Legal & Compliance
Privacy Policy
📅 Effective: 3 June 2026
📋 Version: 1.0
⚖️ Jurisdiction: EU / EEA · GDPR Compliant
Plain English Summary — What This Policy Covers
📧 We collect your name, email, company, and job title when you use our security audit tools or ROI calculator.
🎯 We use this data only to deliver your audit results, send follow-up analysis, and invite you to a consultation.
🤖 Your answers are processed by an AI system (Anthropic Claude) to generate your personalised security report. No answers are stored permanently by Anthropic.
🌍 Some data is processed in the United States by tools covered under the EU-US Data Privacy Framework.
🗑️ We delete lead data after 12 months if no engagement results. Client data is kept for 3 years after engagement.
✋ You can request access, correction, or deletion of your data at any time by emailing privacy@a-zglobal.com.
Article 1
Who We Are — Data Controller
A-Z Global Security Consulting ("A-Z Global", "we", "us", "our") is the data controller responsible for personal data collected through our security audit platform, ROI calculator, and related digital tools.
Article 2
What Personal Data We Collect
We collect only the data necessary to deliver the services you have requested. We do not collect sensitive personal data (as defined under GDPR Article 9), financial account details, or any data from individuals under the age of 18.
| Data Category | Specific Data Points | Source | Required? |
| --- | --- | --- | --- |
| Identity data | First name, last name | Audit / calculator form | Yes |
| Contact data | Business email address | Audit / calculator form | Yes |
| Professional data | Organisation name, job title | Audit / calculator form | Yes |
| Business data | Annual revenue (approximate), number of employees or locations | Audit / calculator form | Yes |
| Audit response data | Your answers to the 18 security audit questions, selected country, organisation type, domain risk scores | Audit interaction | Automatically collected on form submit |
| Technical data | Browser type, approximate location (country level), device type — if Google Analytics is enabled | Analytics tools | Only with cookie consent |
| Communication data | Records of emails sent and received in connection with your audit results or consultation | Email correspondence | Generated through engagement |
We do not collect: national identification numbers, passport numbers, bank or payment details, health data, biometric data, criminal record data, or any data relating to children. We do not purchase third-party marketing lists or use your data for profiling unrelated to security consultancy services.
Article 3
Legal Basis for Processing — GDPR Article 6
We process your personal data only where we have a valid legal basis under GDPR Article 6. Different processing activities rely on different bases as set out below.
Art. 6(1)(a) — Consent
Marketing communications
Sending you the audit results email, follow-up analysis emails, and consultation invitation. You provide consent via the checkbox on the audit submission form. You may withdraw consent at any time by clicking unsubscribe or emailing privacy@a-zglobal.com.
Art. 6(1)(b) — Contract
Delivering audit results
Processing your audit answers and generating your personalised risk report constitutes performance of the service you have requested. This processing is necessary to deliver what you asked for when completing the audit.
Art. 6(1)(f) — Legitimate Interests
Internal analysis and service improvement
Analysing aggregate (anonymised) audit response patterns to improve question quality and benchmark accuracy. Our legitimate interest is improving the quality of our security advisory tools. This processing never uses your personal data in identifiable form.
Art. 6(1)(c) — Legal Obligation
Record keeping
Retaining records of client engagements for the duration required by applicable commercial and tax law in Germany (typically 6–10 years for business records). This applies only to confirmed client relationships, not leads.
Article 4
How We Use Your Personal Data
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| Generate and deliver your personalised security risk report | All audit response data, name, organisation, country | Art. 6(1)(b) — Contract |
| Send your audit results by email | Name, email, audit results summary | Art. 6(1)(a) — Consent |
| Send follow-up analysis and consultation invitation (nurture emails) | Name, email, audit type, risk rating | Art. 6(1)(a) — Consent |
| Prepare an internal pre-consultation dossier for Zakaria Ayyad | All audit data processed via Anthropic Claude API | Art. 6(1)(b) — Contract |
| Store lead information in our CRM (Airtable) | Name, email, company, title, audit type, scores | Art. 6(1)(a) — Consent |
| Improve our audit tools using anonymised aggregate data | Anonymised response patterns only — no personal data | Art. 6(1)(f) — Legitimate Interests |
| Comply with legal and tax record-keeping requirements (clients only) | Engagement records, invoices, correspondence | Art. 6(1)(c) — Legal Obligation |
Article 5
Third-Party Processors & Data Transfers
We use the following third-party services to operate our tools. Each acts as a data processor on our behalf under GDPR Article 28. We have selected processors that provide appropriate safeguards for personal data.
Purpose: Processing your audit answers to generate a personalised security risk analysis and internal consultation dossier. Your answers are sent to Anthropic's API and the response is returned. Anthropic does not use API inputs to train its models and does not store personal data beyond the immediate processing session.
Data location: United States · Transfer mechanism: EU-US Data Privacy Framework · Privacy: anthropic.com/privacy
Purpose: Storing lead and client records including name, email, company, job title, audit type, risk scores, and audit completion date. Airtable acts as our CRM and data store for follow-up and consultation scheduling.
Data location: United States · Transfer mechanism: EU-US Data Privacy Framework · Privacy: airtable.com/privacy
Purpose: Automating the workflow between our audit platform, Airtable, and email delivery. When you submit an audit form, n8n receives the data, routes it to Airtable and Anthropic, and triggers confirmation emails. n8n cloud is hosted in Germany.
