Privacy Policy

Who We Are

UltimateBit is an independent Cybersecurity and GRC consulting practice based in Portugal, operating worldwide on a remote basis. This policy explains how we collect, use, and protect the personal data you provide when submitting our contact form.

For any data-related enquiries: use our contact form.

Data We Collect

When you submit our contact form, we collect the following personal data:

• Full Name — to identify and address you
• Company / Organisation — to understand your professional context
• Email Address — to respond to your enquiry
• Phone Number — optionally provided, for direct follow-up
• Message / Engagement Description — to understand your needs and scope

We do not collect any sensitive personal or financial information.

Legal Basis for Processing

We process your personal data under the following legal bases as defined by the GDPR (EU Regulation 2016/679):

• Legitimate Interest (Art. 6(1)(f)) — responding to a business enquiry you have voluntarily initiated
• Pre-contractual measures (Art. 6(1)(b)) — evaluating and preparing for a potential engagement
• Consent (Art. 6(1)(a)) — where explicitly indicated at the point of data submission

How We Use Your Data

Your data is used exclusively to:

• Respond to your enquiry and discuss a potential engagement
• Prepare a proposal or scope of work if appropriate
• Maintain a record of our business correspondence

We do not use your data for marketing, profiling, automated decision-making, or any purpose unrelated to your enquiry.

Data Sharing & Third Parties

Your data is not sold, rented, or shared with third parties for commercial purposes. Data submitted via the contact form is processed by Microsoft Forms (Microsoft 365), subject to Microsoft's own privacy policy and data processing terms.

Where sub-contractors or partner consultants are involved in delivering an engagement, only the minimum necessary information will be shared, under confidentiality obligations.

Data Retention

Enquiry data is retained for a maximum of 12 months from the date of submission, unless an engagement is initiated — in which case it may be retained for the duration of the engagement plus 3 years to satisfy legal and contractual record-keeping obligations.

You may request deletion of your data at any time (see Your Rights below).

Data Security

As a cybersecurity practice, we apply appropriate technical and organisational measures to protect your personal data — including access controls, encrypted communications, and secure storage. Data submitted via Microsoft Forms is stored within Microsoft's EU-based data centres.

Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of Access — request a copy of the data we hold about you
• Right to Rectification — correct inaccurate or incomplete data
• Right to Erasure — request deletion of your data ("right to be forgotten")
• Right to Restriction — limit how we process your data
• Right to Portability — receive your data in a structured, machine-readable format
• Right to Object — object to processing based on legitimate interest

To exercise any of these rights, use our contact form. We will respond within 30 days.

Complaints

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with the Portuguese data protection authority:

• CNPD — Comissão Nacional de Proteção de Dados
• www.cnpd.pt

Changes to This Policy

This policy may be updated periodically to reflect changes in our practices or applicable law. The date at the top of this page reflects the most recent revision. Continued use of our contact form following any update constitutes acceptance of the revised policy.