Privacy Policy

Last updated: 20 June 2026

This Privacy Policy explains how SubZeroSec (Pvt) Ltd. ("SubZeroSec", "we", "us" or "our") collects, uses, discloses and safeguards personal data when you visit our website, engage our services, or otherwise interact with us. We are committed to protecting your privacy and handling your data in an open, lawful and proportionate manner.

If you have any questions about this policy or how we handle your personal data, contact our Data Protection Officer at [DPO email].

1. Who we are

SubZeroSec (Pvt) Ltd. is the data controller responsible for your personal data, registered in Pakistan at [registered office address]. Where we process personal data on behalf of clients during a security engagement, we act as a data processor under the terms of the relevant engagement agreement.

2. Data we collect

We collect only the data we need to operate our business and deliver our services. Depending on how you interact with us, this may include:

• Identity and contact data — name, job title, employer, email address, telephone number and postal address.
• Engagement data — information you provide when scoping, contracting or receiving a security assessment, including authorized testing scope, points of contact and technical details necessary to perform the work.
• Recruitment data — where you apply for a role, your CV, work history, qualifications and any information you choose to share.
• Technical and usage data — IP address, browser type, device information, referring pages, and interactions with our site, collected through cookies and similar technologies (see our Cookie Policy).
• Communications — the content of enquiries, support requests and correspondence you send to us.

We do not intentionally collect special category personal data through our website. Please do not submit sensitive personal data unless we have specifically requested it for a defined purpose.

3. How and why we use your data

We use personal data for the following purposes:

• To respond to enquiries and provide information you request.
• To scope, deliver, manage and invoice for our security services.
• To manage our relationship with clients, prospects and suppliers.
• To assess and process job applications.
• To operate, secure, maintain and improve our website and services.
• To send service updates and, where permitted, relevant marketing communications.
• To comply with legal, regulatory and contractual obligations.

4. Lawful basis for processing

We rely on one or more of the following lawful bases under applicable data protection law (including the UK GDPR / EU GDPR where relevant):

• Contract — where processing is necessary to enter into or perform a contract with you or your organization.
• Legitimate interests — to run, promote and secure our business, provided your interests and rights do not override those interests.
• Consent — for certain marketing and non-essential cookies, which you may withdraw at any time.
• Legal obligation — where we must process data to comply with the law.

5. Cookies and tracking

Our website uses cookies and similar technologies. You can control non-essential cookies through your browser settings and our consent tools. Full details are set out in our Cookie Policy.

6. Sharing and disclosure

We do not sell your personal data. We may share it with:

• Service providers and sub-processors who support our operations (e.g. hosting, infrastructure, email and analytics), bound by appropriate contractual safeguards.
• Professional advisers such as auditors, lawyers and accountants.
• Authorities and regulators where required by law or to protect our rights.
• A successor entity in connection with a merger, acquisition or reorganization.

Where data is transferred outside your jurisdiction, we put appropriate safeguards in place, such as standard contractual clauses or an equivalent recognized mechanism.

7. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, contractual or reporting requirements. Engagement deliverables and associated records are retained in accordance with the relevant engagement agreement and our internal retention schedule, after which they are securely deleted or anonymized.

8. How we protect your data

As an offensive security firm, data protection is core to our practice. We apply technical and organizational measures appropriate to the risk, including encryption in transit and at rest, strict access controls, network segmentation, logging and monitoring, and regular security testing of our own systems.

9. Your rights

Subject to applicable law, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request erasure of your data in certain circumstances.
• Restrict or object to certain processing.
• Request portability of data you provided to us.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ICO).

To exercise any of these rights, contact us at [DPO email]. We will respond within the timeframe required by applicable law.

10. Third-party links

Our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites and encourage you to review their policies.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the most recent revision. Material changes will be communicated through our website or directly where appropriate.

12. Contact us

If you have questions, concerns or requests regarding this policy or your personal data, please contact:

SubZeroSec (Pvt) Ltd. Data Protection Officer — [DPO email] [registered office address], Pakistan