Data location: Germany (EU) · Transfer mechanism: Not required · Privacy: n8n.io/privacy
Purpose: Anonymous website traffic analytics — page views, session duration, traffic sources. IP addresses are anonymised before processing. Google Analytics will only be activated after cookie consent is obtained from each visitor via our consent banner.
Data location: United States · Transfer mechanism: EU-US Data Privacy Framework · Status: Not yet active — pending cookie consent implementation
We do not sell, rent, or share your personal data with any third party for their own marketing purposes. We do not use your data for automated decision-making that produces legal or similarly significant effects (GDPR Article 22). The AI-generated audit report is advisory only — all final recommendations are reviewed by Zakaria Ayyad personally.
Article 6
Data Retention — How Long We Keep Your Data
We keep personal data only for as long as necessary for the purpose it was collected, and no longer than required by applicable law.
| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Audit leads — no engagement | 12 months from audit completion | Sufficient time for consultation follow-up. Deleted or anonymised after 12 months if no engagement results. |
| Audit leads — consultation booked | 24 months from last contact | Extended retention for active prospects in the sales cycle. |
| Client engagement data | Duration of engagement + 3 years | Legitimate interest for dispute resolution and reference. Minimum required by German commercial law (HGB §257). |
| Invoice and financial records | 10 years | Required by German tax law (AO §147). |
| Email correspondence | 3 years from last contact | Legitimate interest for business continuity and dispute reference. |
| Anonymised audit analytics | Indefinite | No personal data — aggregate patterns only used for tool improvement. |
When data reaches its retention limit, it is permanently deleted from all systems including Airtable, email archives, and any local backups. We conduct a data review every 6 months (June and December) to action deletions.
Article 7
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. You can exercise any of these rights by contacting us at privacy@a-zglobal.com. We will respond within 30 days.
✅ Right of Access Art. 15
You have the right to request a copy of all personal data we hold about you, including your audit responses, lead record, and any correspondence.
✏️ Right to Rectification Art. 16
You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
🗑️ Right to Erasure Art. 17
You have the right to request deletion of your personal data. We will delete all records within 30 days except where retention is required by law.
⏸️ Right to Restrict Processing Art. 18
You have the right to request that we restrict processing of your data while a dispute about accuracy or legitimate basis is resolved.
📦 Right to Data Portability Art. 20
Where processing is based on consent or contract, you have the right to receive your data in a structured, machine-readable format (CSV or JSON).
🚫 Right to Object Art. 21
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
↩️ Right to Withdraw Consent Art. 7(3)
Where processing is based on consent, you may withdraw consent at any time by clicking unsubscribe in any email or contacting privacy@a-zglobal.com. Withdrawal does not affect the lawfulness of prior processing.
⚖️ Right to Lodge a Complaint Art. 77
You have the right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragter für den Datenschutz (BfDI) — bfdi.bund.de. In your EU member state of residence if different.
Article 8
Consent & Marketing Communications
When you complete a security audit or use our ROI calculator and submit the lead form, you are asked to provide explicit consent (via a checkbox) to receive:
1. Your audit results — a personalised summary of your risk rating, domain scores, and top priority actions, delivered by email within minutes of submission.
2. Follow-up analysis — up to three follow-up emails over seven days, each containing additional insight derived from your specific audit answers, designed to help you understand your risk exposure more deeply.
3. A consultation invitation — a personal invitation from Zakaria Ayyad to a free 45-minute security review, based on your audit results.
We will never send unsolicited marketing emails. Every email we send is directly related to the audit you completed and the results you requested. You can unsubscribe from all communications at any time by clicking the unsubscribe link in any email or emailing privacy@a-zglobal.com. Unsubscribe requests are actioned within 5 business days.
Article 9
Cookies & Tracking Technologies
Current status: Our audit platform and ROI calculator do not currently use cookies or tracking technologies. No data is stored in your browser. No tracking pixels are active.
Future analytics: When we activate Google Analytics (planned), we will implement a cookie consent banner that appears before any tracking is initialised. You will be able to accept or decline analytics cookies. Declining will not affect your ability to use any of our tools.
When activated, Google Analytics will be configured with IP anonymisation enabled and data retention set to 14 months. We will not use Google Analytics advertising features, remarketing, or audience sharing.
Article 10
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32.
These measures include: encrypted transmission via HTTPS/TLS for all data in transit; access controls limiting data access to Zakaria Ayyad personally; use of third-party processors with their own security certifications (Anthropic, Airtable, n8n); no storage of audit data in plain text on public systems.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
Article 11
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or third-party services. The version number and "Last updated" date at the top of this document will always reflect the current version.
For material changes that affect how we process your data, we will notify active contacts by email at least 14 days before the change takes effect. Continued use of our tools after that date constitutes acceptance of the updated policy.
Previous versions of this Privacy Policy are available on request by emailing privacy@a-zglobal.com.
Article 12
How to Contact Us
For any questions, requests, or complaints relating to this Privacy Policy or the processing of your personal data, please contact us through any of the following channels. We aim to respond to all privacy-related enquiries within 5 business days and to fulfil all data subject requests within 30 days.