Privacy

Last updated: May 27, 2026

1. Introduction

Ransom-ISAC ("we", "our", or "us") is committed to protecting the privacy and personal data of our members, website visitors, newsletter subscribers, and anyone who interacts with our services. This policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and other applicable data protection legislation.

This policy applies to all personal data processed through our website (ransom-isac.org), membership platform, communication channels, newsletter services, and any related services we operate.

2. Data Controller

The data controller responsible for your personal data is:

Ransom-ISAC

3. What Data We Collect

Website Visitors. When you visit our website, we may collect technical data such as your IP address, browser type and version, operating system, referring URL, pages visited, time and date of access, and approximate geographic location derived from your IP address.

Newsletter Subscribers. When you subscribe to our newsletter, we collect your email address, name (if provided), organisation (if provided), and the date and time of subscription. We also record your consent to receive communications and may track whether emails are opened or links are clicked for the purpose of improving our communications.

Members. When you apply for or maintain membership, we may collect your full name, professional email address, organisation name and role, professional background information, contact details, and any correspondence exchanged during the membership process.

Event Attendees. If you register for events, webinars, or conferences, we collect your name, email address, organisation, and any dietary or accessibility requirements you provide.

4. How We Use Your Data

| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Website operation and security | Technical/server log data | Legitimate interest (Art. 6(1)(f)) |
| Sending newsletters and updates | Email, name, organisation | Consent (Art. 6(1)(a)) |
| Membership administration | Contact details, professional info | Contract performance (Art. 6(1)(b)) |
| Event registration and delivery | Name, email, dietary/access needs | Contract performance (Art. 6(1)(b)) |
| Website analytics (where consent given) | Cookies, usage data | Consent (Art. 6(1)(a)) |
| Responding to enquiries | Contact details, message content | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and fraud prevention | As required by law | Legal obligation (Art. 6(1)(c)) |

5. Cookies and Similar Technologies

Our website uses cookies. Strictly necessary cookies are required for the website to function and cannot be switched off. Analytics cookies help us understand how visitors interact with our website and are only placed with your consent.

You can manage your cookie preferences through your browser settings or our cookie consent banner. Refusing non-essential cookies will not affect the core functionality of our website.

6. Newsletter and Email Communications

We send newsletters and updates only to individuals who have provided explicit consent (opt-in). Each email includes an unsubscribe link. You may withdraw your consent at any time by clicking the unsubscribe link in any email.

We use a third-party email service provider to deliver our communications. Your data is shared with this provider solely for that purpose, under a contract that complies with GDPR Article 28.

We may track email open rates and link clicks in aggregate to improve the relevance of our communications. This does not involve profiling or automated decision-making.

7. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

Service providers: Trusted third-party providers for email delivery, website hosting, analytics, and platform services, processing data only on our behalf under GDPR-compliant contracts.

Legal obligations: Where required by law, regulation, or legal process.

With your consent: Where you have given specific, informed consent.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including adequacy decisions, Standard Contractual Clauses (SCCs), or other safeguards permitted under applicable data protection law.

Details of specific transfer mechanisms are available on request.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

| Data Category | Retention Period | Notes |
|---|---|---|
| Website server logs | 90 days | Automatically deleted |
| Newsletter subscriber data | Until consent is withdrawn | Deleted within 30 days of unsubscribe |
| Member data | Duration of membership + 12 months | For continuity purposes |
| Event registration data | 12 months after the event | For follow-up and feedback |
| Enquiry/contact data | 12 months after last interaction | Unless ongoing relationship exists |
| Cookie data | Max 12 months | Configurable via cookie preferences |

When personal data is no longer required, it is securely deleted or anonymised.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit, access controls, and regular review of security practices.

11. Your Rights

Under the GDPR, individuals have rights regarding their personal data, including access, rectification, erasure, restriction of processing, data portability, and the right to object. Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of prior processing.

Requests may be directed to us via our website and will be handled in accordance with applicable legal requirements.

You also have the right to lodge a complaint with a supervisory authority.

12. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via our website and, where appropriate, by email at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision.