Privacy notice

Updated: 19/02/2024

1. Introduction

Pentest Limited is committed to safeguarding the privacy of personal and sensitive personal data and is bound to comply with the UK Data Protection Act 2018, the UK General Data Protection Regulation and the EU General Data Protection Regulation (collectively referred to henceforth as “the GDPR”), along with similar and applicable laws in other countries around the world. This Privacy Notice forms part of Pentest’s obligation to be open and fair with all individuals whose personal and sensitive personal data Pentest processes and to provide details around how it processes such personal data and what it does with it.

Pentest processes the personal data of its clients and partners such as names, contact details and email addresses, amongst other things. Processing of this data implies collecting, storing, using, disclosing or disposing of individuals’ personal data.

Individuals of existing or prospective clients and partners who leverage Pentest’s solutions and services, or use the Pentest website, may be provided with further privacy notices which may be contained in a separate supplemental notice. These additional privacy notices shall supplement this Privacy Notice.

This Privacy Notice relates to the processing of personal data by Pentest Limited. Unless otherwise stated, all references to “we” or “our” shall imply all Pentest lines of business that process personal or sensitive personal data.

None of the lists or examples provided in this Privacy Notice are intended to be exhaustive or fully representative of every individual.

2. Scope

The scope of this Privacy Notice covers clients’ (existing and prospective) and partners’ (existing and prospective) personal data in respect of the following: –

  • Collecting Personal Data
  • Using Personal Data
  • Disclosing Personal Data
  • Retaining Personal Data
  • Securing Personal Data
  • International Data Transfers
  • Your legal rights
  • Updates / Amendments
  • Third Party Websites
  • Pentest Website – Use of Cookies
  • Opt-in / Opt-out
  • Our Details
  • Complaints

3. Collecting personal data

We may collect and store the following kinds of personal data: –

a) Information about your computer and about your visits to the Pentest website, including your IP address, geographical location, browser type and version.
b) Information that you provide to us when you request content through our website.
c) Information that you provide to us for the purpose of subscribing to our marketing communications.
d) Information that you provide to us when using any of the solutions and services we provide, or that is generated during the course of using those solutions and services.
e) Information that you post on our social media platforms.
f) Information contained in, or relating to, any communication that you send to us through our website, email or in writing.
g) Information that you provide as part of performing money laundering, financial and credit checks as well as for fraud and crime prevention and detection purposes.
h) Information related to the security and access of our premises, systems and applications.
i) Information to help us comply with our legal and regulatory obligations, including reporting to and being audited by regulators and external auditors.
j) Information to help us comply with court orders and to exercise and defend our legal rights.
k) Health data such as information related to your medical history, allergies or occupational health (please note that this information will only be collected for employment law and health and safety purposes). Any other personal information that may be sent to us and which we use for legitimate business purposes.

Before you disclose to us the personal data of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal data in accordance with this Privacy Notice.

4. Using personal data

We may use your personal information to:

a) Administer, personalise and secure our website.
b) Enable your use of any solution or service that we may provide through our website.
c) Supply you with our solutions and services.
d) Send invoices and payment reminders to you or collect payments from you.
e) Send you marketing communications.
f) Deal with enquiries and complaints.
g) Perform money laundering, financial and credit checks.
h) Ensure appropriate access to premises, systems and applications.
i) Comply with our legal and regulatory obligations.

Lawful basis

Pentest operates under a number of lawful bases as required under the data protection laws. These include:

  • Consent
  • Legitimate interests
  • Performance of a contract
  • Compliance with a legal obligation

Below are examples of some data processing activities that we carry out, along with the respective lawful bases being relied upon.

| Purpose of processing | Types of personal data | Lawful basis relied upon |
| --- | --- | --- |
| Sending marketing emails (business to business) | Name, email address, marketing preferences | Legitimate interests |
| Sending marketing emails (business to customer) | Name, email address, marketing preferences | |
| Providing a service for a client | Name, email address and job role of contact | |
| Carrying out an audit for a client | Name, email address and job role of contact | |


5. Disclosing personal data

We only disclose your personal data in the ways set out in this Privacy Notice or subject to any agreements in place between us. The following circumstances may apply:

a) Across our different lines of business, as part of a need to know or as part of improving our existing solutions and services or as part of providing new solutions and services.
b) To third parties who process personal data on our behalf, such as systems providers.
c) To third parties who process personal data on their own behalf but provide us, or you, with a service on behalf of us.
d) To third parties with whom information is shared for money laundering checks, credit risk reduction and other fraud and crime prevention purposes.
e) To any prospective buyer in the event we sell any part of our business, or its assets, or if substantially all of our assets are acquired by a third party.
f) To any regulator, external auditor or applicable body or court where we are required to do so by law or regulation or as part of any investigation.
g) To any central or local government department and other statutory or public bodies, such as HMRC.

