We hold your data carefully — and only what we need.
Last updated: February 2026
1. Who we are (joint controllers)
This privacy notice is issued jointly by:
- Intellix IT Solutions Limited — UK parent, registered in England & Wales. Address: 82A James Carter Rd, Mildenhall, Bury Saint Edmunds, IP28 7DE, United Kingdom. Controller for personal data of UK residents.
- Cloudvoro Ltd — Irish subsidiary, registered in Ireland. Address: 1 Emmett St, Thurles Townparks, Thurles, Co. Tipperary, E41 YH05, Ireland. Controller for personal data of EU/EEA residents.
The two entities operate this website jointly. You can reach the Data Protection Officer at hello@cloudvoro.com.
2. What personal data we collect
We only collect what we need to deliver the service you asked for. Concretely:
2.1 Contact form & lead enquiries
- Your name, work email, company name, optional phone number.
- The free-text message you submit.
- The consent text shown to you at submission, with a server-side timestamp.
- The interest tag (e.g. cybersecurity-audit, scan-full-report) attached to the enquiry.
- The IP address and User-Agent string of the device that submitted the form — recorded once, only with the submitted lead, to evidence consent and to deter abuse.
2.2 Free Attack Surface Scan
- The domain you submit for scanning (this is not personal data in itself, but is logged).
- The IP address that initiated the scan, the country derived from that IP, the User-Agent string, and the timestamp.
- The computed grades (A–F per control family + overall) and the count of findings.
- The industry label you optionally select for benchmarking comparison.
Scan log entries are retained for 90 days. After 90 days, we keep only the aggregated, anonymised industry-benchmark statistics (the rolling average grade per industry) — never the domain, IP or user-agent. See Data Processing for the full pipeline.
2.3 Administrator authentication
- Staff email + bcrypt password hash.
- Optional WebAuthn passkey credentials (public key + sign counter — never the private key, which stays on the device).
- Optional TOTP (Authenticator app) secret, stored encrypted; single-use recovery codes stored as bcrypt hashes.
- HttpOnly authentication cookie (24h expiry), brute-force-attempt audit, immutable audit log of admin actions (12 months).
2.4 Visitor analytics (first-party only)
- We do not embed Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar or any third-party tracker.
- We record a privacy-preserving first-party visit row per page view: timestamp, country (derived from IP at request time, IP not stored long-term in the visit row), the page path and referrer.
- Visit rows are retained for 12 months on a TTL index and automatically deleted.
3. Why we collect it (legal basis under GDPR Art. 6)
- Consent — Art. 6(1)(a): for contact-form submissions and PDF report requests. The consent text shown is recorded with a server timestamp. You can withdraw consent at any time by emailing hello@cloudvoro.com.
- Legitimate interests — Art. 6(1)(f): to operate the CMS, to log scans for abuse-prevention and aggregate benchmarking, to record admin actions for audit, and to deter brute-force login attempts. We've balanced this against your reasonable expectations — see Data Processing.
- Contract — Art. 6(1)(b): once you become a paying client, processing necessary to deliver the engagement.
- Legal obligation — Art. 6(1)(c): where Irish or UK tax, anti-fraud or law-enforcement legislation requires us to retain or disclose information.
4. Retention periods
- Contact-form / lead enquiries: 24 months from last contact, then deleted.
- Free-scan raw log (domain, IP, UA, grades): 90 days, then deleted; anonymised aggregate persists.
- Visitor analytics rows: 12 months, auto-deleted by TTL index.
- Authentication cookies: 24 hours.
- Admin audit log: 12 months.
- Brute-force login attempts: 30 days, then auto-purged.
- Paying-client engagement records: 6 years per Irish & UK tax and statutory limitation requirements.
5. Your rights (GDPR Arts. 15–22)
- Access — request a copy of personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion. We will action this within 30 days unless we have an overriding legal obligation.
- Restriction — limit how we process your data.
- Data portability — receive your data in a structured, machine-readable format.
- Object — to processing based on legitimate interests, including profiling.
- Withdraw consent at any time, without prejudice to processing already carried out lawfully.
- Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email hello@cloudvoro.com. We respond within the 30-day window required by Art. 12(3) — usually within 5 working days. We do not charge for routine requests.
6. Cookies & similar technologies
This site uses a minimal set of strictly-necessary first-party cookies. We do not set advertising or analytics cookies without your explicit consent. See the dedicated Cookie Policy for the full inventory (name, purpose, expiry, controller).
7. Sub-processors & third-party services
We use a small, deliberately-scoped set of sub-processors for hosting, email delivery and edge protection. The full list — name, role, jurisdiction, transfer mechanism, contractual basis — is published on the Subprocessors page and updated whenever we change a vendor.
8. International transfers
Personal data is hosted in EU jurisdiction (Ireland or other EU member state) for Cloudvoro and in the UK for Intellix. Where a sub-processor or vendor sits outside the EU/UK (a small minority of our stack), transfers are protected by Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 and the UK International Data Transfer Addendum. The subprocessor page indicates this per vendor.
9. Security
Our security is designed against ISO/IEC 27001:2022. We do not currently hold a formal ISO 27001 certification. Specific controls in place:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256 at the storage layer).
- Passwords stored as bcrypt hashes with a current work factor; never reversible.
- Multi-factor authentication required for every staff account (WebAuthn passkeys or TOTP).
- Brute-force login attempts rate-limited and locked out; every admin action is logged immutably.
- Public OpenAPI schema is suppressed in production to reduce information disclosure.
- Edge protection via Cloudflare; security headers (CSP, HSTS, frame-ancestors, Referrer-Policy) enforced site-wide.
- Quarterly access review of every staff credential.
- Vulnerability disclosure policy at /.well-known/security.txt — researchers can report safely without legal risk.
10. Children's data
This site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted information through this site, email hello@cloudvoro.com and we will delete it.
11. Automated decision-making
The free attack-surface scan produces an automated A–F grade. The grade is informational, does not produce a legal or similarly-significant effect on you, and is not used to make decisions about access to services. You are not subject to Art. 22 automated decision-making.
12. Changes to this notice
We will update this notice when our practices change. Material changes are dated at the top. If you have an active engagement with us, we will email you when a material change affects you.
13. How to contact us
Postal address (EU controller): Cloudvoro Ltd, 1 Emmett St, Thurles, Co. Tipperary, E41 YH05, Ireland.
Postal address (UK controller): Intellix IT Solutions Limited, 82A James Carter Rd, Mildenhall, Bury Saint Edmunds, IP28 7DE, United Kingdom.
