Privacy Policy

  1. Introduction

This Privacy Policy explains how CyberFlow Cyprus (“we”, “us”, “our”, or “CyberFlow”) processes personal data of individuals who visit our website at https://cyberflowcy.com, use our services, or interact with us in any capacity. This policy informs you about your privacy rights and how data protection law protects you.

This Privacy Policy applies to natural persons who are current or potential customers of CyberFlow, website visitors, newsletter subscribers, or anyone who provides personal data to us through any means.

We comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and any applicable local data protection laws.

Effective Date: 16.09.2025
Last Updated: 16.09.2025

  2. Who We Are

CyberFlow Cyprus is a leading cybersecurity company specialising in comprehensive cybersecurity solutions for businesses. We provide cybersecurity consulting, threat detection and response, security assessments, penetration testing, security awareness training, and cyber risk management services to help organisations protect their digital assets and infrastructure.

Contact Information:

For all privacy-related inquiries, including requests to exercise your legal rights, please contact our Data Protection Officer at [email protected].

  3. The Types of Personal Data We Collect and Process

We may collect, use, store, and transfer the following categories of personal data:

3.1 Contact Information

  • First and last names
  • Business names and job titles
  • Email addresses
  • Phone numbers
  • Postal addresses
  • Company information

3.2 Technical and Usage Data

  • IP addresses
  • Browser type and version
  • Device information
  • Operating system
  • Pages visited on our website
  • Time and date of visits
  • Referring websites
  • Cookies and similar tracking technologies

3.3 Service-Related Information

  • Information provided during cybersecurity consultations
  • Security infrastructure specifications
  • Vulnerability assessment data
  • Incident response details
  • Security training records
  • Support ticket details
  • Service preferences
  • Communication history

3.4 Security Assessment Data

  • Network architecture information
  • System configurations
  • Security policies and procedures
  • Penetration testing results
  • Vulnerability scan reports
  • Security audit findings
  • Compliance assessment data

3.5 Financial Information

  • Payment details
  • Billing addresses
  • Transaction records
  • Invoice information

3.6 Marketing and Communication Data

  • Marketing preferences
  • Newsletter subscriptions
  • Communication preferences
  • Event attendance records
  • Webinar participation data

3.7 Special Categories of Data

In the course of providing cybersecurity services, we may process special categories of personal data, including:

  • Security incident logs containing personal identifiers
  • Employee security training records
  • Access control data, including biometric information
  • Security clearance information (where applicable)

Such processing occurs only with explicit consent, legal requirement, or substantial public interest in cybersecurity protection, and appropriate safeguards are implemented.

  4. How, Why, and on What Legal Basis We Collect and Process Personal Data

4.1 How We Collect Data

Direct Collection:

  • When you contact us through our website, email, or phone
  • When you request security assessments or consultations
  • When you subscribe to our newsletter
  • When you engage our cybersecurity services
  • When you attend our security training or events
  • During incident response activities

Automated Collection:

  • Through website analytics and cookies
  • During security monitoring sessions (with permission)
  • Through security assessment tools and platforms
  • Via threat intelligence gathering systems

Third-Party Sources:

  • Business partners and referrals
  • Public business directories
  • Professional security networks
  • Threat intelligence feeds
  • Industry security forums

4.2 Why We Process Your Data

We process personal data for the following legitimate business purposes:

Cybersecurity Services:

  • To provide cybersecurity consulting and support services
  • To conduct security assessments and penetration testing
  • To manage incident response and threat detection
  • To deliver security awareness training
  • To monitor and protect client systems (with permission)
  • To provide compliance and risk management services

Business Administration:

  • To respond to inquiries and communications
  • To manage contracts and agreements
  • To conduct business analysis and improvement
  • To maintain accurate business records
  • To process payments and billing

Marketing and Communication:

  • To send security updates and newsletters (with consent)
  • To inform you about relevant cybersecurity threats and services
  • To conduct market research and surveys
  • To provide security awareness communications

Legal and Security:

  • To comply with cybersecurity legal obligations
  • To protect our business interests and rights
  • To prevent fraud and ensure security
  • To resolve disputes and enforce agreements
  • To report security incidents as required by law

4.3 Legal Basis for Processing

We process your personal data under the following lawful bases:

Contract Performance: When processing is necessary for performing our contract with you or taking steps at your request before entering into a contract.

Legitimate Interests: For our legitimate business interests, including:

  • Providing and improving our cybersecurity services
  • Direct marketing to existing clients
  • Network and information security protection
  • Business development and administration
  • Threat intelligence and security research

Legal Obligation: When we must process data to comply with cybersecurity legal requirements, incident reporting obligations, and regulatory compliance.

Consent: For special categories of data, direct marketing to non-clients, and certain cookies (where required).

Vital Interests: For protecting against immediate cybersecurity threats that could harm individuals or organisations.

Public Interest: For cybersecurity activities that serve a substantial public interest in protecting digital infrastructure.

