Privacy Policy

Privacy Policy

Last updated: June 2026

OR Security handles personal data with restraint. We collect what is needed to operate the website, respond to enquiries, deliver agreed services, and meet our legal obligations. This policy explains the main categories of data we process and the rights available under the General Data Protection Regulation (GDPR) and applicable European data protection law.

1. Controller and contact

OR Security acts as controller for the processing described in this policy, unless a client contract states otherwise.

Questions about privacy or data protection can be sent to [email protected].

2. Personal data we may process

The exact data depends on how you interact with us.

a) Enquiries and business communication

  • Name, role, organisation, and contact details
  • Message content and related correspondence
  • Information you choose to provide about your organisation, project, or request

b) Website operation and security

  • Basic technical request data, such as IP address, browser information, requested page, date, and time
  • Security and diagnostic logs needed to operate and protect the website

These records are used for security, troubleshooting, abuse prevention, and reliable operation of the site.

c) Client service delivery

During vCISO, vDPO, technical security, training, or advisory work, we may process information provided by clients or generated during the engagement. That data is handled according to the applicable contract, confidentiality obligations, and any data processing agreement in place.

3. Purposes and legal bases

  • Responding to enquiries and preparing work: contract preparation or legitimate interest.
  • Delivering agreed services: contract performance and, where applicable, client-specific data processing terms.
  • Website operation and security: legitimate interest in maintaining a secure and reliable website.
  • Billing, accounting, and legal obligations: compliance with applicable legal obligations.
  • Optional communication or consent-based activities: consent, where consent is explicitly requested.

We do not sell personal data.

4. Cookies and tracking

We do not use advertising cookies or tracking pixels. If this changes, we will update this notice and request consent where required.

This website is intended to operate without advertising cookies, behavioural profiling, or third-party tracking pixels. If non-essential cookies, analytics, or similar technologies are introduced later, we will update this policy and add an appropriate consent mechanism before enabling them.

Strictly necessary technical processing, such as security logging by hosting infrastructure, may still occur to keep the site available and secure.

5. Recipients and processors

Personal data may be processed by trusted service providers that help us operate our website, email, communication, hosting, administration, or service delivery. Where required, these providers act under appropriate contractual and confidentiality safeguards.

Client engagement data may also be shared with approved subcontractors or specialists only where this is necessary for the agreed work and permitted by the relevant contract.

6. International transfers

We prefer European processing locations where practical. If personal data is transferred outside the European Economic Area, we use appropriate safeguards where required, such as contractual protections or other GDPR-recognised transfer mechanisms.

7. Retention

We keep personal data only for as long as needed for the relevant purpose, including communication, service delivery, security, accounting, legal, or dispute-resolution requirements. Retention periods may differ depending on the type of data and the applicable obligation.

8. Security

We apply organisational and technical measures intended to protect personal data against unauthorised access, misuse, loss, or disclosure. The specific measures depend on the nature of the data and the service context.

9. Your rights

Subject to the conditions set out in GDPR, you may have the right to request access, rectification, erasure, restriction, portability, objection to processing, and withdrawal of consent where processing is based on consent.

To exercise these rights, contact [email protected]. You also have the right to lodge a complaint with a competent supervisory authority.

10. External links

Our website may link to external websites or social media pages. Those services are operated by third parties and are subject to their own privacy practices.

11. Updates

We may update this policy when our services, website operation, processors, or legal requirements change. The current version is published on this page.