Privacy Policy

Who We Are

Cyber Threat Intelligence Council Ltd. is a company registered in England and Wales (Company No. [XXXXXXXX]), with its registered office at [Address], [City], [Postcode], United Kingdom.

We are the Data Controller for personal data collected through our website, examination portal, and related services. If you have any questions about this policy or your personal data, contact us at privacy@ctic.org.

Data We Collect

We collect personal data in the following categories:

• Account & Registration Data: Name, email address, CTIC ID, and password (hashed) when you register for an account or examination.
• Professional Information: Job title, years of experience, and employer name (where voluntarily provided during exam registration).
• Examination Data: Exam responses, scores, proctoring session recordings, credential status, and certificate issuance records.
• Payment Data: Billing name, address, and payment confirmation. We do not store full card details — payments are processed by our third-party payment provider.
• Technical Data: IP address, browser type, device identifiers, pages visited, and session data collected automatically when you use our website.
• Communications: Any messages you send to us via email, support forms, or live chat.

How We Use Your Data

We use your personal data for the following purposes:

• To create and manage your candidate account
• To register you for, administer, and deliver examinations
• To issue and maintain your digital certification credentials
• To verify your credentials via our public credential registry
• To process payments and issue receipts
• To send you transactional communications (exam confirmations, results, certificate renewals)
• To send you marketing emails about new certifications or resources — only with your explicit consent, which you may withdraw at any time
• To maintain the security and integrity of our examination platform
• To comply with legal obligations and resolve disputes

Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

• Contract (Article 6(1)(b)): Processing necessary to deliver the services you have registered for, including exam administration and certification issuance.
• Legitimate Interests (Article 6(1)(f)): Security monitoring, fraud prevention, and platform improvement — where these do not override your rights.
• Legal Obligation (Article 6(1)(c)): Processing required to comply with UK law.
• Consent (Article 6(1)(a)): Marketing communications and non-essential cookies — where we rely on your opt-in consent.

Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

• Proctoring Partners: Your name, photo ID (for identity verification), and session recording are shared with our remote proctoring provider to ensure exam integrity.
• Payment Processors: Billing data is processed securely by our PCI-DSS compliant payment provider. We do not retain full card numbers.
• Credential Verification: Your name and certification status are displayed in our public credential registry so that employers can verify your CTIC credentials.
• Legal Requirements: We may disclose data if required to do so by law or in response to valid legal requests from public authorities.

All third-party processors are bound by Data Processing Agreements (DPAs) requiring them to protect your data in accordance with UK GDPR.

Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

• Candidate accounts: Retained for the duration of your active credential(s) plus 3 years after expiry
• Exam session recordings: Retained for 90 days post-examination, then securely deleted
• Payment records: Retained for 7 years in accordance with UK financial regulation
• Marketing consent records: Retained until consent is withdrawn

Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

To exercise any of these rights, please email privacy@ctic.org with the subject line "Data Subject Request." We will respond within 30 days.

Cookies

Our website uses cookies to ensure functionality and improve your experience. Cookies we use include:

• Essential cookies: Required for the website and exam portal to function. Cannot be disabled.
• Analytics cookies: Help us understand how visitors use our site (e.g. Google Analytics). Only set with your consent.
• Session cookies: Maintain your login state during an active exam session. Automatically deleted when the session ends.

You can manage cookie preferences at any time via the cookie settings banner on our website.

Children's Data

Our services are intended for professional cybersecurity practitioners and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered without parental consent, please contact us immediately at privacy@ctic.org.

International Data Transfers

CTIC is headquartered in the United Kingdom. If we transfer your data outside of the UK, we ensure appropriate safeguards are in place, such as the UK's International Data Transfer Agreements (IDTAs) or adequacy decisions, in accordance with UK GDPR Chapter V requirements.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The effective date at the top of this page will always reflect the most recent version. For significant changes, we will notify registered users by email.

Contact & Complaints

If you have any questions, concerns, or wish to exercise your rights, please contact our Data Protection point of contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent data protection authority: