to our processing of your data under Legitimate Interests.

9. Changes to This Privacy Policy

We keep this Privacy Policy under regular review to align with evolving UK legislative updates and operational frameworks. Any changes will be posted on this page and, where appropriate, notified directly to active clients.
