Privacy Policy
Last updated: 12 February 2026
1. Who We Are
Varangian Group Ltd ("Varangian", "we", "us", "our"), trading as varangian.ai, is a cybersecurity consultancy registered in England and Wales.
| Detail | Information |
|---|---|
| Company name | Varangian Group Ltd |
| Company number | 16957867 |
| Registered address | 71-75 Shelton Street, Covent Garden, London WC2H 9JQ |
| Data protection contact | privacy@varangian.ai |
| ICO registration | Registration number to be inserted |
| EU Representative | To be appointed — details will be inserted here per EU GDPR Article 27 |
We are the data controller for personal data processed through our websites (varangian.ai, varangian.co.uk) and our cybersecurity services.
2. What This Policy Covers
This policy explains how we collect, use, store, and share personal data when you:
- Visit our websites
- Enquire about or use our services
- Communicate with us
- Are identified in our cyber threat intelligence operations (see Section 8)
This policy applies to both our UK and EU website visitors and clients. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.
3. Personal Data We Collect
3.1 Data You Provide Directly
| Data Category | Examples | When Collected |
|---|---|---|
| Contact information | Name, email address, phone number, job title, company name | Contact forms, email enquiries, service agreements |
| Business information | Company details, technical infrastructure information, IP ranges, domain names | Service onboarding, scoping calls |
| Account credentials | Username, password (hashed) | If we provide portal access |
| Communication records | Emails, messages, call notes | Correspondence with us |
| Payment information | Bank details, billing address | Invoicing (processed via our accounting provider) |
3.2 Data We Collect Automatically
| Data Category | Examples | Mechanism |
|---|---|---|
| Technical data | IP address, browser type/version, operating system, device type | Web server logs |
| Usage data | Pages visited, time on site, referral source, click patterns | Analytics (with consent) |
| Cookie data | Session identifiers, preferences | Cookies (see our Cookie Policy) |
3.3 Data from Third-Party Sources
| Data Category | Source | Purpose |
|---|---|---|
| Professional profiles | LinkedIn, company websites | Business development, client research |
| Threat intelligence data | Dark web sources, OSINT feeds, community sharing platforms | Cyber threat intelligence services (see Section 8) |
4. How and Why We Use Your Data
4.1 Website Visitors
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Responding to enquiries | Legitimate interest (Article 6(1)(f)) — responding to business communications | Contact information, communication records |
| Website operation and security | Legitimate interest — ensuring website availability and security | Technical data, server logs |
| Analytics (with consent) | Consent (Article 6(1)(a)) | Usage data, cookie data |
| Marketing communications (with consent) | Consent (Article 6(1)(a)) | Contact information |
4.2 Clients and Prospective Clients
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing contracted services | Contract performance (Article 6(1)(b)) | Contact information, business information, communication records |
| Service scoping and proposals | Legitimate interest — pre-contractual business activity | Contact information, business information |
| Invoicing and payment | Contract performance; legal obligation (tax/accounting) | Payment information, contact information |
| Service improvement | Legitimate interest — improving our services | Anonymised service data |
4.3 Penetration Testing and Security Assessments
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Conducting authorised security testing | Contract performance (Article 6(1)(b)) — under signed engagement agreement | Technical data discovered during testing (IP addresses, system configurations, vulnerabilities) |
| Reporting findings | Contract performance | Assessment results, evidence of vulnerabilities |
| Retaining evidence | Legitimate interest — professional records, potential legal proceedings | Assessment reports, supporting evidence |
4.4 Cyber Threat Intelligence (see Section 8 for detail)
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Network and information security | Legitimate interest (Article 6(1)(f)) — Recital 49 | IOCs, threat actor identifiers, compromised credentials |
| Crime detection and prevention | Recognised legitimate interest (Article 6(1)(ea), inserted by the Data (Use and Access) Act 2025) | Criminal offence data |
| Client threat alerting | Legitimate interest (third-party interest) | Relevant threat indicators |
5. Who We Share Data With
We do not sell personal data. We share data only as follows:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Clients (under contract) | Threat intelligence reports, assessment findings | Data processing agreements; TLP markings; encrypted delivery |
| Professional advisers | Legal, accounting, insurance | Professional confidentiality obligations |
| IT service providers | Email hosting (Google Workspace), website hosting | Data processing agreements; processing in the UK/EEA where possible (see Section 6 for the Google Workspace transfer mechanism) |
| Law enforcement | When legally required or in response to lawful requests | Documented legal basis; minimum necessary disclosure |
| Threat intelligence community | Anonymised/pseudonymised IOCs via MISP sharing groups | TLP protocols; anonymisation; no raw personal data |
| Regulatory bodies | ICO, Companies House | Legal obligations |
6. International Data Transfers
All our core data processing occurs in the United Kingdom on self-hosted infrastructure. We do not routinely transfer personal data outside the UK.
Where transfers occur:
| Destination | Mechanism | Purpose |
|---|---|---|
| EEA/EU | UK adequacy regulations covering the EEA (for transfers from the UK). For data we receive from the EU, the European Commission's adequacy decision for the UK applies (renewed December 2025, valid until December 2031) | Client communications, service delivery |
| United States | UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) | Email hosting (Google Workspace) |
We do not transfer personal data to countries without adequate protection unless appropriate safeguards are in place (International Data Transfer Agreement or Standard Contractual Clauses with UK Addendum).
7. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Website analytics | 26 months from collection | Industry standard; anonymised or deleted at the end of the period |
| Contact form enquiries | 2 years from last contact | Legitimate interest; deleted if no ongoing relationship |
| Client records | Duration of contract + 6 years | Limitation period (Limitation Act 1980); legal obligation to keep tax and accounting records |
| Penetration test reports | Duration of contract + 6 years | Professional records; limitation period |
| Threat intelligence (processed IOCs) | 2 years | Operational relevance; reviewed annually |
| Threat intelligence (raw data) | 90 days maximum | Processing window; automatically deleted |
| Server logs | 90 days | Security monitoring |
| Cookie consent records | 2 years | Accountability (proof of consent) |
We review all retained data periodically and delete it when the retention period expires or when it is no longer necessary for the stated purpose.
8. Cyber Threat Intelligence Processing
8.1 What We Do
As part of our cybersecurity services, we operate a passive dark web and open-source intelligence (OSINT) collection capability. This involves monitoring publicly accessible dark web forums, paste sites, Telegram channels, ransomware leak sites, and other sources for indicators of cyber threats.
8.2 Personal Data We May Encounter
During this monitoring, we may encounter personal data that has been published by third parties on the dark web, including:
- Compromised credentials (email addresses, usernames, password hashes)
- Contact information appearing in data breaches
- Online identifiers (forum handles, IP addresses, cryptocurrency wallets)
- Information relating to criminal activity by threat actors
8.3 Why We Process This Data
We process this data to:
- Protect our clients from cyber threats by providing early warning of compromised credentials, planned attacks, and data breaches
- Detect and prevent crime — identifying cybercrime threats before they cause harm
- Contribute to public cybersecurity — sharing anonymised threat indicators with the cybersecurity community
8.4 Legal Basis
- UK GDPR Article 6(1)(f) — Legitimate interests (network and information security, as recognised by Recital 49 for "providers of security technologies and services")
- UK GDPR Article 6(1)(ea) — Recognised legitimate interests for crime detection and prevention (inserted by the Data (Use and Access) Act 2025)
- DPA 2018 Schedule 1, Paragraph 10 — For criminal offence data (preventing or detecting unlawful acts)
A full Legitimate Interest Assessment and Data Protection Impact Assessment have been completed and are available upon request.
8.5 Your Data in Our Threat Intelligence
If your personal data has been identified in our threat intelligence operations (for example, your credentials appeared in a dark web data breach), you have the right to:
- Request access to the data we hold about you
- Request erasure of your data (subject to limited exceptions where retention is necessary for crime prevention)
- Object to the processing of your data
To exercise these rights, contact us at privacy@varangian.ai (see Section 10).
8.6 How We Protect This Data
- All threat intelligence data is encrypted at rest and in transit
- Collection infrastructure is isolated on a dedicated network segment
- Access is restricted to authorised analysts on a need-to-know basis
- Raw data is deleted within 90 days; only processed intelligence is retained
- Personal data is pseudonymised where operationally feasible
9. Cookies
We use cookies on our websites. For full details of the cookies we use, why we use them, and how to manage your preferences, please see our Cookie Policy.
In brief:
- We use strictly necessary cookies (no consent required) for website functionality and security
- We use analytics cookies (consent required) to understand how visitors use our site
- We do not use advertising or tracking cookies
- You can manage your cookie preferences at any time via the cookie settings link in our website footer
10. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access (Article 15) | Request a copy of the personal data we hold about you |
| Rectification (Article 16) | Request correction of inaccurate data |
| Erasure (Article 17) | Request deletion of your data ("right to be forgotten") |
| Restriction (Article 18) | Request that we limit how we use your data |
| Data portability (Article 20) | Request your data in a structured, machine-readable format |
| Objection (Article 21) | Object to processing based on legitimate interests |
| Withdraw consent (Article 7) | Withdraw consent at any time (where consent is the legal basis) |
| Automated decisions (Article 22) | Not be subject to decisions based solely on automated processing |
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.
How to Exercise Your Rights
Contact us at: privacy@varangian.ai
Or write to: Data Protection, Varangian Group Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
We will respond within one month of receiving your request. If your request is complex, we may extend this by a further two months, and we will inform you of the reason for the extension.
There is no fee for exercising your rights. However, if your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request.
Right to Complain
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with:
UK: Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
EU: You may also complain to the supervisory authority in your EU Member State of residence or place of work.
11. Children's Data
Our services are directed at businesses, not children. We do not knowingly collect personal data from children under 18 through our websites.
If we encounter children's data during threat intelligence operations (for example, in breach datasets), we apply heightened protections including accelerated deletion and restricted access. These apply in addition to the general safeguards described in Section 8.6.
12. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. Material changes will be communicated via a notice on our website.
13. Contact Us
| Method | Detail |
|---|---|
| Email | privacy@varangian.ai |
| Post | Data Protection, Varangian Group Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ |
| EU Representative | To be appointed — details will be inserted here |