Privacy Policy

Your privacy and data protection are our highest priorities

ICO Registered (ZC031428) | GDPR Compliant | SOC 2 Type II In Progress | End-to-End Encryption

Last Updated: November 9, 2025 | Effective Date: November 9, 2025 | Version: 2.1

1. Introduction

IdentityFirst Ltd ("we", "our", or "us") is committed to protecting your privacy and ensuring compliance with all applicable data protection laws, including the UK GDPR and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our enterprise identity security platform and services.

We are registered with the Information Commissioner's Office (ICO) under registration number ZC031428 and are pursuing SOC 2 Type II certification, demonstrating our commitment to the highest standards of data protection.

2. Information We Collect

2.1 Information You Provide

  • Contact Information: Name, email address, phone number, company details
  • Account Information: Username, password (encrypted), role assignments
  • Professional Information: Job title, industry, company size
  • Communication Data: Messages, support tickets, feedback
  • Identity Assessment Data: Security configurations, user permissions, system data (anonymized)

2.2 Information Collected Automatically

  • Usage Data: Platform usage patterns, feature interactions, performance metrics
  • Technical Data: IP address, browser type, device information, session data
  • Security Logs: Authentication attempts, access patterns, security events
  • Cookies and Tracking: Essential cookies for platform functionality

2.3 Information from Third Parties

  • Identity Providers: Authentication data from integrated identity platforms
  • Business Partners: Company information for service delivery
  • Public Sources: Industry data for compliance and security intelligence

3. How We Use Your Information

3.1 Service Delivery

  • Provide and maintain our identity security platform
  • Process security assessments and compliance checks
  • Deliver AI-powered security insights and recommendations
  • Manage user accounts and access controls

3.2 Security and Compliance

  • Monitor for security threats and unauthorized access
  • Ensure compliance with regulatory requirements
  • Maintain audit trails and security logs
  • Conduct security assessments and penetration testing

3.3 Communication and Support

  • Respond to inquiries and provide technical support
  • Send service updates and security notifications
  • Provide training and educational content
  • Conduct customer satisfaction surveys

3.4 Legal Basis for Processing

Under UK GDPR, we process your data based on:

  • Contract: To provide our services and fulfill contractual obligations
  • Legitimate Interest: To improve our services and ensure security
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: Where you have explicitly agreed to specific processing

4. Data Sharing and Disclosure

4.1 When We Share Information

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:

Service Providers

  • Cloud infrastructure providers (encrypted data only)
  • Security monitoring and compliance tools
  • Customer support and communication platforms
  • Payment processors for billing (PCI DSS compliant)

Legal Requirements

  • To comply with legal obligations or court orders
  • To protect against fraud, security threats, or illegal activity
  • To enforce our terms of service or protect our rights
  • In connection with a business transfer or acquisition

With Your Consent

  • When you explicitly authorize data sharing
  • For specific business purposes you approve
  • To integrate with your chosen identity providers

5. Data Security

5.1 Security Measures

  • Encryption: AES-256 encryption for data at rest and in transit
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication
  • Network Security: Zero-trust architecture with micro-segmentation
  • Monitoring: 24/7 security monitoring and automated threat response
  • Backup: Encrypted backups with geo-redundancy and integrity verification
  • Incident Response: Comprehensive incident response plan and procedures

5.2 Data Retention

We retain your information only as long as necessary for the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 7 years after deactivation
  • Security Logs: Retained for 7 years for compliance and security purposes
  • Communication Data: Retained for 3 years for support and quality purposes
  • Assessment Data: Anonymized and retained indefinitely for AI model training

6. Your Rights Under GDPR

6.1 Data Subject Rights

You have the following rights regarding your personal data:

Right to Access

Request a copy of your personal data we hold

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data (subject to legal requirements)

Right to Restriction

Request limitation of how we process your data

Right to Portability

Request your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests

6.2 How to Exercise Your Rights

To exercise any of these rights, please contact us:

  • Email: privacy@identityfirst.net
  • Phone: +44 (0) 796 816 9571
  • Mail: Data Protection Officer, IdentityFirst Ltd, London, UK

We will respond to your request within 30 days as required by UK GDPR.

7. Cookies and Tracking

7.1 Essential Cookies

We use only essential cookies necessary for platform functionality:

  • Authentication: Session management and security
  • Security: CSRF protection and fraud prevention
  • Performance: Load balancing and error tracking

7.2 Cookie Preferences

You can control cookie settings through your browser. However, disabling essential cookies may affect platform functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. International Data Transfers

We are a UK-based company, and your data is primarily processed within the UK/European Economic Area (EEA). If data needs to be transferred outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Adequacy decisions by the UK government
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Certification schemes and codes of conduct

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection compliance. You can contact our DPO directly for privacy-related concerns:

Data Protection Officer

Email: dpo@identityfirst.net

Phone: +44 (0) 796 816 9571

Address: IdentityFirst Ltd, Data Protection Officer, London, UK

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website
  • Update to the "Last Updated" date above

Your continued use of our services after such changes constitutes acceptance of the updated policy.

11. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

IdentityFirst Ltd

Email: privacy@identityfirst.net

Phone: +44 (0) 796 816 9571

Website: https://identityfirst.net

ICO Registration: ZC031428

SOC 2 Certification: In Progress (Type II - Security, Availability, Confidentiality)