Privacy Policy

Pyramid Ledger Ltd is the "controller" of the personal data described in this policy. This means we are responsible for deciding how and why your personal data is processed. We are a company registered in England & Wales.

You can reach us using the details below, and we encourage you to use them for any question about this policy or about how we handle your personal data:

• Company: Pyramid Ledger Ltd, registered in England & Wales
• Address: EC1V 2NX, London, United Kingdom
• Email (general and privacy enquiries): info@pyramidledger.com
• Email (security incidents): ir@pyramidledger.com
• Telephone: +44 (0) 20 4584 2944
• Website: pyramidledger.com

We are not required to appoint a statutory Data Protection Officer and have not done so. Day-to-day responsibility for data protection rests with our management team, who can be contacted at info@pyramidledger.com.

Our website is a marketing site. We do not operate user accounts, take payments, or run a newsletter. The only personal data you provide to us directly is submitted through our "Contact" form and our "Get a Quote" form.

Information you give us through our forms

When you complete the Contact form or the Get a Quote form, we collect the information you choose to enter, which may include:

• Your full name
• Your email address
• Your telephone number (optional)
• Your company name (optional)
• The service you are interested in (optional)
• Your project timeline (optional)
• The criticality or urgency of your enquiry (optional)
• The free-text message or enquiry you type into the form

Please include in the free-text message only the information that is necessary for your enquiry. We ask that you do not send us special category data (such as information about health, race or ethnicity, political opinions, or religious beliefs) through the website forms.

Technical and usage data

Our website is hosted and protected by Cloudflare. As part of delivering and securing the site, Cloudflare automatically processes limited technical data on our behalf, which may include:

• Your IP address
• Browser type and device or operating-system information
• Request logs, including the pages requested, dates, and times
• Security signals used to detect and block malicious or automated traffic

We also use Cloudflare Turnstile, a privacy-friendly CAPTCHA, to protect our forms from spam and bots. Turnstile assesses the technical characteristics of a request to confirm it is likely to come from a genuine person, without the cross-site tracking associated with conventional advertising tools. We do not use Google Analytics, advertising cookies, marketing pixels, or any other cross-site or third-party tracking.

We use the personal data described above only for clearly defined purposes, and we always rely on a lawful basis under Article 6 of the UK GDPR. The headings below set out what we do and why.

Responding to and managing your enquiry

We use the information you submit through our forms, including any optional fields and free-text details you choose to provide, to read, respond to, and manage your enquiry or quote request, to assess whether and how we can help, and to maintain a record of our communications with you. Where you are enquiring as a prospective client, this also helps us take steps to provide our services to you.

• Lawful basis - taking steps at your request prior to entering into a contract, where your enquiry is a step towards engaging our services (Article 6(1)(b)).
• Lawful basis - our legitimate interests in responding to, managing, and following up on business enquiries and in operating and growing our consultancy (Article 6(1)(f)). We have considered your interests, rights, and reasonable expectations and do not believe this processing is unduly intrusive, particularly as the information is provided to us voluntarily for the purpose of contacting us.

Securing our website and preventing abuse

We use technical data and Cloudflare Turnstile to keep our website available, to protect our forms from spam and automated abuse, and to safeguard our systems and other users.

• Lawful basis - our legitimate interests in maintaining the security, integrity, and availability of our website (Article 6(1)(f)).

Complying with our legal and regulatory obligations

We may use personal data to comply with legal, regulatory, accounting, or reporting obligations, and to establish, exercise, or defend legal claims.

• Lawful basis - compliance with a legal obligation to which we are subject (Article 6(1)(c)), and our legitimate interests in protecting our legal position (Article 6(1)(f)).

Our website uses only strictly necessary cookies and similar technologies. We do not use Google Analytics, advertising cookies, marketing pixels, or any cross-site or third-party tracking.

The only cookies we set are those used by Cloudflare for security and by Cloudflare Turnstile to protect our forms. We also use a small amount of browser sessionStorage to remember user-interface state (for example, that a blog pop-up has been dismissed). sessionStorage is not a cookie; it stays in your browser, is not transmitted to us as a cookie, and is automatically cleared when you close the browser tab.

Cookies and similar technologies are governed in the UK by the Privacy and Electronic Communications Regulations 2003 (PECR), alongside the UK GDPR. Because we use only strictly necessary technologies, which are exempt from the PECR consent requirement, we do not display a consent banner for non-essential cookies. For full details, please see our Cookie Policy.

We do not sell your personal data, and we do not share it for advertising purposes. We share personal data only with the limited categories of recipient described below, and only as necessary for the purposes set out in this policy.

Our service providers (processors)

• Cloudflare, Inc. - provides our website hosting, content delivery network (CDN), security services, and the Turnstile anti-bot tool. Cloudflare processes technical data such as IP addresses and request logs on our behalf.
• Brevo (formerly Sendinblue) - our transactional-email processor, which delivers your form submissions to us by email so that we can read and respond to your enquiry.

These providers act as our processors and are permitted to use your personal data only in accordance with our instructions and under a written contract that requires them to keep it secure and confidential.

