Privacy policy


Tradecraft exists to help organisations to be more secure. As part of that work, we routinely advise clients to minimise the amount of personal data that they collect and hold. The more data organisations keep, the more risk they must accept.

We take the same approach ourselves with the data that we hold: minimising what we collect, and keeping only what we need.

Data we collect

Information about our clients and their teams

In order to be able to meet the obligations that we take on when we enter into a contract with our clients, we keep information about our clients and their teams to allow us to contact them and maintain effective continuity of service.

Website analytics

We use a third-party service, Google Analytics, to record information about visits to this website. We use this information to understand how to improve the site and make it more useful. We do not use this data to attempt to identify particular website visitors.

Google Analytics uses cookies to track website visitors. Google may use this data to personalise its services. Google provides the ability to opt out of this process if you wish to.

By accessing our website, you consent to these uses of this data.

Marketing and communications

If you contact us, we will retain your contact information indefinitely. We believe that it is in our legitimate interest to be able to keep track of queries, offers and other communications that we receive, and to be able to retrieve this information as needed.

If you choose to subscribe to a marketing newsletter, we will send you occasional emails containing marketing content. You may unsubscribe from these emails at any time.

We operate a mailing list for clients to which we add details of client staff provided to us when their employer enters into a contract with Tradecraft. This list is used to send clients occasional updates about changes to our services, our availability and other important developments. You may unsubscribe from these emails at any time, but if you do so, you may not receive important information pertinent to the services we provide you.

We use a third-party service, Hubspot, to store and manage information about our clients, sales enquiries and orders. You can read more about Hubspot's privacy policy in its role as a data processor.

Visiting our premises

If you visit our offices, you will be asked to enter some basic information about yourself in our visitor log. We use these records to maintain the security of our premises and staff, and to manage our office capacity.

We use a third-party service, Proxyclick, to collect information about visitors to our office. Read more about Proxyclick's privacy arrangements.

Our offices provide a Wi-Fi network for the use of guests. This Wi-Fi network does not record any information about users or their internet activity.

Data obtained during our work

Data obtained from our clients

During our work, we may access personal data held by our clients. In general:

  • Our processing of any such data is limited to whatever is necessary to achieve the goals of our work; and
  • On the conclusion of the work, we destroy copies of any data that we have made.

The personal data that we may retain after the conclusion of work are:

  • Small excerpts taken from large datasets to illustrate security problems which may be included in our reports or notes of work. We use these excerpts to help our clients better understand how to mitigate security risks.
  • User credentials that we have been able to compromise during simulations. We keep this data in order to be able to verify, during subsequent engagements, that compromised credentials are no longer functional.

Data obtained by Tradecraft

We operate private services that gather and collect items of open source intelligence. These items may include personal data. We collect this intelligence based on a set of rules designed to match confidential information which has entered the public domain. Most items collected are retained indefinitely, because we do not know at the time of collection what information may be relevant to client engagements carried out in the future.

We collect and use this information because confidential information which has entered the public domain is often used by malicious hackers as part of attacks. We use the information to provide as realistic and genuine an assessment of our clients' security as we can. The results of our work are then used to improve the organisational and technical measures our clients take to protect the data they hold. As such, we believe the collection and retention of this information is in our legitimate interests, and those of our clients.

Access to your data

GDPR gives you the right to access the data that we hold about you, and request that it be amended. If you would like to exercise this right, please send an email to with "GDPR data access request" in the subject.

Changes to this policy

This policy is reviewed regularly, and may be changed without notice.