Instinct Lab
Privacy Notice
Version 1.0 · Last updated 9 June 2026
This notice explains how Instinct Lab handles personal data. It sits alongside the parent TCERC Privacy Policy, which governs the wider relationship with The Cyber Escape Room Co.
Who We Are
Instinct Lab is operated by The Cyber Escape Room Co. Ltd (company number 13753868), registered with the UK Information Commissioner’s Office (registration ZC074478). Registered office: Queensgate House, 23 North Park Road, Harrogate, HG1 5PD. For privacy questions or to exercise your rights, email legal@cyberescaperoom.co.
What We Process
- Account details. Name, work email and role for partner, customer and participant users, so you can sign in and see the data that belongs to your organisation.
- Survey responses. Answers to the executive and staff perception and behaviour questionnaires that feed the methodology.
- Engagement records and scores. The measurement results (the SII perception view and SBI behaviour view) computed from survey responses. Scores are derived measures, tagged with the methodology version used.
- Billing and invoice information. Where applicable, invoice records held in file storage and served only through authenticated routes.
- Audit log. A record of sensitive actions (actor, timestamp and the entity affected) for security and accountability.
- Sign-in. Access is passwordless, by a one-time email link. Your session is held in an HTTP-only cookie.
Lawful Bases
We process the data above to deliver the measurement service under our contract with your organisation, and on the basis of our legitimate interests in securing the platform, keeping an audit trail and improving the service. Lawful bases per processing activity are set out in full in the parent TCERC Privacy Policy.
Sub-Processors
We rely on a short list of trusted suppliers to run Instinct Lab, with a data processing agreement in place for each. The live, authoritative list is published at cyberescaperoom.co/security. The suppliers used by Instinct Lab are:
| Supplier | Used For | Region / Transfer Mechanism |
|---|---|---|
| Vercel | Application hosting and compute | UK / EU |
| Neon | Primary Postgres database (accounts, surveys, scores, audit log) | UK (AWS eu-west-2, London) |
| Vercel Blob | File storage, including invoice documents | UK / EU |
| Resend | Transactional email (sign-in links, notifications) | UK SCCs |
| Anthropic | Claude API for generated copy. Submissions are not used to train Anthropic models and are not retained beyond the request. | UK SCCs |
| Cloudflare R2 | Encrypted off-site database and file backups | EU |
| Sentry | Application error monitoring. Reports are PII-minimised: no IP address stored, cookies and request bodies stripped. | EU (Germany) |
We notify affected customers in advance of material changes to this list (a new sub-processor, or a change of region).
Where Data Sits
Instinct Lab is hosted in the UK and EU only, with no data in US regions. The primary database (Neon Postgres) sits in AWS eu-west-2 (London). Where a supplier processes data outside the UK (for example, AI inference that may transit the United States), the transfer is covered by UK Standard Contractual Clauses or the UK International Data Transfer Addendum, alongside the supplier’s own safeguards.
How Long We Keep It
Account and measurement data is kept for the life of the engagement and for a limited period afterwards so historical reports stay valid, then deleted or anonymised. Audit logs are kept for 24 months. Sign-in links expire within minutes and session cookies are time-limited. Specific windows can be set per engagement in your contract.
How We Protect It
- Encrypted in transit (TLS) and at rest (AES-256 on Neon and Vercel Blob).
- Passwordless sign-in; role-based access; every customer record scoped at the database query level so organisations only ever see their own data.
- Sensitive actions written to an audit log.
- Error monitoring via Sentry with personal data scrubbed before it leaves the application.
- Independent, encrypted off-site backups retained for 30 days.
- Security gates on every code change (static analysis, dependency and secret scanning) and browser security response headers on every route.
Your Rights
Under UK GDPR you can ask for a copy of your data, correct it, have it erased, restrict or object to processing, or receive it in a portable form. Email legal@cyberescaperoom.co and we will respond within one calendar month. If you are a participant, your organisation is the data controller for your results, so we may direct your request to them.
Changes
We update this notice when something material changes (a new sub-processor, a new data type, or a change in a retention window). The version and last-updated date sit at the top. For material changes affecting your account, your contact at TCERC will be in touch.