Data Privacy Policy
Table of Contents
- 1. Introduction and Our Commitment to Privacy
- 2. Data Controller Information
- 3. Legal Framework
- 4. Categories of Personal Data We Process
- 5. How We Process Personal Data
- 6. Legal Bases for Processing (GDPR)
- 7. Data Sharing and Third Parties
- 8. International Data Transfers
- 9. Data Security
- 10. Data Retention
- 11. Your Privacy Rights
- 12. Marketing and Communications
- 13. Children’s Privacy
- 14. Privacy Policy Updates
- 15. Contact Us
1. Introduction and Our Commitment to Privacy
FortifyOps (“FortifyOps,” “we,” “us,” or “our”) understands that privacy and data protection are critical concerns for our customers and website visitors. As a security governance platform that helps organizations detect and respond to compliance and security risks, we are deeply committed to protecting your personal data and being transparent about our data practices.
This Data Privacy Policy explains:
- What personal data we collect
- How and why we process it
- Who we share it with
- How we protect it
- Your rights regarding your personal data
- How to contact us about privacy concerns
This Policy applies to all personal data we process about:
- Visitors to our website (www.fortifyops.com)
- Prospective customers who inquire about our services
- Customers and their authorized users
- Expert marketplace participants
- Business partners and suppliers
- Job applicants
2. Data Controller Information
Data Controller:
FortifyOps Limited
London, United Kingdom
Data Protection Officer:
Email: dpo@fortifyops.com
3. Legal Framework
We process personal data in compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003
- EU General Data Protection Regulation (EU GDPR) where applicable
- California Consumer Privacy Act (CCPA) where applicable
- Other applicable data protection laws
4. Categories of Personal Data We Process
4.1 Website Visitors
Data Collected:
- IP address and approximate location
- Browser type and version
- Device information (type, operating system)
- Pages visited and interaction data
- Referral source
- Date and time of visits
- Cookie data (see Cookie Policy)
Purpose: Website optimization, analytics, security
Legal Basis: Legitimate interests (improving website experience)
4.2 Prospective Customers
Data Collected:
- Full name and job title
- Company name and size
- Business email address
- Business phone number
- Industry sector
- Security/compliance needs
- Marketing preferences
- Communication history
Purpose: Sales engagement, demo provision, marketing
Legal Basis: Consent or legitimate interests (direct marketing to businesses)
4.3 Customers and Platform Users
Account Data:
- Name, email, phone number
- Job title and department
- Company information
- Account credentials (encrypted)
- Billing information
- Subscription details
- Usage data and preferences
Platform Monitoring Data (when configured by customer):
- Internal communications metadata
- Support ticket data
- Project management tool data
- Email communications (as authorized)
- Meeting transcripts (if enabled)
- Security event logs
- Compliance status indicators
Purpose: Service delivery, account management, platform operations
Legal Basis: Contract performance
4.4 Expert Marketplace Participants
Professional Profile Data:
- Full name and contact details
- Professional qualifications and certifications
- Areas of expertise
- Work history and experience
- References and credentials
- Banking/payment information
- Tax identification numbers
- Performance ratings and reviews
- Communication history
Purpose: Expert vetting, matching, payment processing
Legal Basis: Contract performance, legal obligations (tax reporting)
4.5 Business Partners
Data Collected:
- Contact names and roles
- Business contact information
- Contract details
- Communication history
- Payment information
Purpose: Relationship management, contract fulfillment
Legal Basis: Contract performance, legitimate interests
5. How We Process Personal Data
5.1 Core Service Delivery
Platform Operations:
- Providing access to the FortifyOps platform
- Processing and analyzing operational data for governance signals
- Generating risk alerts and compliance insights
- Matching customers with appropriate experts
- Managing the expert marketplace
- Processing payments and billing
Customer Support:
- Responding to support tickets
- Providing technical assistance
- Managing account issues
- Sending service notifications
