Privacy Policy

Last updated: 8 October 2025

1. Who We Are

E3SS LIMITED (company number 06389933) is the data controller responsible for your personal information collected through e3ss.co.uk.

We provide expert legal and cybersecurity review for AI-generated SaaS platforms, helping startups protect against hidden vulnerabilities and legal risks before they become costly problems.

2. What We Collect and How

2.1 Information You Provide

When you contact us through forms on our website, we collect:

• Your name
• Email address
• Company name (if provided)
• Message content and any enquiry details

Forms are submitted via Netlify and delivered to our Outlook email system.

Sensitive Information: We do not ask you to provide sensitive or special-category personal data (such as health information, financial details, or details of security vulnerabilities) through our website forms. If your enquiry requires discussion of sensitive matters, we will arrange a secure communication channel after initial contact.

2.2 Technical Information

Our hosting provider and content delivery network automatically collect:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent
• Referring website

This information is collected in server logs for security, abuse prevention, and service operation purposes only.

3. Why We Use Your Information and Our Lawful Bases

We process your personal data for the following purposes and legal grounds under UK GDPR:

3.1 Responding to Enquiries

• Purpose: To respond to your questions, provide information about our services, and take steps at your request before entering into a contract.
• Lawful basis: Legitimate interests (responding to enquiries and developing client relationships) and performance of a contract.

3.2 Service Delivery

• Purpose: To deliver our legal and cybersecurity review services if you become a client.
• Lawful basis: Performance of a contract and legal obligation (where we have professional duties).

3.3 Security and Abuse Prevention

• Purpose: To protect our systems from abuse, prevent spam, detect security incidents, and maintain service integrity.
• Lawful basis: Legitimate interests (protecting our business and other users from harm).

3.4 Legal and Professional Obligations

• Purpose: To comply with legal obligations, respond to lawful requests from authorities, establish or defend legal claims, and meet professional regulatory requirements.
• Lawful basis: Legal obligation and legitimate interests (exercising or defending legal claims).

4. Who We Share Your Information With

We share your personal data only with the following categories of recipients, and only to the extent necessary:

4.1 Service Providers

• Hosting and CDN: Our website infrastructure providers host the site and deliver content securely.
• Form Processing: Netlify processes form submissions and delivers them to our email system.
• Email System: Microsoft Outlook receives and stores enquiry emails for us to respond to you.
• IT and Security Providers: Third parties who help us maintain, monitor, and secure our systems.

4.2 Professional Advisers

We may share information with lawyers, accountants, auditors, and insurers where necessary for professional advice or to meet regulatory obligations.

4.3 Legal and Regulatory Authorities

We may disclose your information where required by law, court order, or regulatory request, or to protect our legal rights.

4.4 No Sharing or Sale to Partners

We do not share, sell, or otherwise disclose your enquiry information to third-party partners, brokers, or introducers. Your information stays with us and our direct service providers only.

5. International Transfers

Some of our service providers may process data outside the United Kingdom. Where this occurs, we ensure adequate protection through:

• The UK adequacy regulations (for countries with an adequacy decision, such as EEA countries)
• Standard Contractual Clauses approved by the UK or EU authorities
• The UK International Data Transfer Agreement (IDTA) or Addendum to EU Standard Contractual Clauses

You may request copies of the safeguards we use by contacting info@e3ss.co.uk.

6. How Long We Keep Your Information

We retain personal data for the following periods:

• Enquiries and correspondence: 24 months from the date of your last contact, unless you become a client or we have a legal obligation to retain longer.
• Client records: 6 years from the end of our engagement, to meet professional and tax record-keeping obligations.
• Technical logs: 12 months from collection, for security and operational purposes.

After these periods, we securely delete or anonymise your information unless we are required by law to keep it longer.

7. Security

We take appropriate technical and organisational measures to protect your personal data, including:

• Transport Layer Security (TLS) encryption for data in transit
• Multi-factor authentication (MFA) for access to systems holding personal data
• Access controls and role-based permissions following the principle of least privilege
• Regular security patching and updates
• Logging and monitoring for security incidents
• Secure communication channels for sensitive matters

8. Your Rights

Under UK data protection law, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Ask us to correct inaccurate or incomplete information.
• Erasure: Request deletion of your personal data in certain circumstances.
• Restriction: Ask us to restrict processing of your data in certain situations.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Data portability: Receive your data in a structured, commonly used format where processing is based on consent or contract and carried out by automated means.
• Withdraw consent: Where we rely on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at info@e3ss.co.uk. We will respond within one month of receipt.

8.1 Right to Complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

9. Children

Our services are directed at businesses and professionals. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will update the "Last updated" date at the top of this document and may notify you by email or through a notice on our website.

We encourage you to review this policy periodically.

11. Contact Us