Privacy Policy
1. Who we are
Pacific Technology Group Ltd ("PTG", "we", "us", "our") is a cybersecurity and operational resilience consultancy registered in England and Wales. We are the data controller for the personal data described in this policy.
Registered address: 167-169 Great Portland Street, 5th Floor, London W1W 5PF
Company number: 16541493
Email: hello@pacific.london
Phone: 0203 137 6707
We are registered with the Information Commissioner's Office (ICO) as a data controller. Registration reference: ZC014163.
2. What we collect and why
We collect personal data in three ways through this website. Each is described below with the specific data involved and the purpose of the processing.
2.1 Contact form
When you submit our contact form, we collect your name, email address, company name, phone number (optional), and your message. We use this information to respond to your enquiry and to create a contact record in our customer relationship management (CRM) system so we can manage the conversation.
2.2 Cybersecurity self-assessment tool
When you complete our cybersecurity self-assessment and request a report, we collect your name, email address, company name, your assessment answers, and the risk scores calculated from those answers. We use this information to generate and email you a personalised PDF report, create a CRM contact record, and (where you have given consent) send you a series of follow-up emails with guidance based on your assessment results.
Your assessment answers are processed in real time to calculate scores. We do not store your individual question-by-question responses beyond the period necessary to generate the report. Your overall scores and risk categories are retained in our CRM to inform any follow-up communications you have consented to.
2.3 Server logs
Our hosting provider, Vercel, automatically collects basic server logs when you visit any page on our website. This typically includes your IP address, browser type, the pages you visited, and the date and time of your visit. This data is collected for security monitoring, performance analysis, and to protect against unauthorised access. We do not use server logs for marketing or to build profiles about individual visitors.
2.4 What we do not collect
We do not use cookies, analytics tracking pixels, advertising pixels, or any other client-side tracking technologies. We do not require user accounts. We do not process any payment information through this website. We do not collect any special category data (such as health data, biometric data, or data about racial or ethnic origin).
3. Lawful basis for processing
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each processing activity. The table below sets out which basis applies to each type of data we process.
| Processing activity | Lawful basis | Detail |
|---|---|---|
| Responding to contact form enquiries | Legitimate interests (Article 6(1)(f)) | It is in our legitimate interest to respond to business enquiries, and in yours to receive a reply. We have conducted a Legitimate Interests Assessment confirming this processing is proportionate. |
| Creating CRM contact records | Legitimate interests (Article 6(1)(f)) | Maintaining organised records of business contacts is a standard and expected business practice in B2B consulting. |
| Generating and sending assessment reports | Performance of a contract (Article 6(1)(b)) | You request a report by submitting your details. Generating and delivering that report fulfils the agreement between us. |
| Sending follow-up nurture emails | Consent (Article 6(1)(a)) | You must actively opt in via a checkbox to receive our follow-up email series. You can withdraw consent at any time (see Section 5). |
| AI processing of assessment data to personalise emails | Consent (Article 6(1)(a)) | Same consent as above. Your risk scores are used to tailor the content of follow-up emails. See Section 4 for details. |
| Server log collection | Legitimate interests (Article 6(1)(f)) | Security monitoring and protection against unauthorised access to our website infrastructure. |
| Maintaining a suppression list | Legal obligation (Article 6(1)(c)) | We are required by the Privacy and Electronic Communications Regulations 2003 (PECR) to maintain a record of individuals who have opted out of marketing, to ensure we do not contact them again. |
4. Artificial intelligence and automated processing
4.1 How we use AI in our services
We use artificial intelligence in the following ways:
- Assessment follow-up emails: If you consent to receive our follow-up email series, we use your assessment risk scores and identified weak areas to generate personalised guidance emails. The email content is generated by an AI language model (provided by Anthropic) based on your scores. A human does not individually draft each email, but PTG has designed the methodology, prompts, and editorial framework that governs the AI output.
- Blog and Insights content: Our Insights articles are generated using AI from verified cybersecurity intelligence feeds. Each article undergoes an automated editorial quality review before publication. PTG assumes full editorial responsibility for all published content. See our Content Disclaimer for further detail.
- Article images: Illustrations accompanying our blog articles are AI-generated. They do not depict real people or real events.
4.2 What this means for your personal data
When you consent to receive follow-up emails, your assessment risk scores (not your individual answers) are transmitted via a secure API to Anthropic's AI model in the United States to generate the email content. No personal data beyond your first name, company name, and risk score summary is included in the AI prompt. The AI does not have access to your email address, phone number, or full assessment responses.
4.3 Automated decision-making
The personalisation of nurture emails based on your risk scores constitutes profiling under Article 4(4) of the UK GDPR. However, this processing does not produce decisions with legal or similarly significant effects on you. Receiving a personalised marketing email does not affect your legal rights, financial position, or access to services. You are not subject to solely automated decision-making of the kind restricted by Article 22 of the UK GDPR.
You have the right to object to profiling at any time by unsubscribing from the email series or contacting us directly.
5. Marketing emails and your choices
5.1 The follow-up email series
If you complete our cybersecurity assessment and opt in via the consent checkbox, we will send you a series of up to five emails over approximately 14 days. These emails contain AI-personalised guidance based on the risk areas identified in your assessment. Each email is sent from ali@pacific.london via our email provider, Resend.