5.2 Privacy-Preserving Processing
We implement privacy-first architecture including:
Zero-Knowledge Processing:
- Analyzing patterns without storing full content where possible
- Temporary retention of flagged items only
- Automatic purging after resolution
- Metadata analysis preference over content analysis
Customer Controls:
- Granular permissions for data sources
- Explicit opt-in for each monitoring type
- Configurable retention periods
- On-demand data deletion
Technical Safeguards:
- End-to-end encryption for sensitive data
- Tokenization of personal identifiers
- Differential privacy techniques
- Minimal data collection principles
5.3 Business Operations
Communications:
- Sending service updates and notifications
- Marketing communications (with consent)
- Security alerts and compliance notices
- Newsletter and educational content
Analytics and Improvement:
- Analyzing platform usage patterns
- Improving features and user experience
- Conducting research and development
- Creating aggregated insights
Legal and Compliance:
- Meeting regulatory obligations
- Responding to legal requests
- Preventing fraud and abuse
- Enforcing terms of service
6. Legal Bases for Processing (GDPR)
We only process personal data when we have a valid legal basis:
6.1 Contract Performance
Processing necessary to fulfill our contract with you:
- Providing platform access and features
- Processing payments
- Customer support
- Expert marketplace operations
6.2 Legitimate Interests
Processing for legitimate business interests that are not overridden by your privacy rights:
- Improving our services
- Direct marketing to business contacts
- Ensuring platform security
- Preventing fraud
- Network and information security
We conduct legitimate interests assessments to ensure balance between our needs and your privacy rights.
6.3 Consent
We obtain explicit consent for:
- Marketing emails to individuals
- Non-essential cookies
- Processing special categories of data
- Testimonials and case studies
You can withdraw consent at any time without affecting the lawfulness of prior processing.
6.4 Legal Obligations
Processing required by law:
- Tax reporting
- Anti-money laundering checks
- Court orders and legal proceedings
- Regulatory compliance
6.5 Vital Interests
In rare circumstances, we may process data to protect someone’s life or physical safety.
7. Data Sharing and Third Parties
7.1 Service Providers (Data Processors)
We share data with carefully selected providers who process it on our behalf:
Infrastructure:
- Amazon Web Services (cloud hosting) – US/EU/UK
- Google Cloud Platform (backup systems) – US/EU
- Cloudflare (CDN and security) – Global
Business Operations:
- Stripe (payment processing) – US/EU
- HubSpot (CRM and marketing) – US
- Office 365 (internal operations) – US
Analytics:
- Google Analytics (website analytics) – US
- PostHog (product analytics) – US
- PostHog (user experience) – EU
All processors are bound by data processing agreements ensuring GDPR compliance.
7.2 Expert Marketplace Connections
When you engage with experts:
- Your requirements are shared with matched experts
- Expert profiles are shared with you
- Limited data is shared for engagement facilitation
- Payment information is processed through secure channels
7.3 Legal Disclosures
We may disclose data when legally required:
- Court orders and subpoenas
- Regulatory investigations
- Law enforcement requests (with valid legal basis)
- National security requirements
We assess each request and only disclose what’s legally required.
7.4 Business Transfers
In case of merger, acquisition, or asset sale:
- Your data may transfer to the new entity
- We’ll notify you before transfer
- The new entity must honor this privacy policy
- You’ll have the option to close your account
7.5 No Sale of Personal Data
We do not and will not sell your personal data to third parties.
8. International Data Transfers
Your data may be transferred outside your country of residence:
Primary Processing Locations:
- United Kingdom (main operations)
- South Africa (development center)
- United States (cloud infrastructure)
- European Union (backup systems)
Transfer Safeguards:
We ensure appropriate protection through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Enhanced contractual provisions
- Technical and organizational measures
For transfers to the US, we rely on SCCs and additional safeguards given the lack of an adequacy decision.
