Privacy Policy — KIXK Systems Ltd

Section 01

Data Controller

KIXK Systems Ltd ("we", "us", "our") is a Data Controller registered with the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018. We process limited business contact information strictly for direct B2B marketing communications related to our digital security services.

Data Controller: KIXK Systems Ltd
Company No. 17244535 · Registered in England & Wales
Contact: nino@kixk.systems

Section 02

Lawful Basis for Processing

Our lawful basis for processing professional contact data under UK GDPR is Legitimate Interests (Article 6(1)(f)).

Before contacting any prospective business, we conduct passive, public-facing perimeter security checks using exclusively public tools — MxToolbox, Shodan (cached data only), HaveIBeenPwned, and crt.sh. These checks do not involve accessing any private systems or requesting any consent from the target organisation.

We have conducted a Legitimate Interests Assessment (LIA) to confirm this basis and concluded that the processing does not override the interests, rights, or freedoms of the data subjects given the strictly B2B nature of all communications.

Section 03

Data We Collect

We collect only the minimum corporate contact data required to facilitate B2B communication:

Full name
Corporate email address
Job title
Company name
Company domain (for passive security assessment purposes)

We do not collect personal home addresses, financial data, National Insurance numbers, health information, or any other special category data as defined under UK GDPR Article 9.

Section 04

How We Use Your Data

Data collected is used solely for the following purposes:

Sending targeted B2B direct marketing communications about our digital security services
Conducting passive public-facing security assessments to identify vulnerabilities relevant to your organisation
Following up with prospects who have engaged with our initial communications
Managing ongoing client relationships where an engagement has been entered into

We do not sell, rent, share, or transfer your personal data to any third party for their own marketing purposes.

Section 05

Data Retention & Suppression

Prospects who do not respond: data retained for one active outreach campaign cycle (maximum 30 days) before permanent deletion
Prospects who request removal: data transferred to our suppression list within 24 hours of the request
Active clients: data retained for the duration of the engagement plus six years in accordance with UK limitation periods
Suppressed contacts: permanently excluded from all future outreach campaigns

To request removal: Reply "remove" to any of our communications. Your data will be added to our permanent suppression list within 24 hours. Alternatively, email nino@kixk.systems directly.

Section 06

PECR Compliance

All direct marketing emails we send include a clear, prominent opt-out mechanism in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). Every email includes the line: "Not relevant? Reply 'remove' and I won't contact you again."

We process all removal requests within 24 hours and maintain a permanent suppression list. Suppressed email addresses and domains are never contacted again.

Section 07

Your Rights

Under UK GDPR, you have the following rights:

Right of access: Request a copy of the data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your data
Right to object: Object to our processing under Legitimate Interests
Right to restriction: Request restriction of processing in certain circumstances
Right to data portability: Receive your data in a structured, machine-readable format

To exercise any of these rights, contact us at nino@kixk.systems. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk.

Section 08

Security of Your Data

We implement appropriate technical and organisational measures to protect business contact data against unauthorised access, loss, or disclosure — including encrypted storage and access controls. Client credentials obtained during active engagements are stored exclusively in a dedicated encrypted password manager and are permanently deleted at engagement termination.

Section 09

Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects any changes. For questions about this policy: nino@kixk.systems

Privacy &Data Handling Policy