Cyber Risk International Ltd
Privacy Policy
How Cyber Risk International collects, uses and protects personal data, in compliance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
1. Introduction
Cyber Risk International Ltd (“CRI”, “we”, “us”) is committed to protecting personal data and respecting privacy rights. This Privacy Policy explains how we collect, use, disclose and safeguard personal data across our website, the CyberPrism platform, our newsletter and our advisory services. It also sets out the rights available to individuals under the GDPR.
This policy applies to www.cri.ie, www.cyberriskinternational.com and related CRI services. Where the CyberPrism platform processes personal data on behalf of a client, that processing is also governed by the data-processing terms in the relevant client agreement.
2. Who we are — data controller
For personal data we collect directly — website enquiries, newsletter subscriptions, academy accounts and advisory engagements — Cyber Risk International Ltd is the data controller. The responsible contact for data-protection matters is Paul C Dwyer, Chief Executive Officer.
Where CRI processes personal data within the CyberPrism platform on the instructions of, and on behalf of, a client organisation, CRI generally acts as a data processor and the client is the controller. The roles, responsibilities and safeguards for that processing are set out in the data-processing terms agreed with each client.
Our contact details are in Section 12.
3. Personal data we collect
Depending on how you interact with us, we may collect:
- Contact and enquiry data — name, email address, phone number, organisation, and the content of your message when you use our contact form or correspond with us.
- Newsletter data — name and email address where you subscribe to our mailing list.
- Account data — registration and profile details for CyberPrism, including credentials, course enrolment and progress.
- Engagement data — information exchanged in the course of advisory, assessment and education services.
- Technical data — IP address, browser type, device information and usage data collected through cookies and similar technologies (see Section 8).
4. How and why we use personal data — lawful bases
We process personal data only where we have a lawful basis under Article 6 of the GDPR. Those bases are:
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries and providing requested information | Legitimate interests / steps prior to entering a contract |
| Providing CyberPrism, academy and advisory services | Performance of a contract |
| Sending our newsletter and marketing communications | Consent (withdrawable at any time) |
| Improving our website, services and security | Legitimate interests |
| Meeting legal, regulatory and accounting obligations | Legal obligation |
Where we rely on consent, you may withdraw it at any time — for example, by using the unsubscribe link in any newsletter or by contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. AI processing within CyberPrism
The CyberPrism platform uses Retrieval-Augmented Generation, which integrates a third-party AI model via a secure API to generate guidance grounded in authoritative regulatory sources. Where personal data forms part of an input to that processing, it is handled under this policy and under the data-processing terms agreed with the relevant client.
Our governance of AI within CyberPrism — including our role under the EU AI Act, transparency measures and human oversight — is set out in our CyberPrism AI Policy.
6. Sharing and recipients of personal data
We do not sell personal data. We disclose it only where necessary, and only to the following categories of recipient, each engaged under appropriate contractual safeguards including data-processing agreements where required:
- Service providers acting on our behalf — including providers of hosting and infrastructure, email and communications, customer and learning management, and the AI model that underpins CyberPrism. These providers process personal data only on our instructions and for the purposes we specify.
- Professional advisers — such as legal, accounting and compliance advisers, where necessary.
- Authorities and regulators — where we are required to disclose personal data by law or to protect our legal rights.
We describe recipients by category to protect the confidentiality and security of our operating environment. Specific information about a processor relevant to your personal data can be requested using the contact details below.
7. International transfers
Some of our service providers process personal data outside the European Economic Area (EEA). Where that occurs, we ensure an appropriate transfer mechanism is in place — such as an adequacy decision of the European Commission or the European Commission’s Standard Contractual Clauses, together with any additional safeguards required — so that your personal data continues to receive a level of protection consistent with the GDPR.
8. Cookies
Our website uses cookies and similar technologies, including third-party cookies from video providers, to enable core functionality, remember preferences and understand how the site is used. Non-essential cookies are set only with your consent, which you can manage or withdraw at any time through our cookie-consent tool or your browser settings.
9. Data security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Data is stored on secure infrastructure and access is restricted to authorised personnel. As a cybersecurity firm, security is central to how we operate; however, no method of transmission or storage is entirely secure, and we cannot guarantee absolute security.
10. Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting or reporting requirements, to resolve disputes and to enforce our agreements. When data is no longer required, it is securely deleted or anonymised.
11. Your rights under the GDPR
Subject to the conditions set out in the GDPR, you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure of your data;
- restrict or object to our processing of your data;
- request portability of your data;
- withdraw consent where processing is based on consent.
To exercise any of these rights, please contact us using the details below. We will respond within one month, as required by the GDPR. You also have the right to lodge a complaint with the Irish supervisory authority, the Data Protection Commission (www.dataprotection.ie), or with the supervisory authority in your country of residence.
12. Contact us
For any questions about this Privacy Policy or to exercise your rights:
Cyber Risk International Ltd
ICTTF House – Unit 15, N17 Business Park, Tuam, Co. Galway, H54 H1K2, Ireland
Web: www.cri.ie
Email: via our contact page
Phone: +353-(0)1-905 3260
Registered Company: 550801 | VAT: IE 3292853TH | DUNS: 985605977
13. Changes to this policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page, and where changes are significant we will provide a more prominent notice. We encourage you to review this page periodically.
Last updated: June 2026.