Professional advisers and legal disclosures

• Professional advisers - such as our lawyers, accountants, insurers, and IT or security consultants, where reasonably necessary and subject to appropriate confidentiality obligations.
• Legal and regulatory disclosures - where we are required to disclose personal data to comply with a legal obligation, a court order, or a request from a competent authority, or to establish, exercise, or defend legal claims.
• Business transfers - if we reorganise our business or transfer assets, personal data may be disclosed to a prospective buyer or successor, subject to appropriate confidentiality protections.

Some of our service providers, including Cloudflare and Brevo, may process personal data outside the United Kingdom, including in the United States. Whenever we transfer personal data outside the UK, we take steps to ensure it receives an essentially equivalent level of protection to that guaranteed under UK data protection law.

We rely on one or more of the following safeguards recognised under the UK GDPR:

• UK adequacy regulations, where the destination country (or a relevant framework) has been recognised by the UK Government as providing an adequate level of protection;
• the UK International Data Transfer Agreement (IDTA); or
• the UK Addendum to the EU Standard Contractual Clauses, together with any additional measures required to protect the data.

If you would like more information about the safeguards we use for international transfers, please contact us at info@pyramidledger.com.

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. When personal data is no longer needed, we securely delete or anonymise it.

• Enquiries that do not lead to an engagement - where an enquiry does not result in a business relationship, we generally retain the enquiry and related correspondence for up to 24 months from our last meaningful contact, so that we can deal with follow-up questions and maintain a record of communications, after which it is deleted.
• Enquiries that lead to an engagement - where your enquiry leads to a contract or ongoing relationship, we retain the relevant records for the duration of that relationship and for a further period afterwards (typically up to 6 years from the end of the relationship) to comply with legal, tax, and accounting obligations and to manage potential claims.
• Technical and security logs - Cloudflare's technical and security logs are retained for the limited periods determined by Cloudflare's standard service configuration, after which they are deleted or aggregated.

These periods are guidelines; in specific cases we may retain data for longer where required to establish, exercise, or defend legal claims, or where the law otherwise requires.

Under the UK GDPR, you have a number of rights in relation to your personal data. Depending on the circumstances and the lawful basis on which we rely, these are:

• The right to be informed - to be told how we use your personal data, as set out in this policy.
• The right of access - to request a copy of the personal data we hold about you.
• The right to rectification - to have inaccurate personal data corrected or incomplete data completed.
• The right to erasure - to ask us to delete your personal data in certain circumstances (also known as the "right to be forgotten").
• The right to restrict processing - to ask us to limit how we use your personal data in certain circumstances.
• The right to data portability - to receive certain personal data in a structured, commonly used, machine-readable format, or to have it transferred to another controller, where this right applies.
• The right to object - to object to our processing of your personal data where we rely on legitimate interests, taking into account your particular situation.

We do not currently rely on your consent as a lawful basis for processing, and we do not carry out direct marketing through this website. Where in future we were to rely on your consent for any processing, you would be able to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.

How to exercise your rights

To exercise any of these rights, please contact us at info@pyramidledger.com. We may need to verify your identity before responding. We will respond within one month of receiving your request, although we may extend this by up to two further months for complex or numerous requests, in which case we will let you know within the first month. Exercising your rights is normally free of charge.

Your right to complain

If you are unhappy with how we have handled your personal data, we would welcome the chance to put things right, so please contact us first. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk.

As a cybersecurity consultancy, we take the protection of personal data seriously. We have implemented appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

• Encryption of data in transit using HTTPS/TLS across our website.
• Use of Cloudflare for network security, traffic filtering, and protection against common web threats, together with Turnstile to limit automated abuse of our forms.
• Restricting access to personal data to those who need it to carry out their role, on a need-to-know basis.
• Use of reputable processors that are contractually required to maintain appropriate security measures.

No method of transmission over the internet or method of storage is completely secure, so while we strive to protect your personal data, we cannot guarantee absolute security. If you become aware of a security concern relating to our website, please contact our incident team at ir@pyramidledger.com.

Our website and services are intended for businesses and the professionals who work for them. They are not directed at children, and we do not knowingly collect personal data from anyone under the age of 18.

If you believe that a child has provided us with personal data through our website, please contact us at info@pyramidledger.com and we will take appropriate steps to delete it.

Our website may contain links to third-party websites, services, or resources that are not operated by us. This Privacy Policy applies only to our website and services.

We are not responsible for the privacy practices or content of third-party websites. If you follow a link to a third-party site, we encourage you to read the privacy policy of every site you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will revise the review date shown in this policy and publish the updated version on this page. Where the changes are significant, we will take reasonable steps to bring them to your attention.

We encourage you to review this policy periodically so that you are aware of how we are protecting your personal data.

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or would like more information about how we handle your personal data, please contact us using the details below:

• Email (general and privacy enquiries): info@pyramidledger.com
• Email (security incidents): ir@pyramidledger.com
• Telephone: +44 (0) 20 4584 2944
• Post: Pyramid Ledger Ltd, EC1V 2NX, London, United Kingdom

We will do our best to resolve any concern you may have. You also have the right to complain to the Information Commissioner's Office at ico.org.uk at any time.