Privacy Policy
Effective 29 April 2026
This privacy policy explains how ShieldSelf collects, uses and protects your personal data when you use our website, membership service and breach monitoring features. We are committed to handling your data lawfully under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
ShieldSelf is a UK-based personal cybersecurity service. For the purposes of UK GDPR, ShieldSelf is the data controller for the personal data described in this policy. You can contact us at hello@shieldself.co.uk.
What we collect
We collect only the data we need to deliver the service:
- Account data — your name, email address and password (stored securely as a salted hash by our authentication provider).
- Billing data — your billing address and partial card details, processed by Stripe. We do not store full card numbers on our systems.
- Monitored email addresses — up to five email addresses you choose to monitor for breach exposure, plus any breach alerts associated with them.
- Course progress — which lessons you have viewed, tasks you have ticked off, and your ShieldSelf Score.
- Technical data — IP address, browser type and basic server logs needed to operate the service securely.
How we use your data
- To create and operate your membership account.
- To check the email addresses you choose to monitor against known breach databases and notify you of new exposures.
- To process payment for your subscription (via Stripe).
- To send you transactional emails (account, billing, breach alerts) — we do not send marketing email without your separate consent.
- To improve the course and service through aggregate, anonymous usage analysis.
Lawful basis
- Contract — most processing is necessary to deliver the service you have signed up for.
- Legitimate interests — keeping the service secure and improving it.
- Legal obligation — keeping financial records and responding to lawful requests.
Who we share data with
We use a small number of trusted processors to operate the service. Each processes your data only on our instructions and is bound by contract under UK GDPR Article 28:
- Stripe Payments UK Ltd — payment processing.
- Clerk Inc. — account authentication and password management.
- Supabase Inc. — encrypted database storage of your account, monitoring and progress data.
- Resend Inc. — transactional email delivery (account, billing and breach-alert emails).
- Have I Been Pwned (HIBP) — we query this service using a hash-prefix protocol to check whether your monitored email addresses have appeared in any known data breaches.
- Vercel Inc. — website hosting and content delivery.
We do not sell your data and we do not share it with advertisers.
International transfers
Some of our processors are based outside the UK. Where data leaves the UK we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an applicable adequacy decision.
How long we keep data
- Account, monitoring and progress data — for as long as your membership is active. You can delete your account at any time, after which we delete your personal data within 30 days, excluding records we are legally required to retain.
- Billing records — retained for 7 years to meet UK accounting and tax law requirements.
- Server logs — typically retained for up to 30 days for security and abuse prevention.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Have your data deleted, subject to lawful retention requirements.
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, email hello@shieldself.co.uk. You also have the right to complain to the UK Information Commissioner's Office (ICO) — ico.org.uk.
Security
We apply the technical and organisational measures appropriate to the risk: HTTPS everywhere, encryption at rest, hashed passwords, least-privilege access controls, and regular review of our subprocessors. No service can guarantee absolute security, but we treat your data with the same controls we teach in the course.
Cookies
See our Cookie Policy for details of the cookies we use.
Changes to this policy
We may update this policy from time to time. Material changes will be notified by email at least 14 days before they take effect.
Contact
Questions or requests about your personal data: hello@shieldself.co.uk.