Privacy Policy

Vexelon is a Managed Security Service Provider (MSSP) offering cybersecurity advisory, monitoring, testing, and managed defence services to organisations worldwide. References to "Vexelon," "we," "us," or "our" in this Policy refer to Vexelon and its operating entities.

Our registered contact for privacy matters: [email protected]

We collect information in two ways:

Information you provide directly
- Contact and enquiry data: name, job title, company name, work email address, phone number, and the content of messages you send us via forms, email, or live chat.
- Account and engagement data: login credentials, communication preferences, and feedback you submit.
- Client operational data: technical artefacts, log samples, network diagrams, and other security-relevant information you share with us during service delivery. This data is processed under the terms of your service agreement and a separate Data Processing Agreement (DPA) where required by law.

Information collected automatically
- Usage data: pages visited, time on site, referral URL, and browser/device type, collected via cookies and similar technologies.
- Communication metadata: email open and click events, where you have consented to receive marketing communications from us.

We process your personal data only where we have a lawful basis to do so:

We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects.

Our website uses cookies and similar technologies. We group these into:

- Strictly necessary cookies: essential for the site to function (e.g. session management, security tokens). These cannot be disabled.
- Analytics cookies: help us understand aggregate traffic patterns (e.g. page views, bounce rate). We use anonymised data only.
- Preference cookies: remember your choices (e.g. cookie consent status).
- Marketing cookies: used only where you have given explicit consent.

You can manage your preferences at any time via our Cookie Preferences panel. Withdrawing consent does not affect the lawfulness of prior processing.

We share personal data only where necessary:

- Service providers acting as data processors on our behalf (e.g. cloud hosting, CRM, email delivery). All processors are bound by data processing agreements and may not use your data for their own purposes.
- Professional advisors (legal, accounting, audit) under strict confidentiality obligations.
- Law enforcement or regulators where disclosure is required by applicable law, court order, or to protect the rights and safety of our clients or the public.
- Business transfers: in the event of a merger, acquisition, or asset sale, personal data may be transferred to a successor entity, subject to equivalent privacy protections.

We do not transfer your personal data outside the European Economic Area (EEA) or United Kingdom without applying appropriate safeguards (e.g. Standard Contractual Clauses or adequacy decisions).

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

- Prospect and contact data: 3 years from last meaningful interaction, unless you request earlier deletion.
- Client service data: Duration of the contract plus 7 years (to meet statutory accounting and audit obligations).
- Marketing preferences: Until you withdraw consent or unsubscribe.
- Website analytics: Up to 26 months in aggregate, anonymised form.

When data is no longer required, it is securely deleted or anonymised.

Depending on your jurisdiction, you may have the right to:

- Access: obtain a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: ask us to delete your personal data ("right to be forgotten"), subject to our legal retention obligations.
- Restriction: request that we limit how we process your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or a relevant EU data protection authority).

Security is our core business. We apply it to our own operations with the same rigour we apply for our clients. Measures include:

- Encryption in transit (TLS 1.2+) and at rest for sensitive data stores.
- Role-based access controls and least-privilege principles.
- Regular internal security assessments and penetration testing.
- Incident response procedures with defined notification timelines.

No transmission over the internet is 100% secure. We cannot guarantee absolute security, but we commit to acting promptly and transparently in the event of a breach that affects your personal data.

Our services are directed at business professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will delete it promptly.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Your continued use of our services after the effective date constitutes acceptance of the updated Policy.

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, contact our privacy team:

Email: [email protected]
Subject line: Privacy Enquiry: [Your Name]

We aim to respond to all privacy-related enquiries within 5 business days.