Legal

Privacy Policy

Last updated: 29 May 2026  ·  EPC Network

This Privacy Policy explains how EPC Network ("EPC Network", "we", "us", or "our") collects, uses, stores, and protects your personal data when you interact with our website, consultancy services, or engage with our team. We are committed to handling your data with the highest standards of care, in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

EPC Network is a cybersecurity and AI consultancy registered in England and Wales. We provide specialist services including cybersecurity assessments, AI strategy and implementation, AI/ML fine-tuning and research, and emerging threat advisory.

Given the sensitive nature of cybersecurity and AI consultancy, we take data protection exceptionally seriously. If you have any privacy-related queries, please contact us via our contact form.

2. Data We Collect

2.1 Website Enquiry Form

When you submit an enquiry through our website, we collect:

  • Full name
  • Organisation name
  • Email address
  • Service of interest
  • Message content

This information is used solely to respond to your enquiry and assess how we can best assist you. It is not used for marketing purposes without your explicit consent.

2.2 Consultancy Engagement Data

During a consultancy engagement, we may process data related to your organisation's systems, infrastructure, and personnel as part of delivering our services. This is governed by a separate Data Processing Agreement (DPA) and client service contract, which takes precedence for all engagement-specific data handling.

2.3 Usage and Technical Data

We may collect anonymised technical data such as browser type, referring pages, and visit timestamps for the purpose of website performance monitoring and security. This data does not identify individual users and is not shared with third-party analytics providers.

3. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Legitimate interests — responding to enquiries and delivering consultancy services to clients
  • Contract performance — processing data necessary to fulfil our consultancy agreements
  • Legal obligation — where required to comply with applicable laws and regulations
  • Consent — where you have explicitly agreed, for example to receive communications

4. How We Use Your Data

  • To respond to your enquiries and arrange initial consultations
  • To deliver contracted cybersecurity and AI consultancy services
  • To provide security assessment reports, findings, and recommendations
  • To maintain records of our professional obligations and engagements
  • To comply with legal, regulatory, and professional requirements
  • To protect the security of our own systems and communications

5. Data Sharing

EPC Network does not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

  • EmailJS — used to process website contact form submissions
  • Professional advisers — legal, accounting, or insurance professionals where required
  • Law enforcement or regulators — where required by law, court order, or regulatory obligation
  • Sub-contractors — where specialist third-party expertise is engaged as part of a client project, subject to appropriate confidentiality agreements

All third parties with whom we share data are subject to appropriate contractual obligations to protect your information.

6. Confidentiality & Security Engagements

EPC Network operates under strict professional confidentiality obligations. All information shared by clients in the context of a cybersecurity or AI engagement — including system architecture, vulnerability data, source code, and business information — is treated as strictly confidential. We maintain non-disclosure agreements (NDAs) as standard practice for all client engagements.

Penetration testing findings, security assessment reports, and AI audit outputs are handled with the highest levels of access control and are never shared beyond the contracted client team without explicit written consent.

7. Data Retention

  • Website enquiry data — retained for up to 12 months from the date of submission
  • Client engagement records — retained for 7 years from the end of the engagement, in line with professional and legal obligations
  • Security assessment reports — retained for the duration agreed in the client contract, then securely destroyed
  • Website technical logs — retained for up to 30 days

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data where there is no legal basis for retention
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us via our contact form. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

As a cybersecurity consultancy, we hold ourselves to the highest standards of information security. Our security measures include:

  • All communications transmitted over encrypted HTTPS/TLS connections
  • End-to-end encryption for sensitive client deliverables
  • Multi-factor authentication (MFA) on all internal systems
  • Role-based access controls with least-privilege principles
  • Regular internal security assessments and vulnerability reviews
  • Secure deletion of client data at end of retention period
  • Incident response procedures for any data breach events

10. Cookies

Our website does not use tracking or advertising cookies. The only third-party script loaded is EmailJS, used exclusively for processing contact form submissions. We do not use Google Analytics, Meta Pixel, or any other behavioural tracking tools.

11. International Data Transfers

We primarily process data within the United Kingdom and European Economic Area. Where any transfer outside these regions is necessary, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. The date at the top of this page indicates the most recent revision. We recommend reviewing this policy periodically.

13. Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact us via our contact form. EPC Network, registered in England and Wales.