Privacy policy

MWR InfoSecurity Limited (“Us” or “We”) are committed to protecting and respecting your privacy.
  1. Who we are
  2. What information we process and how
    1. Information you give us
    2. Information we collect and sources
    3. Information we receive from other sources
  3. Use made of the information
  4. Lawful basis for processing
  5. Third parties, data processors and disclosing
  6. Where we store your personal data
  7. Your rights and how to engage them
  8. Changes to our policy
  9. Contacting us


Who we are

This policy (together with our terms of use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting sites hosted at you are accepting and consenting to the practices described in this policy.

For the purpose of the Data Protection Bill 2018 the data controller is MWR InfoSecurity Limited of Matrix House, Basing View, Basingstoke, RG21 4DZ.

Countercept operates as a division of MWR and adheres to the same data management policy.

phishd operates as a division of MWR and adheres to the same data management policy.


What information we process and why

We may collect and process personal information about you from the following data categories:

Information you give us 

You may give us information about you by filling in forms on our websites or by corresponding with us by phone, email or otherwise. This includes information you provide when you register to use our site, subscribe to our services, search for a product, place an order on our site, participate in discussion boards or other social media functions on our site, enter a competition, promotion or survey, and when you report a problem with our site. The information you give us may include your name, address, email address and phone number, financial and credit card information, personal description and photograph.

Information we collect about you 

With regard to each of your visits to our site we may automatically collect the following information:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products or services you viewed or searched for;
  • Page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

Information we receive from other sources

We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data, and that it may be shared internally and combined with data collected on this site. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.


Uses made of the information

We use information held about you in the following ways:

Information you give to us

We will use this information:

  • To carry out obligations arising from any contracts entered into between you and us, and to provide you with the information, products and services that you request from us;
  • To provide you with information about other goods and services we offer that are similar to those about which you have already purchased or enquired;
  • To provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this. If you do not want us to use your data in this way or to pass your details on to third parties for marketing purposes, please tick the relevant box situated on the form on which we collect your data (the order form or registration form);
  • To notify you about changes to our service;
  • To ensure that content from our site is presented in the most effective manner for you and for your computer.

Information we collect about you

We will use this information:

  • To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical, and survey purposes;
  • To improve our site to ensure that content is presented in the most effective manner for you and for your computer;
  • To allow you to participate in interactive features of our service, when you choose to do so;
  • As part of our efforts to keep our site safe and secure;
  • To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  • To make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.

Information we receive from other sources

We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).


The lawful basis for processing your information

The collection, retention, management and processing of your information, based on the uses above is carried out under either 1) fulfilment of a contract or 2) a legitimate interest of MWR. For more information on our legitimate interest assessments please contact The use of legitimate interest as a lawful basis for processing does not affect your rights as an individual and you are able to opt out if you so wish.

Where processing is required for an activity (e.g. responding to a website enquiry or a contractual agreement), we may not be able to complete the activity without the specific processing.

Where legitimate interest is not suitable or applicable to a type of data processing, we will seek your consent. You may withdraw consent at any time.


Disclosure of your information and data processors

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may also share your information with selected third parties (data processors) including:

  • Business partners, suppliers, and sub-contractors, for the performance of any contract we enter into with them or you;
  • Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others;
  • Data processors required in order to fulfil the purpose of data processing. For example, Eloqua is used to fulfil the purpose of email marketing. Where data processors are involved, we ensure they are compliant with respect to GDPR and Privacy Shield.

We may disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • If MWR InfoSecurity Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of MWR InfoSecurity Limited, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.



Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy.


Where we store your personal data

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details, and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.


Your rights and how to exercise them

Right to be informed

Your right to be informed requires us to proactively inform you when we intend to process, or have processed, your information. This primarily takes the form of this privacy notice, point of contact notices, and outbound communications (where email is the most practical and least intrusive method).


Right of access

You have the right to know what personal data we process and to access/receive copies of your personal data. You may also access other supplementary information about the processing.

To request access to your data and supplemental information about the processing, please contact

We will provide the information free of charge unless your request is manifestly unfounded, excessive or repetitive, in which case we are entitled to charge a reasonable fee. We will provide the information you request as soon as possible and in any event within one month of receiving your request. If your request is complex, we may notify you that we require an extension of up to two months.


Right of rectification

If you believe that we are processing inaccurate information, you may ask us to correct that information. We will correct any errors within one month, unless we require an extension. We will notify you if an extension is required.


Right of erasure

In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:

  • When we have collected your personal data on the grounds of consent and you withdraw that consent;
  • When we have a legitimate interest in processing your data. We believe that your right to privacy can override the use of legitimate interest as a lawful basis;
  • Where the personal data has to be deleted to comply with a legal obligation.

There are situations that require us to refuse to comply with a request. We will notify you if any of these apply.


Right to restrict processing

In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data, but we don’t have to delete it. This right is available to you:

  • If you believe the personal data we hold isn’t accurate – we’ll cease processing it until we can verify its accuracy;
  • If you have objected to us processing the data (see below) – we’ll cease processing it until we have determined whether our legitimate interests override your objection;
  • If the processing is unlawful, or;
  • If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.


Right to data portability

You have a right to access and/or receive your data across different services, transfer your data securely between IT environments, and maintain its usability. MWR will endeavour to meet your request for a specific format; however, as standard your data will be supplied in a format best suited to meeting the right to portability.


Right to object

You have the right to object to us processing your information:

  • If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority;
  • For direct marketing purposes (including profiling), and/or;
  • For the purposes of scientific or historical research and statistics.

To object, you must outline your grounds for doing so. We will comply with your objection unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights, and freedoms or the processing is for the establishment, exercise or defence of legal claims.


Rights on automation

Some activities make use of your information and the use of automated decision making – for example, being selectively included in marketing activities. While automation is used, it is not used in isolation without human input.

To exercise any of your rights or for more information on this topic area, please email


Changes to our privacy policy

We aim to develop a best practice privacy posture that goes beyond legislative compliance. Doing so will require incremental changes to our policy and this privacy notice. Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.



Questions, comments and requests regarding this privacy policy are welcomed. Please email

Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.