Privacy Policy
Last updated: 1 July 2026
CyberSprouts takes privacy, confidentiality and data protection seriously. This Privacy Policy explains how we collect, use, store and share personal information when people use our website, subscribe to our content, contact us, complete surveys, request cyber-safety support, or use our services.
CyberSprouts provides cyber-safety, digital resilience and privacy support for individuals, families, households, older adults, vulnerable individuals, and private clients. Because our work may involve information about household technology, online accounts, children’s device use, security concerns and exposure checks, we aim to collect only the information we need and to handle it carefully.
1. Who we are
CyberSprouts is operated by CyberSprouts Limited, a company registered in England and Wales.
- Company number: 13031873
- Registered office: 61 Bridge Street, Kington, United Kingdom, HR5 3DJ
- Privacy contact: hello@cybersprouts.com
- ICO registration number: To be added once available
For the purposes of UK data protection law, CyberSprouts Limited is the controller of the personal information described in this Privacy Policy, except where another organisation acts as its own controller for its own services.
We have not appointed a formal Data Protection Officer. Data protection enquiries should be sent to our Privacy Contact using the email address above.
2. What this policy covers
This Privacy Policy applies to personal information we collect and use in connection with:
- our website;
- newsletter and content subscriptions;
- contact forms and enquiries;
- cyber-safety surveys;
- digital safety assessments and reports;
- exposure checks and public-source checks requested by clients;
- consultancy and advisory services;
- incident, crisis response and recovery support;
- customer relationship management and business administration;
- communications with prospective clients, clients, suppliers and business contacts.
3. The people whose information we may process
Depending on the service, we may process information about:
- clients and prospective clients;
- parents, guardians and carers;
- children and young people in a household;
- older relatives or vulnerable individuals;
- other household members;
- emergency contacts, where relevant;
- newsletter subscribers;
- website visitors;
- suppliers, partners and business contacts.
Where our work relates to children, we normally collect information from a parent, guardian or responsible adult. We do not usually collect information directly from children.
4. Information we collect
The information we collect depends on the service requested. It may include:
- name and contact details, such as email address;
- household composition, such as number of adults, children or supported relatives;
- children’s age bands, rather than exact dates of birth where possible;
- devices used in the household, such as phones, tablets, laptops, games consoles, smart speakers and connected devices;
- online services, platforms and account types used by the household;
- information about cyber-safety priorities, concerns and risks;
- information about security controls, such as use of password managers, multi-factor authentication, parental controls, backups and device protections;
- usernames, email addresses, phone numbers or online handles provided for exposure checks;
- public exposure findings, such as breach appearances or publicly visible account/profile information;
- notes from consultations, support requests or incident-response activity;
- recommendations, reports and action plans;
- newsletter subscription and engagement information;
- business records, invoices and payment-related information;
- website, technical and security information, such as device/browser data, IP address, logs and cookie data.
We do not ask clients to provide passwords, recovery codes, full payment card details, unnecessary identity documents, or unnecessary sensitive personal information.
5. Children’s information
Some of our services are designed to help parents, guardians and carers improve children’s online safety. In that context, we may process limited information about children, such as:
- age band;
- types of devices used;
- platforms, games or services used;
- household rules and parental controls;
- cyber-safety risks or concerns raised by a parent or guardian.
We aim to minimise children’s information wherever possible. We do not need children’s passwords, private messages, exact dates of birth, school details or identity documents unless there is a clear and exceptional reason, and we will explain that reason if it arises.
We do not use children’s information for marketing.
6. Sensitive information and practical needs
We do not normally ask for medical, disability or other special-category information.
However, clients may choose to tell us about practical needs, limitations or family circumstances where this helps us provide suitable cyber-safety advice. For example, a client may explain that a family member needs simpler authentication options, help managing accounts, or support from a trusted person.
We ask clients not to provide unnecessary medical, disability, safeguarding, financial hardship, criminal offence or other sensitive information. If such information is provided and is not needed, we may delete it, minimise it or avoid recording it in detail.
7. Where we get information from
We may collect information from:
- you directly;
- parents, guardians, carers or other authorised household members;
- enquiry forms, surveys and questionnaires;
- email correspondence;
- consultation notes;
- public websites, public profiles and other publicly available sources;
- breach-checking, exposure-checking and public-source research tools;
- newsletter and content platforms;
- website, hosting and security logs;
- payment, accounting or business administration systems.
We only carry out exposure checks or public-source checks where they are relevant to the service being provided or where we have been asked to do so.
8. How we use personal information
We use personal information to:
- respond to enquiries;
- provide cyber-safety assessments, consultancy and recommendations;
- prepare digital safety reports and action plans;
- carry out requested exposure checks;
- understand household technology use and cyber-safety risks;
- support clients during cyber incidents or digital-safety concerns;
- send newsletters and content updates;
- manage client relationships;
- operate, secure and improve our website and services;
- manage payments, invoices, tax and accounting records;
- comply with legal, regulatory or professional obligations;
- protect our rights, systems, clients and business.
9. Lawful bases for using personal information
We only use personal information where we have a lawful basis under UK data protection law. The lawful bases we are likely to rely on are:
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries | Legitimate interests, or steps before entering into a contract |
| Providing assessments, consultancy, reports and support | Contract, or steps before entering into a contract |
| Carrying out requested exposure checks | Contract and/or legitimate interests |
| Supporting incident or crisis response | Contract and/or legitimate interests |
| Sending newsletters to subscribers | Consent |
| Sending service-related communications | Contract and/or legitimate interests |
| Sending relevant updates to existing clients, where permitted | Legitimate interests, with an option to opt out |
| Managing invoices, payments, tax and accounting records | Legal obligation and/or legitimate interests |
| Securing our website, systems and services | Legitimate interests |
| Managing suppliers and business administration | Legitimate interests |
| Handling complaints, disputes or legal matters | Legitimate interests and/or legal obligation |
| Using non-essential cookies or similar technologies where consent is required | Consent |
Where we rely on legitimate interests, we consider whether our interests are overridden by the rights and freedoms of the people whose information we process.
10. Exposure checks and public-source checks
Some CyberSprouts services may include exposure checks. These may involve checking information such as email addresses, usernames, phone numbers or online handles against public sources, breach-notification services, public profiles or other open-source information.
The purpose of these checks is to help clients understand and reduce cyber-safety, privacy or account-security risks.
We do not carry out intrusive investigation, surveillance, covert monitoring or unauthorised access. We do not attempt to access private accounts, bypass security controls, obtain passwords, or retrieve private content without proper authorisation.
Where possible, we limit exposure findings to what is useful for risk reduction. For example, we may report that an email address appears in known breaches, but we do not need to store unnecessary breach details for longer than required.
11. Newsletters and content updates
If you subscribe to our newsletter or content updates, we use your contact details to send you the information you requested.
We may collect basic engagement information, such as whether an email was delivered, opened or clicked. This helps us understand whether our content is useful and improve future communications.
You can unsubscribe from newsletter emails at any time by using the unsubscribe link in the email or by contacting hello@cybersprouts.com.
12. Cookies and similar technologies
CyberSprouts and the third-party services we use may use cookies, pixels, server logs and similar technologies.
These technologies may be used to:
- make our website, newsletter and online services work properly;
- remember user preferences;
- understand how visitors use our website and content;
- measure newsletter performance, such as whether emails are opened or links are clicked;
- protect the security and integrity of our services.
Some cookies and similar technologies are necessary for the service to function. Others, such as analytics or marketing cookies, may require consent depending on how they are used.
Where required, we will provide cookie controls or consent options. You can also manage cookies through your browser settings.
We do not currently use cookies for targeted advertising or behavioural advertising.
13. Who we share information with
We do not sell personal information.
We may share personal information with trusted third parties where necessary to operate our business, provide services or comply with legal obligations. These may include:
- website hosting and infrastructure providers;
- email, document storage and productivity providers;
- form, survey and customer management providers;
- newsletter and content distribution platforms;
- payment, invoicing and accounting providers;
- cyber-security, exposure-checking and public-source research tools;
- professional advisers, such as accountants, insurers or legal advisers;
- regulators, authorities or law enforcement where required by law or necessary to protect rights, safety or security.
We use categories of suppliers in this Privacy Policy rather than listing every individual tool. We keep our supplier arrangements under review.
Some third-party services may act as independent controllers for their own purposes, for example where you create an account with them directly or use their platform under their own terms.
14. International transfers
Some of the services we use may process personal information outside the United Kingdom.
Where this happens, we will take reasonable steps to ensure appropriate safeguards are in place. These may include adequacy regulations, approved contractual terms, supplier due diligence, technical protections, or other safeguards recognised under data protection law.
15. How long we keep information
We keep personal information only for as long as we need it for the purposes described in this Privacy Policy, including legal, accounting, tax, security and dispute-resolution purposes.
Our usual retention approach is:
| Type of information | Usual retention approach |
|---|---|
| General enquiries | Usually up to 12–24 months |
| Survey responses | Usually until the report or advice has been delivered, plus a limited review period |
| Assessment reports and recommendations | Usually up to 6–24 months, depending on the service and client relationship |
| Exposure-check working notes | Usually deleted or minimised after the report or advice has been completed |
| Client correspondence | Usually retained for the client relationship plus a reasonable period afterwards |
| Incident or crisis-response records | Retained for a period appropriate to the nature of the incident and any follow-up risk |
| Newsletter subscriber records | Until unsubscribe, plus any suppression record needed to avoid further contact |
| Accounting and invoice records | Usually 6 years |
| Website and security logs | Kept for a limited operational and security period |
| CRM or customer management records | Retained while the relationship is active, then archived or deleted after a defined period |
These periods may vary where we need to keep information for legal, regulatory, insurance, security or dispute-resolution reasons.
Clients may ask us to delete working notes or non-essential information sooner, and we will do so where we are not required to retain it.
16. How we protect information
We use appropriate technical and organisational measures to protect personal information. These may include:
- multi-factor authentication on business accounts;
- use of password management;
- access controls and least-privilege access;
- encryption in transit and at rest where available;
- device security controls;
- secure storage and deletion practices;
- separation of business information from personal accounts where practical;
- supplier review and due diligence;
- backup and recovery controls;
- limiting the amount of personal information we collect and retain.
No system is completely secure. We encourage clients not to send unnecessary sensitive information and not to send passwords or recovery codes.
17. Client responsibilities when sharing information
To help us protect information, clients should:
- avoid sending passwords, recovery codes or unnecessary identity documents;
- avoid sending unnecessary sensitive information;
- provide age bands for children rather than exact dates of birth where possible;
- only provide information about other household members where they have a proper reason to do so;
- tell us if information needs special handling;
- use agreed communication methods for sensitive material.
If we receive information that appears unnecessary for the service, we may delete it or ask for a safer way to proceed.
18. Your rights
Depending on the circumstances, you may have the right to:
- ask for a copy of your personal information;
- ask us to correct inaccurate or incomplete information;
- ask us to delete personal information;
- ask us to restrict how we use personal information;
- object to certain uses of personal information;
- ask for personal information to be transferred to you or another provider;
- withdraw consent where we rely on consent;
- complain to the Information Commissioner’s Office.
These rights are not absolute and may depend on the lawful basis, the type of information and why we hold it.
To exercise your rights, contact hello@cybersprouts.com.
19. Complaints
If you have concerns about how we use personal information, please contact us first so we can try to resolve the issue.
You also have the right to complain to the UK Information Commissioner’s Office.
The ICO can be contacted through its website or by post at:
Information Commissioner’s OfficeWycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
20. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if our services, suppliers, website features or legal obligations change.
The latest version will be published on our website with the date it was last updated.
Trust • Protection • Confidence • Resilience