Privacy notice
This notice explains what personal data CipherCue collects, why we collect it, how long we keep it, and what rights you have over it. We have written it in the same posture as the rest of our published policies: precise, cited, and updated openly through a versioned changelog.
One-sentence summary. If you contact us, request a demo, or sign up for an account, we collect the data you provide and keep it as long as we are in contact with you. If you visit the public website, we run privacy-respecting analytics on your visit. We do not sell data, ever.
Data controller
CipherCue is a trading name of Justni Ltd, a private limited company registered in Northern Ireland. Justni Ltd is the data controller for the personal data described in this notice.
- Privacy & data protection contact: legal@ciphercue.com
- Postal contact available on request via the address above.
What we collect, why, and on what basis
Demo requests and inbound contact
When you fill in the demo form at /demo or email us directly, we collect:
- Your name and email address.
- Your organisation name and your role, where you provide them.
- Any free-text details you choose to include.
Why: to respond to your enquiry and, if a commercial conversation follows, to maintain that record.
Lawful basis: legitimate interest (Article 6(1)(f) UK GDPR) in responding to inbound business enquiries. You can object at any time by emailing legal@ciphercue.com.
Customer accounts
If your organisation becomes a CipherCue customer and you are issued account credentials, we collect:
- Your name, email address, and any role or workspace identifiers needed to operate the service.
- Authentication metadata: session timestamps, IP address at login, and similar audit information.
Why: to provide the contracted service and maintain its security.
Lawful basis: performance of a contract (Article 6(1)(b) UK GDPR) between Justni Ltd and the customer organisation.
Website analytics
The CipherCue public website uses Matomo, a self-hosted analytics platform we run on our own infrastructure. Analytics data is not shared with any third party.
We collect:
- Page views and referrers.
- A truncated IP address — the last two octets of the IPv4 address are masked before storage.
Our Matomo installation is configured for cookieless tracking: no analytics cookies are placed in your browser. We honour the browser Do Not Track signal — if your browser sends it, Matomo will not record your visit at all.
Lawful basis: legitimate interest (Article 6(1)(f) UK GDPR) in understanding how our public information is used. Our data minimisation (truncated IP, cookieless, no cross-site tracking, no third-party sharing, DNT respected) is intended to keep this interest balanced against your privacy.
Continuous external observation (subjects we observe)
CipherCue's core product is the continuous external observation of organisations — primarily public companies and other entities of commercial interest. This observation uses only publicly accessible information: certificate transparency logs, DNS records, regulator filings, and similar sources.
We do not target individual people. Where personal data of named individuals appears in our observations (for example, an officer named in a Companies House filing or a security contact named in a published security.txt), it is incidental to entity-level intelligence and was already public.
Subjects of observation can opt out at any time via the methods on our opt-out page. We honour opt-outs within seven days.
Who else handles your data (sub-processors)
We rely on a small number of trusted infrastructure providers to operate CipherCue. None of them have unrestricted access to your data; they process it solely on our instructions.
- Laravel Forge / DigitalOcean — application hosting and managed infrastructure for the CipherCue web platform and US scanner workers.
- Resend — transactional email delivery (demo response, account notifications).
- Matomo — self-hosted on our own infrastructure; not a third party in the conventional sense, but listed here for transparency.
We do not use third-party advertising trackers, marketing pixels, session-replay tools, or behavioural analytics. We do not sell, rent, or trade personal data, ever.
How long we keep your data
- Demo requests and inbound enquiries — retained for up to 24 months after the last contact, then deleted unless an active commercial relationship continues.
- Customer accounts — retained for the duration of the customer contract plus 12 months for audit and dispute resolution. Deleted on written request after that period.
- Analytics — Matomo raw visit data is retained for 14 months and then aggregated; aggregated metrics are retained indefinitely.
- Email correspondence — retained as long as the conversation is active and for a reasonable archival period afterwards.
Where your data is held
CipherCue's web application and database are hosted in the United Kingdom. Our US scanner infrastructure (which handles observational scanning, not personal data) is hosted in the United States. Transactional email may transit Resend's infrastructure, which operates in the US under a UK-adequate transfer mechanism.
Your rights
Under UK GDPR you have the right to:
- Request a copy of the personal data we hold about you (right of access).
- Ask us to correct inaccurate data (right to rectification).
- Ask us to delete data we no longer have a lawful basis to hold (right to erasure).
- Object to processing based on legitimate interest (right to object).
- Restrict processing in certain circumstances.
- Receive a portable copy of data you have provided to us.
Email legal@ciphercue.com to exercise any of these. We will respond within one calendar month.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
Children
CipherCue is a business-to-business product. We do not knowingly collect personal data from anyone under 18, and our service is not directed to children.
Changes to this notice
We revise this notice openly. Material changes are recorded in the changelog below. We do not retroactively reduce the protections that applied when you provided your data.
v1.0 — 2026-05-25 — Initial publication.