9. Data Security
9.1 Technical Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Multi-factor authentication
- Role-based access controls
- Regular security audits
- Penetration testing
- Vulnerability scanning
- Security incident monitoring
9.2 Organizational Measures
- Employee security training
- Confidentiality agreements
- Access on need-to-know basis
- Regular security reviews
- Incident response procedures
- Business continuity planning
- Vendor security assessments
- Data protection impact assessments
10. Data Retention
We retain personal data only as long as necessary:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Data | Active account + 6 years | Contract and tax obligations |
| Platform Monitoring Data | Customer-configured (default 90 days) | Service delivery |
| Website Analytics | 26 months | Analytics purposes |
| Marketing Data | Until consent withdrawn or 3 years inactive | Marketing efficiency |
| Expert Profiles | Active participation + 6 years | Legal and tax requirements |
| Support Tickets | Resolution + 2 years | Service improvement |
| Financial Records | 7 years | Legal requirements |
| Job Applications | 1 year (unsuccessful) | Future opportunities |
| Legal Documents | 7 years after expiry | Legal protection |
After retention periods, data is securely deleted or anonymized.
11. Your Privacy Rights
11.1 Rights Under GDPR
Right to Access (Subject Access Request):
- Request a copy of your personal data
- Understand how we process it
- Verify lawful processing
Right to Rectification:
- Correct inaccurate data
- Complete incomplete data
- Update outdated information
Right to Erasure (‘Right to be Forgotten’):
- Request deletion of your data
- Applies when no longer necessary
- Subject to legal obligations
Right to Restrict Processing:
- Limit how we use your data
- While disputes are resolved
- Alternative to erasure
Right to Data Portability:
- Receive your data in structured format
- Transfer to another controller
- Applies to automated processing
Right to Object:
- Object to processing based on legitimate interests
- Object to direct marketing
- Object to automated decision-making
Rights Regarding Automated Decisions:
- Not be subject to purely automated decisions
- Request human intervention
- Express your point of view
11.2 Exercising Your Rights
How to Submit Requests:
Email: privacy@fortifyops.com
Verification Process:
- We verify identity before processing requests
- May request additional information
- Respond within 30 days (GDPR) or 45 days (CCPA)
- Extensions notified with reasons
Usually No Fee:
- First request is free
- Reasonable fee for excessive requests
- May refuse unfounded or excessive requests
12. Marketing and Communications
12.1 Marketing Preferences
You can control marketing communications:
- Opt-out link in every marketing email
- Account settings preferences
- Contact privacy@fortifyops.com
- Update preferences at any time
12.2 Types of Communications
Service Communications (Cannot Opt-Out):
- Security alerts
- Service disruptions
- Account notifications
- Legal updates
Marketing Communications (Can Opt-Out):
- Product updates
- Newsletters
- Event invitations
- Educational content
13. Children’s Privacy
Our services are not directed to individuals under 16. We do not knowingly collect data from children. If we learn we have collected children’s data, we will promptly delete it.
Parents who believe we have collected their child’s data should contact privacy@fortifyops.com immediately.
14. Privacy Policy Updates
We may update this policy to reflect:
- Changes in our data practices
- New legal requirements
- Service enhancements
- Feedback from users
Notification of Changes:
- Email notification for material changes
- 30-day notice before changes take effect
- Website banner announcement
- Previous versions available upon request
15. Contact Us
Data Protection Officer
For privacy questions, concerns, or to exercise your rights:
Email: contact@fortifyops.ai
Address: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority:
UK: Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
EU: Your local data protection authority
List available at: edpb.europa.eu
Response Times
- Acknowledgment: Within 48 hours
- Initial response: Within 7 days
- Full resolution: Within 30 days (or 90 days for complex requests with notice)
Your Privacy Matters
At FortifyOps, we believe that strong data protection is fundamental to security governance. We’re committed to protecting your privacy while helping you protect your organization’s security and compliance posture.
Document Control:
Version: 1.0 | Last Review: 31 August 2025 | Next Review: 31 August 2026 | Owner: Data Protection Officer