  5. Sharing and Disclosure of Personal Data

We may share your personal data with:

5.1 Service Providers

  • Cloud security providers
  • Payment processors
  • Cybersecurity tool vendors
  • Threat intelligence providers
  • Professional advisors (lawyers, accountants)
  • Security training platforms

5.2 Business Partners

  • Cybersecurity technology vendors
  • Partner security firms
  • Subcontractors providing services on our behalf
  • Industry security consortia

5.3 Security and Legal Requirements

  • Regulatory authorities and government bodies
  • Law enforcement agencies
  • Cybersecurity incident response teams
  • Courts and legal proceedings
  • National cybersecurity centres

5.4 Threat Intelligence Sharing

  • Industry security information sharing organisations
  • Cybersecurity research communities
  • Anonymous threat intelligence platforms (with anonymised data)

5.5 Business Transfers

In the event of a merger, acquisition, or sale of business assets, personal data may be transferred to the acquiring entity.

All third parties are contractually obligated to protect your data and use it only for specified purposes in accordance with our instructions and applicable data protection laws.

  6. International Transfers of Personal Data

Some of our cybersecurity service providers and threat intelligence sources are located outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate data protection as determined by the European Commission
  • Standard Contractual Clauses: Using EU-approved standard contractual clauses
  • Certification Schemes: Ensuring providers have appropriate cybersecurity certifications
  • Your Explicit Consent: When you have specifically agreed to the transfer

For more information about our international transfer safeguards, contact our Data Protection Officer.

  7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

Service Data: For the duration of our business relationship, plus 7 years for financial records

Security Assessment Data: Up to 5 years for security audit and compliance purposes

Incident Response Data: As required by cybersecurity incident reporting regulations (typically 5-7 years)

Website Data: Up to 2 years for analytics purposes

Marketing Data: Until you unsubscribe or withdraw consent

Threat Intelligence Data: Anonymised data may be retained indefinitely for security research

Legal Requirements: As required by applicable cybersecurity laws and regulations

We regularly review our data retention practices and securely delete or anonymise data when no longer needed.

  8. Data Security

As a cybersecurity company, we implement the highest standards of technical and organisational measures to protect your personal data, including:

  • Advanced encryption of data in transit and at rest
  • Multi-factor authentication and access controls
  • Regular security assessments and penetration testing
  • Employee cybersecurity training and clearance procedures
  • Secure data centres and infrastructure
  • Real-time threat monitoring and incident response
  • Regular security audits and compliance assessments

While we implement industry-leading security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. However, we will notify the Cyprus Commissioner for Personal Data Protection and affected individuals within the timelines required by GDPR.

Cyprus Commissioner for Personal Data Protection:
Website: https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument
Address: Kypranoros 15, Nicosia 1061, Cyprus

  9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access

Request a copy of the personal data we hold about you

9.2 Right to Rectification

Request correction of inaccurate or incomplete data

9.3 Right to Erasure (“Right to be Forgotten”)

Request deletion of your personal data in certain circumstances (subject to cybersecurity legal requirements)

9.4 Right to Restrict Processing

Request a limitation of processing in certain situations

9.5 Right to Data Portability

Request the transfer of your data to another organisation

9.6 Right to Object

Object to processing based on legitimate interests or for direct marketing

9.7 Rights Related to Automated Decision-Making

Rights regarding automated decision-making and profiling in security systems

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within one month of receiving your request.

Note: Some rights may be limited where processing is necessary for cybersecurity purposes or legal compliance requirements.

  10. Consent and Withdrawal

Where we rely on your consent for processing, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To withdraw consent for marketing communications, use the unsubscribe link in our emails or contact [email protected].

  11. Cookies and Website Technologies

We use cookies and similar technologies to:

  • Ensure website functionality and security
  • Analyse website usage and detect threats
  • Remember your preferences
  • Provide personalised security content
  • Monitor for security incidents
  • Enhance website security measures

You can control cookie settings through your browser preferences. For detailed information about our cookie usage, please see our Cookie Policy.

  12. Children’s Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it promptly.

  13. Marketing Communications

We may send you marketing communications if:

  • You have consented to receive them
  • You are an existing client, and the communications relate to similar services
  • We have a legitimate interest in marketing cybersecurity services to you
  • The communications contain important security threat information

You can opt out of marketing communications at any time by:

  • Using unsubscribe links in emails
  • Contacting [email protected]
  • Updating your preferences in your account

  14. Data Protection Officer

We have appointed a Data Protection Officer responsible for overseeing data protection compliance. Contact our DPO for:

  • Privacy-related questions
  • Exercising your rights
  • Data protection complaints
  • General data protection inquiries

DPO Contact: [email protected]

  15. Complaints and Supervisory Authority

If you believe we have not handled your personal data properly, you can:

  1. Contact our Data Protection Officer at [email protected]
  2. Lodge a complaint with the Cyprus Commissioner for Personal Data Protection
  3. Contact your local supervisory authority if you’re in another EU country

Cyprus Commissioner for Personal Data Protection:
Website: https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument
Address: Kypranoros 15, Nicosia 1061, Cyprus

  16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our business practices
  • Legal or regulatory requirements
  • Improvements in our data protection practices
  • Emerging cybersecurity threats and technologies

We will notify you of significant changes through:

  • Email notifications
  • Website announcements
  • Updated effective dates

  17. Contact Information

For any questions about this Privacy Policy or our data practices:

CyberFlow
Email: [email protected]
Website: https://cyberflowcy.com

Data Protection Officer
Email: [email protected]

This Privacy Policy was last updated on 16.09.2025 and is effective as of 16.09.2025.