Your Data Rights
Under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and equivalent data-protection laws in other jurisdictions, you have a defined set of rights over your personal data. This page sets out those rights and how to exercise them — including the mechanisms for removing your data from each of our systems.
1. Your rights at a glance
- Right of access (Article 15) — see what personal data we hold about you
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure (Article 17) — have your personal data deleted
- Right to restriction (Article 18) — limit our processing of your data
- Right to data portability (Article 20) — receive your data in a machine-readable format
- Right to object (Article 21) — object to specific processing activities
- Right to withdraw consent — withdraw consent for processing based on consent
2. Remove your data from our systems
Each system that holds your personal data has its own removal mechanism. Below are the steps for each one. If you want comprehensive deletion across every system, see section 2.4.
2.1 Email database (Brevo)
QSECDEF uses Brevo (Sendinblue SAS, France) to send newsletters and member communications. Two removal options are available.
Option A — Unsubscribe from emails
Every email we send contains an unsubscribe link in the footer. Clicking that link stops further emails. Your contact record is retained and marked as opted-out (this is required so we do not accidentally re-import you in the future).
Option B — Full removal from our email database
To remove your contact record entirely from Brevo:
Send an email to info@qsecdef.com with the subject line "REMOVE FROM BREVO" from the email address you wish to remove. We action the deletion within one working day and reply to confirm. Your record is purged from the Brevo database and is not retained or re-imported.
A self-service removal form is being deployed. Until it is live, the email mechanism above is the working channel and is actioned within one working day.
2.2 Membership account (Mighty Networks)
The QSECDEF community is hosted on Mighty Networks. To cancel your membership and delete your member account:
- Log in at qsecdef.com
- Click your profile image in the top right, then Account Settings
- Click Membership, then Cancel Membership
- Follow the on-screen confirmation prompts
Cancelling your membership stops your subscription. To also delete your personal data from Mighty Networks:
- From Account Settings, click Privacy, then Delete Account, OR
- Email info@qsecdef.com with the subject "DELETE MIGHTY NETWORKS ACCOUNT" and we will action the deletion within one working day
If you are cancelling within the refund window, you can also request a refund — see our Refund Policy for the seven-day commercial guarantee and the fourteen-day EU and UK statutory cancellation rights.
2.3 All other systems
For deletion across every other system where we hold your data — including Stripe transaction metadata, Cloudflare authentication logs, our hosted directories, and contact form enquiries — send an email to info@qsecdef.com with the subject line "ERASURE REQUEST".
Please include:
- The email address used
- Any other identifiers you used (member ID, contact form submission date, organisation name)
We acknowledge within two working days and complete the erasure within one calendar month per UK GDPR Article 12(3), or notify you of any extension required for complex requests.
2.4 Full erasure across all systems
If you want to be removed everywhere in one request, send a single email to info@qsecdef.com with the subject line "FULL ERASURE REQUEST". We coordinate the deletion across all systems and confirm completion in one reply.
3. Where your data lives
Each system below holds a different category of personal data. Removing your data from one system does not automatically remove it from another — that is by design, because Stripe transaction records are required to be retained under financial regulation while your Mighty Networks profile is not.
| System | What we hold | Removal mechanism |
|---|---|---|
| Mighty Networks | Name, email, organisation, member profile, posts, messages | Self-service via account settings (section 2.2); or email for full account deletion |
| Brevo | Email address, subscription date, campaign engagement | Self-service unsubscribe link in every email; full removal via email (section 2.1) |
| Stripe (downstream via Mighty Networks) | Transaction metadata only — card details are held by Stripe under PCI DSS | Stripe retains transaction records under financial regulation (see section 4) |
| PostHog (EU instance) | Page views, session ID, device, referrer (only after consent) | Withdraw cookie consent; admin purge by session ID via email request |
| Cloudflare D1 databases | Authentication sessions, OTP codes, audit log | Email request |
| Cloudflare R2 bucket | Expert photos, company logos (uploaded by you) | Email request |
Full sub-processor list with transfer mechanisms: /trust/sub-processors/.
4. What we cannot delete
4.1 Financial transaction records
Stripe (our downstream payment processor) is legally required to retain transaction records for up to ten years for tax, anti-money-laundering, and chargeback dispute purposes. This is a statutory override of the Article 17 right to erasure. The retained record contains transaction metadata only — it does not include card details, which are held by Stripe under PCI DSS.
4.2 Anonymised aggregate statistics
Aggregate statistics derived from tool usage on this site (for example: distribution of Mosca calculator inputs, common Q-day estimate ranges, frequency of cryptographic algorithm look-ups) are retained indefinitely as a public-interest benchmark dataset. These statistics cannot be linked back to any individual and fall outside UK GDPR scope under Article 4(5).
Tool results that are tied to a member account or email address — for example a saved Mosca calculation in your member dashboard — are personal data and can be erased on request.
4.3 Backup snapshots
Sub-processor backup systems may retain copies of your data for up to ninety days past production erasure. Backups are not accessible for ad-hoc deletion. We instruct rotation-out on the standard schedule. This is disclosed openly because some organisations would rather know than be surprised.
5. Response time
Per UK GDPR Article 12(3):
- Acknowledgement: within two working days of receipt
- Completion: within one calendar month, extendable by a further two months for complex requests, with notification to you of the extension and the reason