Legal

Privacy Policy

Last updated: 6 May 2026 · Version 1.1

Plain-English summary.We're a UK managed security partner. We collect the minimum personal data we need to deliver our services, run our business, and keep our clients safe. We never sell your data. You have rights over how we handle your information, and we explain them below.

1. Who we are

QMC4 Cyber (“QMC4 Cyber”, “we”, “us”, “our”) is a trading division of QMC4 Group Limited, a company registered in Guernsey under company number 77766, with its registered office at Ohana, Hougues Magues Lane, St Sampson, Guernsey GY2 4WA. QMC4 Group Limited is the legal entity behind the QMC4 Cyber service.

For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), we act as a data controller for personal data we collect about prospects, clients, contacts and website visitors. When we deliver managed security or IT services on behalf of a client, we act as a data processor on their behalf, governed by the Data Processing Addendum that forms part of our services agreement.

2. The personal data we collect

Depending on how you interact with us, we may collect:

  • Identity & contact data— name, job title, business email address, business phone number, employer.
  • Engagement data— meeting notes, scoping questionnaires, statements of work, security assessment outputs, and correspondence between us.
  • Website and marketing data— IP address, device and browser type, pages viewed, referring URL, and any information you submit through contact or booking forms.
  • Service operations data— when we deliver Sentinel, Identity, Counsel or Foundation services, we process telemetry from your environment (logs, identity events, endpoint signals, alerts). This is governed by the contract with the client whose environment it relates to.
  • Supplier & recruitment data— information you provide if you apply to work with us or supply services to us.

We do not knowingly collect special category data (such as health or biometric information) unless it is strictly necessary for an engagement and we have a lawful basis to do so.

3. How we use your data and our lawful bases

We rely on the following lawful bases under UK GDPR:

  • Performance of a contract— to deliver services to you or your employer, manage the engagement, invoice and provide support.
  • Legitimate interests— to run and grow our business responsibly: responding to enquiries, delivering measured B2B marketing to business contacts, securing our own systems, preventing fraud, and improving our services. We balance these interests against your rights and freedoms.
  • Consent— where required, for example for non-essential cookies and certain marketing communications. You can withdraw consent at any time.
  • Legal obligation— to meet our regulatory, tax, accounting, employment and security obligations.

4. How we share your data

We don't sell personal data, and we don't share it for third-party advertising. We share personal data only with:

  • Trusted sub-processorswho help us deliver our services — for example, our hosting and infrastructure providers, our managed SOC partners, our identity-protection vendors, our productivity and helpdesk tooling, and our accounting providers. Each sub-processor is bound by written terms that meet UK GDPR requirements. A current list is available on request.
  • Professional advisers such as our lawyers, auditors and insurers, where we have a legal or legitimate need to do so.
  • Authorities and regulatorswhere we are legally required to disclose information, or where disclosure is necessary to protect a person's vital interests.
  • A successor entityin the event of a corporate restructure, sale, or merger — subject to equivalent data protection commitments.

5. International transfers

We try to keep personal data within the United Kingdom and the European Economic Area wherever possible. Where a sub-processor processes personal data outside the UK or EEA, we put appropriate safeguards in place — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or processing under an adequacy decision recognised by the UK Government.

6. How long we keep your data

We keep personal data only for as long as we need it for the purpose we collected it — or for as long as we're legally required to. In practice:

  • Prospect and enquiry data— up to 24 months from your last meaningful interaction with us, unless you ask us to delete it sooner.
  • Client engagement records— for the duration of the contract and for up to 7 years afterwards, to meet our accounting, regulatory and contractual obligations.
  • Service operations data— in line with the retention terms set out in the relevant client contract.
  • Website analytics— up to 26 months in aggregated form.

7. How we keep data secure

Security is what we do, and we hold ourselves to the standard we hold our clients to. We operate aligned to the NCSC Cyber Assessment Framework and NIST CSF, are Cyber Essentials and Cyber Essentials Plus certified, and apply layered controls including least-privilege identity, encryption in transit and at rest, monitored endpoints, and 24/7 detection on our own estate. Access to personal data is restricted to employees and sub-processors who need it for a defined purpose.

No system is perfect. If we ever discover a personal data breach that is likely to affect your rights and freedoms, we'll notify you and the ICO in line with our legal obligations.

8. Your rights

Under UK GDPR you have the right to:

  • be informed about how we use your personal data (this notice);
  • request access to a copy of the personal data we hold about you;
  • ask us to correct inaccurate or incomplete data;
  • ask us to delete your data, where there is no good reason for us to keep it;
  • ask us to restrict or object to certain processing;
  • ask us to transfer your data to another provider in a structured, commonly used format (data portability);
  • withdraw consent at any time, where we rely on consent;
  • object to direct marketing at any time.

To exercise any of these rights, email privacy@qmc4.com. We'll respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office (ico.org.uk), though we'd appreciate the chance to put things right first.

9. Cookies and analytics

Our website uses a small number of cookies. Strictly necessary cookies are required for the site to function. Analytics cookies are only set with your consent and help us understand which content is useful. You can manage cookie preferences through your browser at any time.

10. Children

Our services are aimed at organisations, not individuals, and we do not knowingly collect personal data from children under 16.

11. Changes to this notice

We'll update this notice from time to time. The version number and date at the top tell you when. If we make a material change, we'll let affected clients know directly.

12. Contact us

For any privacy question, request, or concern, contact our privacy team: