Last updated: 20 May 2026
Who We Are
Conversec Ltd is the controller responsible for the personal information described in this notice.
Company number: 15503707
Registered office: Crows Nest Business Park, Ashton Road, Billinge, Wigan, England, WN5 7XX
Email: hello@conversec.com
What We Collect
We may collect and use the following personal information:
- Contact details and messages, such as your email address and anything you send through the website contact form or by direct communication.
- Business contact information from direct communications, professional networks, or publicly available business sources.
- Scorecard details, including name, work email, company, role, team size, primary challenge, scorecard answers, calculated scores, maturity profile, and whether you opted in to marketing. If you add an optional context note, we process it transiently for the scorecard result and store derived safety status and themes rather than the free text.
- Technical and security data for the scorecard, including session token hashes, IP address hashes, user-agent hashes, timestamps, and rate-limit events.
- Email delivery and consent records, including queued scorecard result emails, send status, marketing opt-in events, unsubscribe records, and suppression records.
- Website usage and campaign measurement data collected through Google Analytics and the LinkedIn Insight Tag.
Why We Use It
We use personal information to:
- respond to enquiries and manage business communications;
- send scorecard results requested through the website;
- generate scorecard scores, maturity profiles, and practical guidance;
- record and honour marketing preferences, opt-ins, unsubscribes, and suppressions;
- send relevant B2B marketing where permitted and appropriate;
- protect the scorecard from misuse, spam, and excessive automated submissions;
- understand website performance and campaign effectiveness; and
- maintain records needed to operate, secure, and improve our services.
Lawful Basis
We rely on legitimate interests where we process personal information to:
- respond to business enquiries and service-related communications;
- provide the requested scorecard result and related operational messages;
- understand and improve our website, scorecard, and B2B services;
- protect the website and scorecard from misuse; and
- market relevant B2B services to existing and prospective business contacts.
Where we ask you to opt in to marketing, we use that consent for the relevant marketing communications. You can withdraw consent or object to direct marketing at any time.
Scorecard Data
The Pentest Team Maturity Scorecard stores the details needed to calculate your result, email it to you, prevent abuse, and understand how the scorecard is being used. Your answers and calculated results are stored with your submitted contact details so we can support the result email and any appropriate follow-up.
The optional context note is there to help tailor the result. We process it to derive safe themes and do not store the free-text note in the scorecard submission. Please do not include client names, credentials, personal data, or confidential details in that field.
AI-Assisted Scorecard Interpretation
The emailed scorecard result may include AI-assisted interpretation. The AI request is built from scorecard context, such as score bands, dimension scores, role category, team size band, primary challenge category, deterministic guidance, derived themes from the optional note, and filtered optional note text if you provide it and it passes our safety checks.
We do not send name, email address, company name, IP address, or user-agent data to the AI provider. Before using the optional note, we remove obvious email addresses, links, phone numbers, and credential-like strings, and we drop notes that appear to contain high-risk confidential content or prompt-injection instructions. The score, maturity band, core actions, and service route remain deterministic; AI is used only to add a short explanatory readout.
We currently use OpenAI API services for this feature. OpenAI states that API data is not used to train or improve its models by default, unless the customer explicitly opts in. Standard provider logging and retention may still apply.
Analytics And Campaign Measurement
We use Google Analytics to understand general website usage and performance. We use the LinkedIn Insight Tag to measure campaign effectiveness and understand professional audience engagement. LinkedIn may use cookies or similar technologies to associate visits with LinkedIn accounts. We do not receive personally identifiable profile information from these tools.
Who We Share Information With
We may share personal information with:
- Formspree, which processes website contact form submissions;
- email and SMTP providers used to send and manage communications;
- website, database, and hosting providers;
- analytics and campaign measurement providers, including Google and LinkedIn;
- OpenAI, for AI-assisted scorecard interpretation as described above; and
- professional advisers or authorities where required by law or to protect our rights.
We do not sell personal information.
International Transfers
Some providers may process personal information outside the UK. Where this happens, we rely on appropriate safeguards such as adequacy regulations, standard contractual clauses, supplier contractual protections, or another lawful transfer mechanism.
How Long We Keep Information
We keep contact and enquiry information for up to 12 months unless there is an ongoing business relationship or another lawful reason to keep it for longer.
Identifiable scorecard submissions and scorecard result email records are kept for up to 12 months unless there is an ongoing business relationship or another lawful reason to keep them for longer. Scorecard session rows are short-lived, and rate-limit events are kept briefly for security and abuse prevention.
Marketing consent, unsubscribe, and suppression records are kept for as long as needed to evidence consent and honour marketing preferences.
Your Rights
You have rights under data protection law, including the right to ask for access, rectification, erasure, restriction, objection, and data portability. Where processing is based on consent, you can withdraw that consent at any time.
To exercise your rights, email hello@conversec.com. We may need to verify your identity before responding.
How To Complain
If you have concerns about how we use your personal information, please contact us first at hello@conversec.com.
You also have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint/