UK Cyber Team CIC
 Privacy Policy (Applicants & Participants)

Effective date: 25 February 2026

1. Introduction

This Privacy Policy explains how UK Cyber Team CIC (“UKCT”, “we”, “us”, “our”) collects, uses, discloses and protects personal data from individuals applying to or participating in UKCT programmes, competitions, training, events and related activities.

We are committed to protecting personal data and complying with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This policy applies to personal data collected through our websites and application portals (including https://UkCyberteam.com), forms, emails, events, communications, and other interactions connected to UKCT selection and participation.

2. Data Controller and Contact Details

UK Cyber Team CIC is the “data controller” for the purposes of UK GDPR (meaning we determine how and why your personal data is processed).

Registered name: UK Cyber Team CIC

Registered address: [9 Cardiff Road, Reading, England, RG1 8ER]

Email (privacy enquiries): [info@ukcyberteam.com]

3. Personal Data We Collect

We may collect and process the following categories of personal data, depending on your interaction with UKCT:

(a) Identity and contact information

• Full name

• Email address

• Telephone number (if provided)

• Address (if required for eligibility or logistics)

• Date of birth (where relevant to eligibility checks)

(b) Application and eligibility information

• Application form responses and supporting statements

• Education and experience details (including CVs, where submitted)

• Eligibility confirmations (e.g., residency, age, availability)

• References (if requested and provided)

(c) Competition, training and performance information

• Scores, rankings, results and performance metrics

• Participation history, attendance, and team role information

• Training and coaching notes directly related to programme delivery

(d) Communications and support

• Emails, messages, and correspondence with UKCT staff, volunteers, mentors, and service providers

• Support requests and feedback

(e) Technical and usage information (portal/website)

• IP address and device/browser information

• Log data related to account access, security, and system administration

• Cookie data (where applicable – see Section 12)

We do not intend to collect “special category” personal data (such as health, biometric, racial or ethnic origin, religious beliefs) unless it is strictly necessary, in which case we will provide additional information and (where required) obtain explicit consent or rely on another valid lawful basis.

4. How We Collect Your Data

We collect personal data when you:

• Submit an application or register for a UKCT programme or event;

• Create and use an account on our application portal;

• Participate in competitions, training, coaching, or events;

• Communicate with us by email, online forms, or other channels; and/or

• Provide information to us through third parties you authorise (e.g., references).

5. Purposes of Processing and Lawful Bases

We process your personal data for the purposes set out below, and rely on one or more lawful bases under UK GDPR:

(a) To process and evaluate applications

Lawful bases: performance of a contract (or steps taken at your request prior to entering a contract), and/or legitimate interests (to run fair selection processes).

(b) To administer participation in competitions, training and events (including logistics)

Lawful bases: performance of a contract, and/or legitimate interests.

(c) To communicate with you about your application, programme participation, and operational updates

Lawful bases: performance of a contract and/or legitimate interests. Where communications are marketing in nature, lawful basis: consent.

(d) To safeguard the integrity and security of our systems, prevent misuse and detect fraud

Lawful bases: legitimate interests and/or legal obligation.

(e) To comply with legal and regulatory obligations, and to establish, exercise or defend legal claims

Lawful bases: legal obligation and/or legitimate interests.

Where we rely on legitimate interests, we balance our interests against your rights and freedoms and apply appropriate safeguards.

6. Who We Share Your Data With

We may share your personal data with the following categories of recipients, where necessary for the purposes described in this policy:

(a) Programme delivery partners and support personnel

• Coaches, mentors, assessors and volunteers involved in selection, training and competitions;

• Event organisers and platforms used to run challenges, training or competitions.

(b) Service providers (processors)

• Hosting providers, application portal providers, analytics and security providers;

• Communication providers (e.g., email and messaging platforms);

• Other suppliers who support UKCT operations.

(c) Authorities and other parties where required

• Regulatory bodies, law enforcement or other authorities where required by law;

• Professional advisers (e.g., legal, audit) where necessary;

• Parties involved in a corporate transaction (e.g., restructuring), in which case we will ensure appropriate safeguards.

We do not sell your personal data. We will not share your personal data for third-party marketing purposes without your explicit consent.

7. International Transfers

Some of our service providers may be located outside the UK. Where personal data is transferred internationally, we will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or other recognised mechanisms, together with supplementary measures where needed.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy, including to meet legal, accounting or reporting requirements.

Recommended retention periods (to be confirmed for your programme):

• Application records (unsuccessful applicants): [18 months] after the end of the relevant selection cycle and notification of the following cycle..

• Application records (successful applicants/team members): for the duration of participation plus [3 years] for program evaluation, safeguarding and record-keeping.

• Communications and support records: [24 months] from last interaction (unless required longer for legal reasons).

• Marketing consents: until consent is withdrawn or we determine it is no longer valid.

At the end of the retention period, we will securely delete, anonymise or archive the data in accordance with our retention procedures.

9. Security Measures

We implement appropriate technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures may include:

• Access controls and role-based permissions;

• Encryption in transit and, where appropriate, at rest;

• Secure authentication, logging and monitoring;

• Staff/volunteer confidentiality obligations and training;

• Incident response and breach management processes.

10. Your Data Protection Rights

Under UK GDPR, you may have the right to:

• Request access to your personal data;

• Request correction of inaccurate or incomplete data;

• Request erasure of your personal data (in certain circumstances);

• Request restriction of processing (in certain circumstances);

• Object to processing based on legitimate interests (in certain circumstances);

• Request data portability (in certain circumstances);

• Withdraw consent at any time where we rely on consent (this will not affect the lawfulness of processing before withdrawal).

To exercise any of these rights, please contact us using the details in Section 2. We may need to verify your identity before responding.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your personal data appropriately.

11. Applicants Under 18

If the programme accepts applicants under 18, additional safeguarding and consent arrangements may apply. Where required, we will request parental/guardian consent and provide appropriate notices.

12. Cookies and Analytics

Our websites and portals may use cookies or similar technologies to operate correctly, improve performance and understand usage. Where required, we will provide a cookie notice and consent mechanism.

[Insert cookie notice link or short description of cookie categories used, and whether non-essential cookies are opt-in.]

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will publish the latest version on our website/portal and update the effective date. Where changes are material, we will take reasonable steps to notify you.

14. Reference to Partner Policies

Where UKCT programmes are delivered in collaboration with partners (for example, training or competition partners), additional privacy notices or partner policies may apply to those partner services. Where that is the case, we will direct you to the relevant notices at the point you provide your data to those services.