Overview
Kernova Security Ltd. ('Kernova,' 'we,' 'us,' or 'our') is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard data when you visit kernova.io, request our services, or engage with our team.
We operate as a data controller under the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable data protection laws in the jurisdictions where we operate. If you have questions about this policy, contact our Data Protection Officer at [email protected].
Data We Collect
We collect information you provide directly — including name, business email address, organization name, telephone number, and the content of messages submitted through our contact forms or CTA modal. We do not collect payment card data through our website.
We automatically collect certain technical data when you visit our site: IP address, browser type and version, operating system, referring URLs, pages visited, and time spent on pages. This data is collected via server logs and first-party analytics.
We do not use third-party tracking pixels, behavioral advertising networks, or cross-site tracking technologies. We do not sell personal data to any third party.
Legal Basis for Processing
Contractual necessity — processing required to respond to service inquiries and deliver contracted cybersecurity services.
Legitimate interests — analytics to improve our website and communications, fraud prevention, and IT security operations, where these interests are not overridden by your rights.
Consent — where you have explicitly opted in to receive marketing communications. You may withdraw consent at any time by contacting us at [email protected].
Legal obligation — processing required to comply with applicable law, including record-keeping obligations and incident reporting under NIS2.
How We Use Your Data
To respond to security assessment requests and service inquiries submitted through our website.
To deliver contracted cybersecurity services, including penetration testing reports, compliance deliverables, and training materials.
To send security intelligence updates and our blog newsletter, where you have opted in.
To operate, maintain, and improve our website and services.
To comply with legal obligations including GDPR data subject requests, regulatory reporting, and lawful orders from competent authorities.
Data Sharing & Processors
We do not sell, rent, or trade your personal data. We share data only with carefully vetted sub-processors who assist us in delivering our services — including cloud infrastructure providers (AWS EU regions), email delivery services, and our CRM. All processors are bound by data processing agreements with GDPR-compliant terms.
We may disclose personal data to law enforcement or regulatory bodies where required by law, or to protect the rights, property, or safety of Kernova, our clients, or the public. We will notify you of such disclosures where legally permitted to do so.
Kernova operates primarily within the European Economic Area. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses.
Data Retention
Contact and inquiry data is retained for 24 months from the date of last contact, after which it is securely deleted unless a contractual relationship has commenced.
Client engagement data — including assessment reports, compliance documentation, and correspondence — is retained for 7 years following contract termination to meet legal and professional indemnity requirements.
Website analytics data is retained in aggregated, anonymized form and is not subject to individual data subject deletion requests.
Your Rights
Under GDPR, you have the right to: access the personal data we hold about you; rectify inaccurate data; request erasure (right to be forgotten) where no legal basis for retention exists; restrict or object to processing; request data portability; and lodge a complaint with your national supervisory authority.
To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within 30 days. Identity verification may be required before we process your request.
If you are located in the UK, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, your national Data Protection Authority is the relevant supervisory body.
Security Measures
We apply the same security standards to our own data as we recommend to our clients. Data in transit is encrypted with TLS 1.3. Data at rest is encrypted using AES-256. Access to personal data is restricted to personnel who require it to perform their duties, governed by role-based access controls and enforced multi-factor authentication.
We conduct regular internal security reviews and maintain an incident response plan. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via a notice on our website at least 14 days before they take effect. The date at the top of this page reflects the most recent revision.
Contact
Data Protection Officer: [email protected]
Kernova Security Ltd. · Registered in England & Wales