Privacy Policy
Last updated: 20 April 2026
1. Who We Are
Quantum Security Defence ("QSECDEF", "we", "us") is an independent membership organisation for quantum security professionals. We are the data controller for personal data collected through this website (quantumsecuritydefence.com) and our membership and event services.
- Legal entity name: Quantum Security Defence
- Registered address: [To be confirmed: registered address]
- Company number: [To be confirmed: UK company number]
- Jurisdiction: United Kingdom
- Supervisory authority: Information Commissioner's Office (ICO), United Kingdom. ico.org.uk
To contact us about this policy or to exercise your data rights, email: info@qsecdef.com
2. Data We Collect
2a. Data You Provide Directly
- Email subscription data: first name, last name (optional), email address, company (optional), country (optional). Collected via five subscription surfaces: scroll banner, exit modal, footer form, contact page form, and tool results forms (PQC Readiness Checklist and similar tools).
- Workshop registration data: full name, email address, organisation, role, nationality, passport or ID reference, telephone number, and reason for attending. Collected when you register for a QSECDEF workshop.
- Contact form data: name, email address, and message content when you submit a contact enquiry.
- Membership data: name, email address, organisation, job title, country, and payment details when you apply for or purchase a membership.
- Speaker request data: name, contact details, and proposal information submitted via the speaker request form.
2b. Data We Collect Automatically via PostHog Analytics
We use PostHog (PostHog Inc.) hosted on EU infrastructure (eu.i.posthog.com, project 141686) to collect analytics data. PostHog operates under an EU Standard Contractual Clauses data processing agreement. The following data is collected when you visit our site, subject to your cookie consent choice:
Pre-consent analytics (before you make a consent choice)
Before you make a consent choice on our cookie banner, PostHog is loaded in memory-only mode. This mode sets no cookie, writes no localStorage, sessionStorage, or IndexedDB entry, and stores no identifier on your device. A random session ID is held in JavaScript heap memory only and does not survive the page close. We do not call posthog.identify(), and no email or persistent identifier is linked to the session.
The IP address received by PostHog's EU infrastructure in transit is stripped before the event is written to persistent storage. The full IP address is not retained in processed event data. QSECDEF does not receive or retain your IP address.
This pre-consent data collection has two legal bases. Under Art. 5(3) of the ePrivacy Directive, no consent is required because no information is stored on, or accessed from, your terminal equipment. Under Art. 6(1)(f) of UK GDPR and EU GDPR, we rely on legitimate interests for measuring site usage, feature-flag exposure, and click events for the purpose of improving the website and the services we provide to members and visitors. A written Legitimate Interests Assessment covering this processing is held on file and is available for regulator review on request.
On Accept: PostHog is upgraded to cookie-based tracking, the ph_phc_[token]_posthog cookie is set, and a persistent distinct_id is assigned. See the Cookie Policy for the full list of cookies set after consent.
On Reject: PostHog capture is fully stopped. No further analytics events are sent, no cookie is set, and your choice is recorded in a strictly-necessary preference cookie (qsecdef_cookie_consent) that does not require consent.
Properties collected automatically by PostHog (autocapture):
- IP address: captured at the point of request, then anonymised within PostHog EU infrastructure. The full IP address is not retained in processed event data.
- User agent string: browser name, version, and operating system.
- Device type: desktop, mobile, or tablet.
- Referrer URL: the URL of the page you arrived from, if any.
- Current page URL and pathname: recorded on every page event.
- Viewport dimensions: screen width and height at time of visit.
- Autocaptured click events: element tag, text content, CSS classes, and position for elements you click. PostHog autocapture is enabled.
- Feature flag exposure: which variant you are shown when A/B tests are active (current tests: homepage-variant with variants A/B/C; email-cta-copy with 4 arms). This is recorded under the PostHog event $feature_flag_called.
- Web vitals: Core Web Vitals metrics (Largest Contentful Paint, First Input Delay, Cumulative Layout Shift) recorded under the event $web_vitals.
- Session identification: PostHog assigns a pseudonymous distinct_id stored in a first-party cookie (ph_phc_[token]_posthog) to link events within and across sessions.
Custom events we fire:
- $pageview: fired on every page load. Properties include page URL, pathname, referrer, and title.
- $pageleave: fired when you leave a page. Properties include time on page and scroll depth.
- $autocapture: fired on user interactions (clicks, form submissions). Properties include element details and page context.
- email_subscribed: fired when you submit an email subscription form. Properties include form location (scroll_banner, exit_modal, footer, contact, tool_results), page URL, and A/B variant assignment. Purpose: measure email capture conversion rate by source and variant.
- membership_cta_clicked: fired when you click a membership call-to-action button. Purpose: measure membership funnel entry rate.
- Popup Impression (legacy): recorded when the exit modal or scroll banner is displayed. May appear in historical data.
- Popup Conversion (legacy): recorded when a subscription form within a popup is submitted. May appear in historical data.
- $feature_flag_called: fired when PostHog evaluates a feature flag for your session. Properties include flag key, variant assigned, and whether the flag matched.
- $web_vitals: performance metrics. No personal data beyond session context.
Identification:
When you submit any of our email subscription forms (scroll banner, exit modal, footer, contact page, or tool results), we call posthog.identify() with your email address as the distinct identifier. This links your prior anonymous browsing session to your email address in PostHog. From that point, events from your session are associated with your email address in our PostHog analytics account.
This identification only occurs after you voluntarily submit your email. It does not occur for anonymous visitors who do not submit a form.
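The pre-consent, Accept and Reject states above, and the identify-on-subscribe rule, as one browser-side consent gate. This is an added illustration, not QSECDEF's production code. The PostHog client and the cookie jar are injected so the logic runs offline; the method names and option values (init, set_config, opt_out_capturing, identify, capture, persistence 'memory' / 'localStorage+cookie') follow posthog-js as I know it and are assumptions to check against the vendor documentation, and the project token is a placeholder.

```javascript
// Consent gate for PostHog: pending = memory-only, accepted = cookie persistence,
// rejected = capture stopped. Added example; not the site's own code.
const CONSENT_COOKIE = 'qsecdef_cookie_consent';        // strictly-necessary preference cookie (from the policy)
const POSTHOG_HOST = 'https://eu.i.posthog.com';         // EU ingest host (from the policy)
const POSTHOG_TOKEN = 'phc_PLACEHOLDER_PROJECT_TOKEN';   // placeholder, not the real token

// Consent-gated jurisdictions named in the policy: UK, EU/EEA, Switzerland, Brazil.
const CONSENT_GATED = new Set([
  'GB', 'CH', 'BR', 'IS', 'LI', 'NO',
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
]);

// Read one cookie value from a document.cookie-style header string.
function readCookie(header, name) {
  for (const part of header.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

class ConsentGate {
  constructor(posthog, cookieJar, countryCode) {
    this.ph = posthog;
    this.jar = cookieJar;
    this.gated = CONSENT_GATED.has(countryCode);
    this.state = 'pending';
  }

  // Called once on page load, before any banner interaction.
  start() {
    const stored = this.gated ? readCookie(this.jar.read(), CONSENT_COOKIE) : 'accepted';
    if (stored === 'accepted') {           // prior Accept, or a jurisdiction served under legitimate interests
      this.ph.init(POSTHOG_TOKEN, { api_host: POSTHOG_HOST, persistence: 'localStorage+cookie', autocapture: true });
      this.state = 'accepted';
    } else if (stored === 'rejected') {    // prior Reject: capture is not loaded at all
      this.state = 'rejected';
    } else {                               // no choice yet: heap-only session, nothing written to the device
      this.ph.init(POSTHOG_TOKEN, { api_host: POSTHOG_HOST, persistence: 'memory', autocapture: true });
      this.state = 'pending';
    }
  }

  accept() {
    if (this.state !== 'pending') return;
    this.jar.write(`${CONSENT_COOKIE}=accepted; Max-Age=31536000; Path=/; SameSite=Lax; Secure`);
    this.ph.set_config({ persistence: 'localStorage+cookie' }); // upgrade: analytics cookie and persistent distinct_id
    this.state = 'accepted';
  }

  reject() {
    if (this.state !== 'pending') return;
    this.jar.write(`${CONSENT_COOKIE}=rejected; Max-Age=31536000; Path=/; SameSite=Lax; Secure`);
    this.ph.opt_out_capturing();                                // stop all further events; no analytics cookie is set
    this.state = 'rejected';
  }

  // Identification happens only here, on a voluntary form submission, never on page load.
  subscribe(email, formLocation) {
    if (this.state === 'rejected') return false;               // gate-level guard, independent of the client's own opt-out handling
    this.ph.identify(email);
    this.ph.capture('email_subscribed', { form_location: formLocation });
    return true;
  }
}

// Constructed stand-ins so the gate runs without a browser or the real library.
function fakePosthog() {
  const calls = [];
  return {
    calls,
    init: (_token, opts) => calls.push(['init', opts.persistence]),
    set_config: (opts) => calls.push(['set_config', opts.persistence]),
    opt_out_capturing: () => calls.push(['opt_out']),
    identify: (id) => calls.push(['identify', id]),
    capture: (event) => calls.push(['capture', event]),
  };
}
function fakeCookieJar(initial = '') {
  let header = initial;
  return { read: () => header, write: (s) => { header = header ? `${header}; ${s.split(';')[0]}` : s.split(';')[0]; } };
}

// Run one visit end to end and return what the client saw.
function runScenario(countryCode, existingCookies, choice, email) {
  const ph = fakePosthog();
  const jar = fakeCookieJar(existingCookies);
  const gate = new ConsentGate(ph, jar, countryCode);
  gate.start();
  if (choice === 'accept') gate.accept();
  if (choice === 'reject') gate.reject();
  const identified = email ? gate.subscribe(email, 'footer') : null;
  return { calls: ph.calls, cookies: jar.read(), state: gate.state, identified };
}
```

The gate refuses to identify once the visitor has rejected, as its own guard rather than relying on the client library's internal opt-out handling, and a stored Reject means PostHog is never initialised on later visits, which matches the policy's statement that the banner only reappears after cookies are cleared.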
2c. Data Collected by Third-Party Services
See Section 7 (Third-Party Services) for details of data collected by Brevo, Cloudflare, and Stripe.
3. Legal Basis for Processing (GDPR Article 6)
We process personal data under the following legal bases under UK GDPR and EU GDPR Article 6:
3a. Consent (Art. 6(1)(a))
- PostHog analytics cookies and the associated analytics data collection (pageviews, autocapture, feature flag exposure, session tracking). For visitors from the United Kingdom, EU/EEA, Switzerland, and Brazil, these are only set after you accept via our cookie consent banner. Visitors from other jurisdictions are served analytics under the legitimate interests basis (see 3c below).
- Newsletter subscription emails sent to Brevo list #43. You give consent when you submit a subscription form.
- Marketing communications beyond transactional messages.
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. See Section 6 for how to withdraw.
3b. Contract Performance (Art. 6(1)(b))
- Processing membership application data, payment facilitation, and delivering member benefits (access to lectures, events, the member directory) for paid members across Individual ($149 lifetime), Company ($499/yr), and Expert ($4,950/yr) tiers.
- Processing workshop registration data to administer attendance, payment, and delegate communications.
- Delivering transactional emails confirming subscription, registration, or account status.
3c. Legitimate Interests (Art. 6(1)(f))
- Server-side security logging and fraud detection (Cloudflare logs, request-level data). Our legitimate interest is protecting the integrity and availability of the website.
- Analytics data collected from visitors outside the United Kingdom, EU/EEA, Switzerland, and Brazil, where consent-gating is not required. Our legitimate interest is understanding how the website is used and improving its performance.
- Internal aggregated analytics used to improve website performance, identify broken pages, and understand traffic patterns, where processing does not rely on consent-based analytics cookies.
- Responding to contact form enquiries and speaker requests, where the data subject initiates contact.
You have the right to object to processing based on legitimate interests under Art. 21. See Section 6.
3d. Legal Obligation (Art. 6(1)(c))
- Retaining minimum necessary records of data subject requests and deletion completions under Art. 30 (Records of Processing Activities). We retain an audit log of: "deletion requested on DATE, completed on DATE". The personal data itself is not retained in this log.
4. Data Retention
- PostHog analytics data: retained for 1 year (free tier). Individual person profiles can be deleted on request (see Section 6).
- Brevo contact records (newsletter list #43): retained while you remain on the list. If you unsubscribe or request deletion, records are removed from the active list. Brevo's system-level retention after deletion is governed by Brevo's own data retention policy (Sendinblue SAS, France). We will initiate deletion of your contact record from Brevo within 7 days of a verified deletion request.
- Brevo paid member list (#50) and broadcast list (#40): retained while your membership is active. Upon membership cancellation or deletion request, records are removed from relevant lists within 7 days.
- Workshop registration data: retained for 36 months after the workshop date for administrative and compliance purposes (delegate lists may be required for security-cleared events). For defence-adjacent workshops, regulatory obligations may extend this period.
- Contact form submissions: retained for 24 months.
- Cloudflare access logs: Cloudflare retains logs per its own data retention schedule. Standard Cloudflare log retention is 7 days for free/pro plans and up to 30 days for enterprise. Cloudflare does not retain identifiable personal data beyond these windows as part of its standard CDN operation.
- Stripe financial records: payment transaction records are retained by Stripe for up to 7 years to meet financial regulation requirements. This retention is a legal obligation on Stripe as an independent data controller.
- Deletion audit logs: minimum record of "request received DATE, deletion completed DATE" retained for 36 months for regulatory defensibility (GDPR Art. 30).
- Membership account data: retained while membership is active, plus 12 months after cancellation for accounting and dispute resolution purposes.
5. Cookies and Consent Management
For visitors from the United Kingdom, the European Union/EEA, Switzerland, and Brazil, a cookie consent banner is displayed on first visit. Analytics cookies (PostHog) are not set until you accept. If you decline analytics cookies, the site remains fully functional. See our Cookie Policy for a full list of cookies, their names, durations, and purposes.
Visitors from other jurisdictions have PostHog analytics loaded automatically under a legitimate interests basis.
You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site. The consent banner will reappear on your next visit if you are in a consent-gated jurisdiction.
6. Your Rights
6a. Rights Under UK GDPR and EU GDPR
Under UK GDPR (UK Data Protection Act 2018) and EU GDPR Regulation (EU) 2016/679, you have the following rights:
- Right of access (Art. 15): to request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Art. 16): to request correction of inaccurate personal data we hold about you.
- Right to erasure / right to be forgotten (Art. 17): to request deletion of your personal data where (a) the data is no longer necessary for the purpose it was collected, (b) you withdraw consent and there is no other legal basis, (c) you object to processing under Art. 21 and we have no overriding legitimate grounds, or (d) the data has been unlawfully processed. Erasure requests trigger our RTBF process detailed in Section 9.
- Right to restriction of processing (Art. 18): to request that we restrict processing of your data in certain circumstances (for example, while accuracy is contested).
- Right to data portability (Art. 20): where processing is based on consent or contract and carried out by automated means, to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): to object to processing based on legitimate interests or for direct marketing purposes. On receipt of an objection to marketing, we will stop processing immediately. On receipt of an objection to legitimate interest processing, we will assess whether we have compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing. To withdraw consent for analytics cookies, clear your cookies and decline on the consent banner at your next visit. To withdraw consent for newsletter emails, use the unsubscribe link in any newsletter email.
- Right to lodge a complaint with a supervisory authority:
- UK residents: Information Commissioner's Office (ICO). ico.org.uk/make-a-complaint
- French residents: Commission Nationale de l'Informatique et des Libertés (CNIL). cnil.fr/en/complaints
- Other EU/EEA residents: your national data protection authority. A list is maintained by the European Data Protection Board at edpb.europa.eu
6b. Rights Under US State Privacy Laws
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) (California Civil Code § 1798.100 et seq.) provides you with the following rights:
- Right to know (§ 1798.110): to know what personal information we have collected about you, the sources, our business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete (§ 1798.105): to request deletion of your personal information, subject to certain exceptions.
- Right to correct (§ 1798.106): to request correction of inaccurate personal information.
- Right to opt out of sale or sharing (§ 1798.120): we do not sell or share personal information for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm.
- Right to limit use of sensitive personal information (§ 1798.121): we do not use sensitive personal information beyond what is necessary for the service.
- Right to non-discrimination (§ 1798.125): we will not discriminate against you for exercising any of your CCPA rights.
Virginia residents have similar rights under the Virginia Consumer Data Protection Act (VCDPA) (Va. Code § 59.1-575 et seq.). Colorado residents have similar rights under the Colorado Privacy Act (CPA) (C.R.S. § 6-1-1301 et seq.).
To exercise any US state privacy right, contact us using the process in Section 8 below. We will respond within 45 days (CCPA/CPRA) or 60 days (VCDPA, CPA) of a verified request.
7. Third-Party Services and Data Processors
PostHog (Analytics)
- Provider: PostHog Inc., 965 Mission St, Suite 200, San Francisco, CA 94103, USA.
- Data processed: session data, pageviews, click events, device and browser data, feature flag assignments, email address (after identification). See Section 2b for full event list.
- EU hosting: this project uses PostHog's EU cloud region (eu.i.posthog.com). Data is stored and processed in the EU.
- Transfer mechanism: PostHog Inc. is a US entity. Despite EU hosting, as a US-incorporated entity it falls under US law. Transfer to PostHog is covered by Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller to Processor). [VERIFIED: PostHog DPA documentation, 2026-04. ASSUMED: SCC module confirmation; owner: Steven; resolve by: legal review]
- PostHog's privacy policy: posthog.com/privacy
Brevo (Email Service)
- Provider: Sendinblue SAS (trading as Brevo), 7 rue de Madrid, 75008 Paris, France.
- Data processed: email address, first name, last name, company, country, subscription source, A/B variant, signup date. Stored across lists #43 (newsletter), #50 (paid members), and #40 (broadcast).
- Transfer mechanism: Brevo is an EU-headquartered company (France). Processing primarily occurs within the EU. Brevo may use sub-processors in non-EU countries; their sub-processor list and SCCs are available via Brevo's DPA. [VERIFIED: Brevo is a French company, 2026-04. ASSUMED: sub-processor locations; resolve at legal review]
- Brevo's privacy policy: brevo.com/legal/privacypolicy
Cloudflare (Hosting and CDN)
- Provider: Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA.
- Services used: DNS, Cloudflare Pages (hosting), DDoS protection, global CDN, Cloudflare Workers (serverless functions).
- Data processed: IP addresses, request metadata, HTTP headers, server-side logs. Cloudflare processes this data as part of delivering the website and protecting against abuse.
- Transfer mechanism: Cloudflare is a US entity with global points of presence. Cloudflare operates under Standard Contractual Clauses for EU/UK data. Cloudflare has published a Data Processing Addendum covering GDPR obligations. [VERIFIED: Cloudflare GDPR documentation, 2026-04]
- Cloudflare's privacy policy: cloudflare.com/privacypolicy
Stripe (Payment Processing)
- Provider: Stripe Payments Europe Ltd (for EU/UK transactions), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; and Stripe Inc. (global), 354 Oyster Point Blvd, South San Francisco, CA 94080, USA.
- Data processed: payment card data, billing name, email address, transaction amounts. Stripe is an independent data controller for payment data; QSECDEF does not receive or store raw card data.
- Retention: Stripe retains financial transaction records for up to 7 years to meet financial regulation requirements.
- Transfer mechanism: Stripe Payments Europe Ltd is an EU-incorporated entity (Ireland). Cross-border transfers to Stripe Inc. in the US are covered by Standard Contractual Clauses. [VERIFIED: Stripe has a European legal entity, 2026-04. ASSUMED: specific SCC configuration; resolve at legal review]
- Stripe's privacy policy: stripe.com/privacy
8. How to Exercise Your Rights (Data Subject Requests)
How to submit a request
Email info@qsecdef.com with the subject line: "Data Subject Request: [type of request]" (for example: "Data Subject Request: Access" or "Data Subject Request: Erasure").
Include: your full name, the email address associated with your QSECDEF account or subscription, and a description of your request.
Identity verification
We are required to verify your identity before acting on a request to prevent unauthorised disclosure or deletion. We will send a confirmation link to the email address you provide. You must click the link to confirm the request originates from the email address on file. For high-sensitivity requests (erasure, portability), we may request additional verification.
Response times
- UK GDPR / EU GDPR: we will respond within one calendar month of receiving a verified request (Art. 12(3)). We may extend by a further two months for complex or numerous requests, in which case we will notify you of the extension and the reason within the first month.
- CCPA/CPRA: we will respond within 45 days of receiving a verifiable consumer request. We may extend by a further 45 days where reasonably necessary, with prior notice.
- VCDPA / CPA: we will respond within 45 days, with a possible 45-day extension on notice.
9. Right to Erasure: Technical Process
When we receive a verified erasure request (GDPR Art. 17, or equivalent under CCPA § 1798.105), we will complete the following within 7 working days of verification:
- PostHog: delete the person profile associated with your email address and distinct_id via the PostHog person deletion API. This removes all event data linked to your identity.
- Brevo: delete your contact record from all QSECDEF lists (#43, #50, #40) via the Brevo contacts API. This removes your email address, attributes, and list memberships.
- Cloudflare / server logs: Cloudflare access logs cycle automatically per Cloudflare's retention schedule (7 days for standard plans). No manual deletion action is required or possible for standard CDN logs.
- QSECDEF membership database: if you have a membership record in any local or Cloudflare D1 database, your record will be deleted.
- Stripe: if you have made a payment, Stripe holds transaction records as an independent controller. Payment records are subject to Stripe's own data retention obligations (including financial regulation requirements that may require Stripe to retain transaction records for up to 7 years). We will instruct Stripe to delete any non-legally-required personal data. You may also contact Stripe directly at stripe.com/privacy.
After completion, we will send you a confirmation email stating that the deletion is complete. We retain only a minimum audit log: "Deletion requested: [DATE]. Deletion completed: [DATE]." This log contains only the dates, not your personal data, and is retained for 36 months for regulatory defensibility under GDPR Art. 30.
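The erasure steps above as one runner that records only the dates the policy permits and sends the confirmation only when every step succeeded. This is an added illustration, not QSECDEF's own tooling. Every external call is injected so it runs offline. Assumptions: the PostHog EU REST API is served from eu.posthog.com (the ingest host in the policy is eu.i.posthog.com), the persons lookup and deletion endpoints and the Brevo contacts deletion endpoint are as in the vendors' public API documentation as I recall them, and 204 is the success status for both deletes; verify all of these against current vendor documentation before use. Project id 141686 comes from the policy; the email address and the two person profiles are constructed.

```javascript
// Erasure runner for the Section 9 steps. Added example; not the site's own code.
const POSTHOG_API = 'https://eu.posthog.com';   // assumed EU API host
const POSTHOG_PROJECT = 141686;                 // project id from the policy
const BREVO_API = 'https://api.brevo.com/v3';   // assumed Brevo REST base

// Audit entry as the policy describes it: dates only, no personal data.
function auditEntry(requested, completed) {
  const day = (d) => d.toISOString().slice(0, 10);
  return { requested: day(requested), completed: completed ? day(completed) : null };
}

// deps.http(method, url) -> { status, body }; deps.deleteMemberRecord(email) -> bool;
// deps.requestStripeDeletion(email) -> bool; deps.now() -> Date.
async function eraseSubject(email, deps) {
  const { http, deleteMemberRecord, requestStripeDeletion, now = () => new Date() } = deps;
  const requested = now();
  const steps = [];

  // 1. PostHog: find every person profile carrying this email, delete each one with its events.
  const base = `${POSTHOG_API}/api/projects/${POSTHOG_PROJECT}/persons/`;
  const lookup = await http('GET', `${base}?email=${encodeURIComponent(email)}`);
  const people = lookup.status === 200 ? (lookup.body.results ?? []) : [];
  for (const person of people) {
    const del = await http('DELETE', `${base}${person.id}/?delete_events=true`);
    steps.push({ step: `posthog:${person.id}`, ok: del.status === 204 });
  }
  if (lookup.status !== 200) steps.push({ step: 'posthog:lookup', ok: false });

  // 2. Brevo: deleting the contact removes attributes and every list membership (#43, #50, #40).
  //    404 means the contact is already absent, which is the desired end state.
  const brevo = await http('DELETE', `${BREVO_API}/contacts/${encodeURIComponent(email)}`);
  steps.push({ step: 'brevo', ok: brevo.status === 204 || brevo.status === 404 });

  // 3. Membership record (D1 or local database), via the injected function.
  steps.push({ step: 'membership', ok: await deleteMemberRecord(email) });

  // 4. Stripe is an independent controller: we can only ask for non-legally-required data to be removed.
  steps.push({ step: 'stripe', ok: await requestStripeDeletion(email) });

  // Fail closed: the completion date and the confirmation email exist only when every step succeeded.
  const complete = steps.every((s) => s.ok);
  return { complete, steps, audit: auditEntry(requested, complete ? now() : null) };
}

// Constructed HTTP stand-in: two PostHog profiles exist for the subject; the Brevo status is configurable.
// Only method and host are logged, so the log itself carries no personal data.
function fakeHttp(log, brevoStatus = 204) {
  return async (method, url) => {
    log.push(`${method} ${new URL(url).host}`);
    if (method === 'GET' && url.includes('/persons/?email=')) {
      return { status: 200, body: { results: [{ id: 'p-1' }, { id: 'p-2' }] } };
    }
    if (url.startsWith(BREVO_API)) return { status: brevoStatus, body: null };
    return { status: 204, body: null };
  };
}

// Run the whole procedure against the stand-ins and return the outcome plus the call log.
async function demo(brevoStatus = 204) {
  const log = [];
  const result = await eraseSubject('subject@example.com', {
    http: fakeHttp(log, brevoStatus),
    deleteMemberRecord: async () => true,
    requestStripeDeletion: async () => true,
    now: () => new Date('2026-04-20T10:00:00Z'),
  });
  return { ...result, log };
}
```

If any processor call fails, the runner leaves the completion date empty and the request stays open for retry, so a confirmation email is never sent for a partial deletion.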
10. International Data Transfers
We are a United Kingdom company and operate under UK GDPR (for UK data subjects) and EU GDPR (for EU/EEA data subjects). Where we transfer personal data outside the UK or EEA, we rely on the following safeguards under GDPR Chapter V (Arts. 44-49):
- PostHog Inc. (US): Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914), Controller to Processor, Module 2.
- Cloudflare Inc. (US): Standard Contractual Clauses. Cloudflare has published a GDPR-compliant Data Processing Addendum incorporating SCCs.
- Stripe Inc. (US): Standard Contractual Clauses. Stripe Payments Europe Ltd (Ireland) is the primary contracting entity for EU/UK transactions.
- Brevo / Sendinblue SAS (France): no transfer outside the EEA for the primary processing. Sub-processors may be located in third countries; Brevo's DPA and sub-processor list govern those transfers.
For UK data subjects, we apply the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs where required by the UK GDPR framework, in place of or in addition to the EU SCCs above.
11. Children's Data
Our services are directed at professionals and organisations. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us at info@qsecdef.com and we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy when our data processing activities change, when new third-party services are introduced, or when regulatory requirements change. Changes will be posted on this page with an updated "last updated" date. For material changes, we will notify active subscribers by email. We will not reduce your rights under this policy without your explicit consent.