5.2 Your assessment report is not marketing
The initial email delivering your assessment PDF report is a service communication, not a marketing email. You will receive this report regardless of whether you opt in to the follow-up series. The report email does not contain promotional content.
5.3 How to unsubscribe
Every follow-up email includes an unsubscribe link. When you click it, your preference is updated immediately and no further marketing emails will be sent. You can also unsubscribe at any time by emailing hello@pacific.london with the subject line "Unsubscribe".
When you unsubscribe, we move your contact record to a suppression list rather than deleting it entirely. This is required by PECR to ensure we do not inadvertently send you marketing emails in the future. If you wish to have your data fully erased instead, please see Section 9 (Your rights).
5.4 Email disclosure
Each follow-up email includes a footer note stating: "This email was personalised using AI based on your cybersecurity assessment results."
6. Who we share your data with
We share your personal data with the following third-party service providers, who process data on our behalf under Data Processing Agreements:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Vercel Inc. | Website hosting | Server logs (IP address, page requests) | United States |
| Sanity AS | Content management | Published article content only (no personal data) | United States |
| HubSpot Inc. | Customer relationship management | Name, email, company, phone, assessment scores | United States |
| Resend Inc. | Email delivery | Name, email address, email content | United States |
| Anthropic PBC | AI content generation | First name, company name, risk score summary (for nurture emails only) | United States |
| FAL AI Inc. | AI image generation | No personal data (text prompts only) | United States |
| Celonis SE (Make.com) | Workflow automation | Name, email, assessment scores, email scheduling data | United States / EU |
We do not sell, rent, or trade your personal data with any third party. We do not share your data with any organisation for their own marketing purposes.
7. International data transfers
All of our third-party processors are based in, or transfer data to, the United States. Transfers of personal data from the UK to the US require appropriate safeguards under Chapter V of the UK GDPR.
Where our processors are certified under the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"), we rely on this as an adequate transfer mechanism. The following processors hold active Data Privacy Framework certification: HubSpot, Vercel, Resend, and Celonis (Make.com).
For any processor not covered by the Data Privacy Framework, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment, to ensure your data receives an equivalent level of protection.
You can verify a processor's Data Privacy Framework certification at dataprivacyframework.gov.
8. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Contact form submissions | 24 months from last engagement | To manage the business relationship and follow up on enquiries |
| CRM contact records | 24 months from last engagement | Reviewed annually; deleted if no ongoing relationship |
| Assessment risk scores | 12 months from assessment date | To inform any consented follow-up communications |
| Assessment answers (detailed) | Deleted after report generation | Required only for the report; not retained |
| Server logs | 90 days | Security monitoring and incident investigation |
| Suppression list records | Indefinitely | Legal obligation under PECR to prevent re-contacting opted-out individuals |
| Nurture email queue records | 30 days after sequence completion | Operational; deleted once the sequence concludes |
We review all retained data at least annually. If we have no ongoing legitimate reason to keep your data, we will securely delete it.
9. Your rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Access: You can request a copy of the personal data we hold about you.
- Rectification: You can ask us to correct inaccurate or incomplete data.
- Erasure: You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Restriction: You can ask us to restrict the processing of your data in certain circumstances.
- Portability: You can request your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
- Object: You can object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.
- Withdraw consent: Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email hello@pacific.london with the subject line "Data Rights Request". We will acknowledge your request within 7 days and respond substantively within 30 days, as required by law. There is no fee for exercising your rights unless your request is manifestly unfounded or excessive.
10. How to complain
If you are unhappy with how we have handled your personal data, we encourage you to contact us first so we can try to resolve the issue. Email hello@pacific.london with the subject line "Data Protection Complaint". Under the Data (Use and Access) Act 2025, we are required to acknowledge your complaint within 30 days and provide a substantive response without undue delay.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
If you are based in the European Union, you may also have the right to complain to your local data protection supervisory authority.
11. Cookies and tracking
This website does not use cookies. We do not use analytics tracking, advertising pixels, session cookies, or any other client-side tracking technology. We do not track your activity across other websites. There is no cookie banner because there are no cookies to consent to.
This is a deliberate choice. As a cybersecurity consultancy, we believe in minimising data collection to what is strictly necessary.
12. Children
Our services are designed for business professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@pacific.london and we will delete it without delay.
13. Related entities
Pacific Technology Group Ltd operates independently from Pacific Infotech Ltd (pacificinfotech.co.uk). While both companies share common leadership, they are separate legal entities with independent data processing operations. We do not share your personal data with Pacific Infotech unless you specifically request a managed IT services referral, in which case we will inform you before any data is transferred.
14. Changes to this policy
We may update this policy from time to time to reflect changes in our processing activities, legal requirements, or best practice. The "Last updated" date at the top of this page indicates when the most recent revision took effect.
For material changes that affect how we use your data (such as new processing activities, new data sharing arrangements, or changes to your rights), we will notify you directly by email if we hold your contact details, or by a prominent notice on our website, before the changes take effect.
For non-material changes (such as clarifications or formatting improvements), updating the date on this page is sufficient notice.
15. Contact us
For any questions about this Privacy Policy or how we handle your personal data:
Pacific Technology Group Ltd
167-169 Great Portland Street, 5th Floor
London W1W 5PF
Email: hello@pacific.london
Phone: 0203 137 6707
Your use of this website is also subject to our Terms of Use and Content Disclaimer.