We do not sell, rent or trade any of your personal data. We will not, without your consent, disclose or supply your personal data to any third party for the purpose of their or any other third party’s direct marketing.

6. Retaining personal data

Personal data that we process, for any purpose or purposes, shall not be kept for longer than is necessary. Pentest bases its record retention on any legal, regulatory or contractual obligations.

Below are examples of the record retention periods applied for different types of personal data.

| Type of personal data | Retention period | |
| --- | --- | --- |
| Invoices from suppliers | 7 years from invoice date | Limitation Act 1980 |
| Employee personnel files | 7 years after employee leaves the company | Limitation Act 1980 |
| Payroll/salary records | 7 years after employee leaves the company | Limitation Act 1980 |
| Applications relating to unsuccessful job applicants | 6 months from date of application | Business need/best practice |

You have the right to request we erase your data, where we do not have any overriding legal, regulatory or contractual obligations.

7. Securing personal data

Where Pentest acts as the controller of personal data, it will ensure that necessary and adequate safeguards are in place to prevent unauthorised access, loss, misuse or alteration of your personal data.

We store all personal information on secure servers with relevant access and firewall controls.

Any personal data sent to us, either in writing or email, may be insecure in transit and we cannot guarantee its delivery.

Passwords must be kept confidential and not disclosed to a third party. Pentest does not ask you for your password.

8. International data transfers

Personal data that we collect is only stored in the UK, the EU and the USA. Where data is stored outside the UK or the EU, we ensure that there are adequate security controls in place, such as contractual arrangements, to ensure it is processed appropriately.

9. Your legal rights

Pentest tries to be as open as it can be in terms of giving people access to their personal information and we have outlined your rights below.

You have the right to ask us:

  • whether we are processing your personal information and the purposes it is processed for (the right to be informed) – this is delivered through ‘fair processing information’ such as this Privacy Notice;
  • for a copy of the personal information that we hold about you (the right of access); we will need appropriate evidence of your identity.
  • to update or correct your personal information (the right to rectification);
  • to delete your information (the right to erasure); and
  • to restrict processing of your personal information where appropriate (the right to restrict processing).

In certain circumstances you also have the right to:

  • object to the processing of your personal information (the right to object);
  • object to automated decision making and profiling (the right not to be subject to automated decision-making including profiling); and
  • request that information about you is provided to a third party in a commonly used, machine readable form (the right to data portability).

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable admin fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex. In such instances, we will notify you and keep you updated.

How to manage your marketing consents

You may give and withdraw consent to the receipt of marketing information and tell us your communication preferences at any time. If you wish to change your preferences regarding the receipt of marketing or other communications from us please contact, You may also use the ‘unsubscribe’ link at the bottom of any marketing communication.

10. Updates / Amendments

In order to remain compliant with any legal and regulatory obligations, or as part of our evolving business practices, we may update this Privacy Notice from time to time by publishing a new version. In certain instances, we may notify you.

11. Third party websites

We are not responsible for the practices employed by Third Party Websites linked to or from our Website nor the information or content contained therein. Often links to other websites are provided solely as reference points to information on topics that may be useful to the users of our Website. Please remember that when you use a link to go from our Website to a Third-Party Website, our Privacy Notice will no longer apply. Your browsing and interaction on any other Website, including Third Party Websites, which have a link on our Website, are subject to that Website’s own Privacy Notice.

12. Pentest website – use of cookies

Pentest records the number of visitors to the relevant sections of our Website and tracks movement between the sections by means of ‘cookies’. Cookies are small data files containing anonymous information placed on your computer and are automatically downloaded to a user’s hard drive in order to recognise a user that has visited our Website previously. Pentest reserves the right to use cookies in order to analyse trends and to improve the design and layout of its Website. You cannot be identified as an individual from this type of information.

For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy.

13. Opt-in / opt-out

You have the right, at any time, to ask us not to process your personal data for marketing purposes.

You can opt-out of receiving marketing communications simply by clicking the unsubscribe link, which is contained within marketing emails or by emailing us via

Please note it can take up to 30 days for a request to be fulfilled because of pre-planned or ongoing marketing activity.

14. Our details

Pentest Limited is registered in England and Wales under company number 11925182.

Its registered address is at 22 Great James Street, London, WC1N 3ES.

15. Data Protection Registrations

Pentest is registered as a data controller with the UK Information Commissioner’s Office and our data protection registration number is ZA550826.

You can contact us as follows: –

Telephone: +44 (0)161 233 0100
In Writing:

Data Protection Officer
Pentest Limited
26a The Downs,
WA14 2PU

16. Complaints

If you feel your rights have not been respected, or do not feel a situation was resolved satisfactorily, you have the right to raise a complaint with the UK Information Commissioner.

You can contact them as follows: –

Information Commissioner’s Office
Wycliffe House, Water Lane

+44 (0)303 123 1113

Live Chat: