Introduction
This Privacy Policy explains how CyberHire ("CyberHire", "we", "us" or "our") collects, uses, shares and protects personal data when you visit cyber-hire.com, create or use an account on our technical screening platform, or otherwise interact with us.
CyberHire is operated by CyberHire Limited (a company in formation under the laws of England and Wales; company registration and ICO notification pending). Our registered office address will be published once the company is incorporated. Until then, our contactable address for data-protection matters is legal@cyber-hire.com.
This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (GDPR) where applicable, and the Privacy and Electronic Communications Regulations (PECR). Separate policies apply to specific groups - if you are a candidate taking an assessment, also see our Candidate Privacy Notice; if you are a business customer, also see our Data Processing Addendum.
Who we are and our role
CyberHire operates a technical screening platform that lets employers ("Customers") create cybersecurity assessments and invite candidates to complete them in realistic challenge environments.
For the purposes of data-protection law, CyberHire acts in two distinct roles:
- As a controller of personal data we collect directly - for example, when you visit our marketing site, fill in the request-invitation form, sign up for an admin account, pay for a subscription, or contact us.
- As a processor of personal data we handle on behalf of our Customers - principally candidate data processed as part of an assessment. In that role, our Customer is the controller and decides the purposes and means of processing. Our processor obligations are set out in our Data Processing Addendum.
This policy focuses on processing where CyberHire is the controller. Candidates should also read our separate Candidate Privacy Notice, which explains how candidate assessment data is handled.
What personal data we collect
We collect the following categories of personal data about you:
Information you give us
- Account data: your first and last name, business email address, password (stored as a bcrypt hash - never in plain text), and optional profile picture.
- Company data: the company you represent, your job title (where provided), and billing information you submit during subscription.
- Communications: any information you send us when you fill in the contact form, request an invitation, email us at legal@cyber-hire.com, or otherwise get in touch.
- Authentication data: if you enable multi-factor authentication, the secret used to generate time-based codes (stored encrypted). If you sign in using Google or Microsoft, we receive your email, name and profile picture from that identity provider.
Information we collect automatically
- Technical data: IP address, approximate location derived from that address using an offline GeoIP database (country, country code, and city only - we do not resolve precise coordinates), User-Agent string, device type, browser, operating system, referring URL, and pages viewed.
- Session data: authentication tokens, login timestamps, session duration, and features used within the admin console.
- Security and audit logs: records of account actions (logins, password resets, permission changes, impersonation sessions by our support staff, subscription changes) and failed authentication attempts.
Information we receive from third parties
- From single sign-on providers (Google, Microsoft): when you choose to sign in with SSO, we receive your name, email, profile picture, and a provider-issued identifier. We do not receive your password.
- From Stripe: payment confirmations, subscription status, the last four digits of the card used, expiry month/year, and issuing country. We do not store full card numbers or CVC values; these are handled directly by Stripe as an independent controller.
How we use your personal data
We use personal data for the following purposes, with the legal bases (UK GDPR Article 6) set out in each case:
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the platform to Customer admins | Account, company, authentication, session data | Performance of a contract (Art. 6(1)(b)) |
| Billing, subscription management, and tax compliance | Company, billing, subscription data | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Platform security, fraud detection, abuse prevention | Technical, session, security-log data | Legitimate interests (Art. 6(1)(f)) - keeping the platform secure |
| Service emails (invitations, notifications, security alerts) | Name, email address | Contract (Art. 6(1)(b)) |
| Marketing emails about CyberHire's own products | Name, email, engagement data | Legitimate interests (Art. 6(1)(f)) for existing business contacts; consent (Art. 6(1)(a)) where required |
| Responding to support queries or legal requests | Communications, account data | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Improving our product (aggregated analytics) | Session, technical data (aggregated/pseudonymised where possible) | Legitimate interests (Art. 6(1)(f)) |
Where our legal basis is legitimate interests, we have carried out a balancing assessment and concluded that our interests do not override your rights and freedoms. You may object to processing on this basis at any time (see "Your rights", below).
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
Cookies and similar technologies
We use a minimal set of cookies and similar technologies. We do not run third-party advertising pixels on our marketing site. Full details, including purposes, retention periods, and how to opt out, are set out in our Cookies Policy.
Who we share your personal data with
We share personal data only with a small set of vetted service providers acting as our data processors, and in a limited number of other circumstances. We do not sell personal data. Our current list of sub-processors (including names, purposes, and processing locations) is maintained at Sub-processors.
We disclose personal data in the following situations:
- To our service providers (sub-processors) who help us run the platform - for example, Postmark (transactional email), Stripe (payments), Supabase (file storage), Fly.io (the infrastructure that hosts challenge environments), and Anthropic (AI challenge generation). Each processor is bound by a written contract containing UK GDPR Article 28 terms.
- To authentication providers you choose to use (Google, Microsoft). These act as independent controllers of the data they hold.
- To our Customers, where you are a candidate taking one of their assessments. In that case, CyberHire is processing on behalf of the Customer - see the Candidate Privacy Notice.
- To our professional advisors (lawyers, accountants, auditors) and potential or actual acquirers or successors in a corporate transaction, subject to appropriate confidentiality obligations.
- To law enforcement, regulators or courts where we are legally required to do so or where disclosure is necessary to protect our rights, property, or the safety of our users or the public.
International transfers
CyberHire is based in the United Kingdom and our primary data is stored in the United Kingdom or European Economic Area (EEA). Some of our sub-processors are established outside the UK / EEA (for example, Anthropic and Stripe have infrastructure in the United States).
Where personal data is transferred outside the UK, we rely on one of the following safeguards:
- UK adequacy regulations for transfers to jurisdictions the UK Government has determined provide an adequate level of data protection;
- The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the European Commission's Standard Contractual Clauses, for transfers to countries without an adequacy decision;
- The EU-US Data Privacy Framework and its UK Extension, where the recipient is certified under that framework.
You can request a copy of the safeguards in place for a specific transfer by emailing legal@cyber-hire.com.
How long we keep your personal data
We retain personal data only for as long as necessary for the purposes for which it was collected, plus any period required by law. Specifically:
- Active account data: for the duration of your account with us, plus 30 days after account closure for recovery.
- Billing and tax records: 6 years from the end of the relevant financial year, as required by HMRC.
- Marketing enquiries and contact form submissions: 24 months from the last interaction.
- Security and audit logs: 24 months from the log event.
- Candidate assessment results: 24 months from the date the assessment closes - see the Candidate Privacy Notice for full details.
When the applicable retention period ends, we delete or anonymise the data so that it can no longer be associated with you.
How we protect your personal data
We apply appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest for all customer data stores.
- Passwords stored as bcrypt hashes, never in plain text; MFA secrets encrypted at rest.
- Role-based access control with the principle of least privilege; administrative access limited to staff who need it.
- Every administrative access is logged (including impersonation sessions by our support staff, which are time-limited and auditable).
- Dependency scanning, code review, and periodic security review of the platform.
- A written incident-response plan and breach-notification process aligned with UK GDPR Article 33 (notification to the ICO within 72 hours where applicable).
Full technical and organisational measures are detailed in Annex II of our Data Processing Addendum.
Your rights
Under UK GDPR you have the following rights:
- Right of access - to obtain a copy of the personal data we hold about you.
- Right to rectification - to have inaccurate personal data corrected.
- Right to erasure ("right to be forgotten") - to have personal data deleted in defined circumstances.
- Right to restrict processing - to have processing limited in defined circumstances.
- Right to data portability - to receive personal data in a structured, commonly used, machine-readable format.
- Right to object - to object to processing based on legitimate interests, including profiling and direct marketing.
- Right to withdraw consent - where processing is based on consent, to withdraw that consent at any time.
- Right not to be subject to automated decision-making - including profiling that produces legal or similarly significant effects.
To exercise any of these rights, please email legal@cyber-hire.com. We will respond within one calendar month; we may extend that by up to two further months for complex requests, in which case we will tell you within the first month.
If you are a candidate, please see the Candidate Privacy Notice - many candidate rights are exercised through the Customer who invited you to the assessment, because that Customer is the controller of your data.
How to complain
If you have concerns about how we handle your personal data, please contact us first at legal@cyber-hire.com. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
If you are in the European Economic Area, you may also lodge a complaint with your local supervisory authority.
Data Protection Officer
Our Data Protection Officer is Michael Carthy. You can contact the DPO directly at legal@cyber-hire.com.
Children
CyberHire is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have collected personal data from a child, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time to reflect changes in how we operate or in applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and - where required by law or where the change materially affects you - notify you by email or in-product notice before the changes take effect.
Contact
For any question about this policy, contact the Data Protection Officer at legal@cyber-hire.com.