Privacy Policy
Plain-language summary: BastionIQ is a UK-based cyber resilience SaaS platform. We are transparent about where your data is stored, how it is used, and who can access it. Your organisation's cyber resilience content — the plans, assessments, and documents you create inside BastionIQ — stays in the data region you chose at sign-up and never leaves it. We don't sell your data. You can request deletion at any time.
1. Who we are
BastionIQ Ltd ("BastionIQ", "we", "us", "our") is a UK-based software company providing a cyber resilience platform for organisations. Our registered address is Aylesbury, Buckinghamshire, UK.
For personal data collected through our website (bastioniq.ai) and related to our own business operations — such as enquiries, account contacts, and billing records — BastionIQ acts as the data controller under UK GDPR, EU GDPR, and the Data Protection Act 2018.
For personal data that your organisation inputs or generates within the BastionIQ platform (for example, staff names in incident records, risk register entries, or exercise scenarios), BastionIQ acts as a data processor on your behalf. Your organisation remains the data controller for that content.
A Data Processing Agreement (DPA) governing the controller/processor relationship is available on request at privacy@bastioniq.ai.
2. Scope of this policy
This policy covers website visitors, enquiry and registration data, platform accounts, and communications. It does not govern the content your organisation creates inside the platform (risk registers, incident records, playbooks, vault documents, etc.). That content is processed under the controller/processor relationship described in Section 1 and governed by your Data Processing Agreement.
3. Data we collect
Website and enquiry data: contact identity (name, job title), business contact (work email), organisation details, use-case context (optional), and technical metadata (IP address, browser type, referral source, timestamp).
Platform account data: account identity, organisation profile, authentication credentials (Cognito-managed; raw passwords are never stored), usage metadata, support records, and billing contact information. Payment card data is never held by BastionIQ.
We do not knowingly collect special-category data or payment card numbers.
4. How we use your data
| Purpose | Description |
|---|---|
| Service delivery | Provisioning and operating your organisation's platform account |
| Authentication & security | Verifying identity, enforcing MFA, detecting suspicious access |
| Communications | Account notifications, product updates, and support responses |
| Billing | Managing subscriptions and invoicing |
| Product improvement | Aggregated, anonymised usage analytics to inform feature development |
| User research (opt-in) | Voluntary interviews or surveys; participation is always your choice |
| Legal compliance | Meeting regulatory obligations under UK/EU law |
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. Lawful basis for processing
| Processing activity | Lawful basis |
|---|---|
| Delivering the platform service | Performance of contract (Article 6(1)(b)) |
| Account provisioning and billing | Performance of contract (Article 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Website enquiries and follow-up | Legitimate interests (Article 6(1)(f)) |
| Marketing beyond initial contact | Consent (Article 6(1)(a)) |
| User research participation | Consent (Article 6(1)(a)) |
| Legal obligation compliance | Legal obligation (Article 6(1)(c)) |
6. Data residency and where your data is stored
Data residency is central to BastionIQ's architecture. We operate in multiple AWS regions and honour the sovereign boundaries of the region your organisation was provisioned in.
Your cyber resilience content never leaves the region it was provisioned in. All plans, risk registers, incident records, playbooks, exercise scenarios, vault documents, and AI-generated outputs are stored exclusively in your organisation's data region and are never replicated to another region.
| Region label | AWS region | Location |
|---|---|---|
| United Kingdom | eu-west-2 | London, England |
| United States | us-east-1 | Northern Virginia, USA |
Account administration records (account name, status, subscription tier) are held in our primary region eu-west-2 (London, UK) regardless of your platform data region. This is BastionIQ's internal account management data — it is not your cyber resilience content. Authentication is handled through AWS Cognito user pools provisioned in your data region.
7. Data retention
| Data category | Retention period | Reason |
|---|---|---|
| Platform content (tenant data) | Duration of subscription + 90 days | Allows data export before permanent deletion |
| Account contact records | 24 months after account closure | Regulatory and support obligations |
| Authentication logs | 90 days | Security and fraud prevention |
| Technical metadata / API logs | 90 days | Security monitoring |
| Billing records | 7 years | UK legal and tax requirements |
| Consent records | Until withdrawn + 6 years | Legal compliance evidence |
| Support records | 3 years after ticket closure | Dispute resolution |
8. Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute, authentication | UK (eu-west-2) · US (us-east-1) |
| Email delivery provider | Transactional platform emails | EU/UK |
| Payment processor | Subscription billing (card data never touches BastionIQ) | UK/EU |
| Analytics (aggregated only) | Privacy-preserving product usage analytics | UK |
An up-to-date sub-processor list is available on request at privacy@bastioniq.ai.
9. International transfers
UK-based organisations: All platform content is stored in AWS eu-west-2 (London). No international transfer of platform content data occurs.
US-based organisations: Platform content is stored in AWS us-east-1 (Northern Virginia). BastionIQ's internal account record is held in eu-west-2 (UK). This transfer is governed by Standard Contractual Clauses (SCCs) supplemented by a Transfer Impact Assessment.
10. Your rights
Under UK GDPR (and EU GDPR where applicable), you have the right to: access, rectification, erasure, restriction, portability, objection to legitimate-interest processing, withdrawal of consent, and protection from solely automated significant decisions.
We respond within one calendar month. To exercise any right, contact privacy@bastioniq.ai. Platform users may also export their organisation's data directly from Settings → Data Export.
11. Security
BastionIQ implements TLS 1.2+ encryption in transit, AES-256 encryption at rest via AWS KMS customer-managed keys, role-based access controls, enforced MFA for all accounts, audit logging of administrative actions, regular security assessments, and a documented incident response procedure with 72-hour supervisory authority notification where required.
12. Cookies
We use minimal cookies. Strictly necessary cookies (session management, CSRF protection) require no consent. Analytics or preference cookies are only set following your consent, requested on your first visit. Full details are in our Cookie Policy. You can update your preferences at any time via the cookie settings link in the site footer.
13. Children's data
The BastionIQ platform is intended for business professionals. It is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child's data has been submitted, contact privacy@bastioniq.ai immediately.
14. Changes to this policy
We may update this policy as the platform evolves or legal requirements change. For material changes we will send an in-platform notification to all active account holders, email registered contacts, and update the effective date. The current version is always at bastioniq.ai/privacy.
15. Contact & complaints
For any questions, concerns, or to exercise your data rights:
- Email: privacy@bastioniq.ai
- Address: BastionIQ Ltd, Aylesbury, Buckinghamshire, UK
We would always prefer to resolve concerns directly before a formal complaint. If you remain unsatisfied, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local EU/EEA Data Protection Authority.