> cat /policy/privacy.txt_
We practise what we preach. Minimal data collection, no tracking, no profiling, no surprises.
Hedgehog Security Ltd ("we", "us", "our") is the data controller for personal data collected through the website hedgehogsecurity.co.uk (the "Site"). We are a cyber security company registered in England and Wales.
This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
As a cyber security firm, we hold ourselves to the highest standard. We collect only what is necessary, we do not sell or share data with advertisers, we do not profile visitors, and we do not use analytics or tracking technologies. Every piece of data we process has a clear, documented purpose.
We collect the minimum data necessary to operate the Site and respond to enquiries. The table below is an exhaustive list — we do not collect anything beyond this.
| Data | Source | Collected When |
|---|---|---|
| Name | Contact form | You submit an enquiry |
| Email address | Contact form | You submit an enquiry |
| Company name (optional) | Contact form | You choose to provide it |
| Service interest | Contact form dropdown | You submit an enquiry |
| Message content | Contact form | You submit an enquiry |
| IP address | Server (automatic) | Every request to the Site |
| User agent string | Browser (automatic) | Every request to the Site |
| Requested URL and timestamp | Server (automatic) | Every request to the Site |
Data we explicitly do not collect:
| Not Collected | Notes |
|---|---|
| Browsing behaviour or page view analytics | No Google Analytics, Hotjar, Mixpanel, or similar |
| Device fingerprints | No canvas, WebGL, or audio fingerprinting |
| Advertising identifiers or tracking pixels | No Facebook Pixel, LinkedIn Insight Tag, or similar |
| Location data (beyond IP geolocation) | We do not request GPS or fine-grained location |
| Special category data | We do not collect data about health, ethnicity, religion, political opinions, or biometrics |
Under the UK GDPR, we must have a lawful basis for each processing activity. The table below documents the purpose, the data involved, and the legal basis for each.
| Purpose | Data Used | Lawful Basis (Article 6) |
|---|---|---|
| Responding to enquiries: processing and replying to messages submitted via the contact form | Name, email, company, service interest, message | 6(1)(b) — Necessary for the performance of a contract or to take steps prior to entering into a contract at your request |
| CSRF protection: validating that contact form submissions originate from a genuine session on our Site | Session identifier (PHPSESSID cookie), CSRF token | 6(1)(f) — Legitimate interest in preventing cross-site request forgery attacks |
| Rate limiting: preventing abuse of the contact form by throttling excessive submissions | IP address (hashed), submission timestamps | 6(1)(f) — Legitimate interest in protecting the Site from abuse and ensuring service availability |
| Security monitoring: detecting, logging, and responding to malicious requests (e.g. SQL injection, XSS, path traversal attempts) | IP address, user agent, request URL, attack payload (truncated) | 6(1)(f) — Legitimate interest in protecting the Site, our infrastructure, and our users from cyber attacks |
| Server operation: standard web server access and error logging required for the Site to function | IP address, user agent, requested URL, timestamp, HTTP status code | 6(1)(f) — Legitimate interest in maintaining, troubleshooting, and securing the web server |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that the processing is necessary, proportionate, and does not override your fundamental rights and freedoms. The data processed is limited to technical identifiers (IP addresses, user agent strings) and is used solely for security and operational purposes.
Our Site includes a web application firewall that actively inspects incoming requests for common attack patterns. This is not behavioural profiling — it is pattern matching against known malicious signatures, similar to an intrusion detection system.
When a malicious request is detected, we log:
These logs are stored server-side, are not shared with third parties, and are used exclusively for security analysis, incident response, and potential referral to law enforcement in the case of serious or persistent attacks.
Legitimate visitors browsing the Site normally will never trigger this system. It activates only when a request contains signatures consistent with known attack techniques.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected. The retention periods for each category are set out below.
| Data | Storage Location | Retention Period |
|---|---|---|
| Contact form submissions | Email inbox (info@hedgehogsecurity.co.uk) | Retained in our email system for the duration of any resulting business relationship. Enquiries that do not proceed are deleted within 12 months. |
| CSRF session data | Server-side PHP sessions | Expires when you close your browser (session lifetime). Server-side session files are garbage-collected automatically. |
| Rate limit records | Redis (primary) or server file system (fallback) | Automatically expires after 1 hour. Contains only a hashed IP address and submission count — no other personal data. |
| Security (attack) logs | Server file system | Rotated and archived. Retained for up to 12 months to support incident investigation and potential law enforcement referral, then permanently deleted. |
| Web server access logs | Server file system (Apache) | Rotated by the operating system's log rotation utility. Retained for up to 90 days. |
All data is stored on servers located in the United Kingdom. We do not transfer personal data outside the UK unless explicitly stated and appropriate safeguards are in place.
We do not sell, rent, or trade your personal data. We share data only in the limited circumstances described below.
| Recipient | Data Shared | Purpose & Basis |
|---|---|---|
| Hosting provider | Server logs (IP, user agent, URL) | Necessary to operate the web server. The hosting provider acts as a data processor under a Data Processing Agreement (DPA). |
| Law enforcement | Security logs, IP addresses | Only where required by law, court order, or to report serious criminal activity (e.g. sustained cyber attacks). Legal basis: Article 6(1)(c) — legal obligation. |
We do not use any third-party data processors for analytics, marketing, customer relationship management, or advertising. Contact form submissions are delivered to our inbox via the server's local mail transfer agent and are not routed through third-party email marketing platforms.
The Site loads resources from third-party content delivery networks (CDNs). When your browser requests these resources, your IP address and user agent string are transmitted to the CDN provider. We have no control over this — it is an inherent part of how the web works.
| Resource | CDN Provider | Privacy Impact |
|---|---|---|
| Bootstrap 5 (CSS & JS framework) | jsDelivr | No cookies set. jsDelivr privacy policy. |
| Font Awesome 6 (icon library) | Cloudflare | No cookies set. Cloudflare privacy policy. |
| Google Fonts (Orbitron, Rajdhani, Share Tech Mono) | Google | No cookies set. Google logs CSS/font requests including IP address. Google states this data is not combined with other services. Google Fonts privacy FAQ. |
We periodically review these dependencies and will consider self-hosting should any CDN provider change its data practices in a manner that materially affects your privacy.
For full details, please see our dedicated Cookie Policy. In summary:
- PHPSESSID — session cookie for CSRF protection. HttpOnly, Secure, SameSite=Strict. Deleted when you close your browser.
- hh-theme — your chosen visual theme. Stored entirely in your browser. Never sent to our server.
Under the UK Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require consent. As our single cookie exists solely for security (CSRF protection), no cookie consent banner is displayed.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include but are not limited to:
| Measure | Detail |
|---|---|
| Encryption in transit | All traffic to and from the Site is encrypted via TLS (HTTPS). HSTS headers enforce encrypted connections. |
| Input validation & sanitisation | All user input is validated, sanitised, and length-limited before processing. Output is HTML-escaped to prevent cross-site scripting. |
| CSRF protection | Contact form submissions are protected by a per-session, time-limited, cryptographically random CSRF token. |
| Rate limiting | The contact form is rate-limited by IP address to prevent abuse. Rate limit data uses hashed IPs and auto-expires. |
| Web application firewall | Incoming requests are inspected for SQL injection, XSS, path traversal, command injection, and other OWASP Top 10 attack patterns. |
| Security headers | Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers are enforced. |
| Hardened cookie attributes | Session cookies are HttpOnly, Secure, and SameSite=Strict — preventing JavaScript access, plaintext transmission, and cross-site abuse. |
| Access control | Server access is restricted. Internal directories (includes, config, logs) are blocked from public access via .htaccess rules. |
No system is 100% secure. Whilst we take every reasonable precaution, we cannot guarantee absolute security. If you discover a vulnerability, please report it via our Responsible Disclosure Policy.
Under the UK GDPR, you have the following rights in relation to your personal data. You may exercise any of these rights by contacting us at info@hedgehogsecurity.co.uk.
| Right | What It Means |
|---|---|
| Access (Article 15) | You can request a copy of the personal data we hold about you. We will respond within one calendar month. |
| Rectification (Article 16) | You can ask us to correct any inaccurate or incomplete personal data. |
| Erasure (Article 17) | You can ask us to delete your personal data where there is no compelling reason for continued processing. Also known as the "right to be forgotten". |
| Restriction (Article 18) | You can ask us to restrict (i.e. pause) processing of your personal data in certain circumstances. |
| Data portability (Article 20) | You can request your data in a structured, commonly used, machine-readable format. |
| Objection (Article 21) | You can object to processing based on legitimate interest. We must then stop unless we can demonstrate compelling legitimate grounds. |
| Complaint (Article 77) | You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. |
We will respond to all legitimate requests within one calendar month. In exceptional circumstances (complex or numerous requests), we may extend this by a further two months, but we will notify you within the first month if this is the case.
The Site and our services are directed at businesses and professionals. We do not knowingly collect personal data from children under the age of 13. If you believe a child has submitted personal data to us via the contact form, please contact us immediately and we will delete it.
Your personal data is processed and stored on servers located in the United Kingdom. We do not intentionally transfer personal data outside the UK.
However, when your browser loads resources from third-party CDNs (see Section 7), your IP address may be received by servers outside the UK. These transfers occur automatically as part of standard web browsing and are outside our direct control. We have selected CDN providers that maintain appropriate security standards and privacy policies.
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised date. For material changes, we will make reasonable efforts to provide prominent notice.
Initial privacy policy published. Documenting: contact form data processing, CSRF session cookie, rate limiting, security monitoring (WAF logging), server access logs, third-party CDN resources, and localStorage theme preference. No analytics, no advertising, no profiling.
If you have questions about this policy or wish to exercise any of your data protection rights, get in touch.