We take data privacy seriously
Vorago Security Limited
Vorago Security Ltd ("Vorago Security", "we", "us", "our") provides cyber security consultancy and managed security services to clients across the UK and, on occasion, internationally. Vorago Security Ltd is registered in England and Wales under company number 10969227, with its registered office at 1 Watervole Way, Doncaster, DN4 5JP.
Vorago Security Ltd is the data controller for the personal information described in this statement. This privacy statement explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights you have under UK data protection law, including the UK GDPR and the Data Protection Act 2018.
Information we collect
Through this website we collect only your name and email address, which you provide when you contact us or submit an enquiry. We also collect limited technical data through cookies and similar technologies (see "Website Cookies and Tracking" below).
How and why we use your information
We use the name and email address you provide to respond to your enquiry and to communicate with you about the services you have asked about. Lawful basis: legitimate interests, or steps taken at your request prior to entering a contract.Where you become a client, the personal data we process to deliver our services, and our responsibilities for it, is governed by the contract and data processing terms agreed with you. In delivering those services we generally act as a data processor on your behalf.
We send a newsletter containing updates, insights and information about our services. You may receive it because you signed up directly, or because you are an existing client. Lawful basis: consent where you have signed up to receive it, and legitimate interests where you are an existing client receiving information about services similar to those we already provide to you. We use Mailchimp to manage and deliver these communications. You can unsubscribe, or withdraw your consent, at any time using the link in any email we send, or by contacting us.
Who we share your information with.
We use trusted third-party providers to operate our business and deliver our services. Those that may process the personal data covered by this statement include:
- Email, productivity and file storage providers (Microsoft 365 and Google)
- Our customer relationship management and enquiry system (Pipedrive)
- Our email marketing platform (Mailchimp, part of Intuit)
- Workflow and integration tools (Zapier)
- Our website host (Webflow)
- Analytics and advertising providers (Google, Meta and LinkedIn), which set cookies and similar technologies on our website. These providers may process the data for their own purposes under their own privacy policies, and we only use them where you have given consent (see "Website Cookies and Tracking").
All of these providers process personal data on our behalf, under contracts that require them to keep it secure and use it only on our instructions. Where we act as a data processor delivering services to clients, a fuller list of subprocessors is provided in the relevant client contract.
We may also share personal data with our professional advisers, such as accountants and legal advisers, and with regulators, law enforcement or other authorities where we are required to do so by law, including HM Revenue and Customs, the courts, and the Information Commissioner's Office.
We do not sell your personal data to anyone.
International transfers
Some of our providers are based outside the UK, including in the United States. Where we transfer personal data outside the UK, we ensure it is protected by an appropriate safeguard recognised under UK data protection law:
- For Mailchimp, transfers are covered by its Data Processing Addendum, which incorporates the Standard Contractual Clauses together with the UK Addendum to those clauses.
- For Zapier, transfers are covered by Zapier's certification under the UK Extension to the EU-US Data Privacy Framework, as listed on the Data Privacy Framework Program website.
- For Google (Analytics and advertising), transfers are covered by Google's Data Processing Terms, which incorporate the Standard Contractual Clauses together with the UK Addendum to those clauses.
How long we keep your information
We keep personal data only for as long as we need it for the purposes set out in this statement, and then delete it or securely anonymise it.
- Enquiry data: where you contact us but do not go on to become a client, we keep your name and email for up to 24 months, after which we delete it.
- Newsletter data: we keep your details for as long as you remain subscribed. If you unsubscribe, we remove you from the active list and keep only the minimum record needed to respect your choice not to be contacted.
- Client data: where you become a client, retention is governed by your contract with us and by our legal obligations, including the need to keep financial records for at least six years to meet HM Revenue and Customs requirements.
- Website analytics: data collected through analytics cookies is kept in line with the retention settings of the tools we use.
Your Rights
Under UK data protection law you have a number of rights over your personal information. You have the right:
- to be informed about how we use your data
- to access the personal data we hold about you
- to have inaccurate data corrected (rectification)
- to have your data erased in certain circumstances
- to restrict how we process your data in certain circumstances
- to data portability
- to object to processing, including processing for direct marketing
- to withdraw your consent at any time, where we rely on consent
- to rights relating to automated decision-making and profiling
We do not currently use automated decision-making that has legal or similarly significant effects on you. If we introduce such processing in the future, we will provide clear information about the logic involved, its significance, and how you can request human intervention or challenge the outcome.
To exercise any of these rights, please contact us using the details below. When responding to a Subject Access Request, we carry out searches that are reasonable and proportionate to the request. Where we genuinely need to verify your identity or clarify the scope of your request before we can proceed, we may pause the response timeframe until you provide the information we need.
You can opt out of marketing at any time using the unsubscribe link in any email we send, or by contacting us.
How to contact us and complaints
If you have any questions about this statement, or wish to exercise your rights, please contact our Data Protection team at dp@voragosecurity.com.
If you believe we have handled your personal information incorrectly, please raise it with us in the first instance. We will acknowledge your complaint within 5 working days, investigate it, and let you know the outcome and any action we take. We respond to Subject Access Requests and other rights requests within one month, as required by law.
If you remain dissatisfied, you have the right to complain to the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Website Cookies and Tracking
Our website uses cookies and similar technologies. Some are strictly necessary to make the site work, and these do not require your consent. Others, including analytics and advertising cookies, are only used where you have given your consent.
The non-essential technologies we use include:
- Google Analytics, to understand how visitors use our website
- The Meta (Facebook) pixel and the LinkedIn Insight Tag, which support our advertising and let us measure how well it performs
These set cookies that may transfer data to Google, Meta and LinkedIn, who process it for their own purposes under their own privacy policies. They do not run until you consent.
We manage cookie consent through ConsentPro. When you first visit our site you can choose which categories of cookies to accept or reject. You can change or withdraw your preferences at any time using the cookie settings link on our website.
Changes to this statement
We may update this statement from time to time to reflect changes to our services, systems, legal requirements or best practice. Any changes will be published on this page.
Last updated: June 2026