Privacy Policy — The Cyber Escape Room Co.

The Cyber Escape Room Co. Ltd

Privacy Policy

Last updated: 19 May 2026


01. Who We Are

The Cyber Escape Room Co. Ltd ("TCERC", "we", "us", "our") is a company registered in England and Wales. We deliver immersive cybersecurity training through physical escape room activities, digital platforms, large-scale installations, and augmented reality experiences.

Registered name: The Cyber Escape Room Co. Ltd
Company number: 13753868
Registered address: Queensgate House, 23 North Park Road, Harrogate, HG1 5PD
ICO registration: ZC074478
Privacy contact: legal@cyberescaperoom.co

02. What This Policy Covers

This Privacy Policy explains how we collect, use, store, and share personal data when you interact with us. It covers:

  • Visitors and prospects who contact us through our website or attend our webinars
  • Business customers and their employees who use our training platforms and services
  • Individuals who participate in any TCERC training experience, whether in person or digitally
  • People who complete our public self-assessment tools

If you are an employee participating in a TCERC training experience arranged by your employer, your employer is the data controller for your participation. Please also refer to your employer's own privacy policy.

03. Data We Collect

3.1 Website and Marketing Enquiries

When you contact us through our website contact form or register for a webinar, we collect:

  • Name and job title
  • Business email address and telephone number
  • Company name
  • The content of your message or enquiry

This data is collected to respond to your enquiry and, where relevant, to follow up about our services. We process this data on the basis of legitimate interests. A privacy notice is displayed at the point of collection. You may opt out of marketing communications at any time.


3.2 Instinct Lab Platform (Behavioural Measurement)

Instinct Lab is our proprietary behavioural measurement platform used across our training products. When participants use Instinct Lab, we collect:

  • Name, email address, job title, and profile photograph (optional)
  • Organisation name, industry sector, country, and approximate organisation size
  • Responses to behavioural assessment surveys (up to 53 questions per survey, covering scenario-based, scale, and concrete question types)
  • Executive survey responses, including leadership perception data and alignment gap scores
  • Composite behavioural scores: Security Instinct Index (SII), Security Behaviour Index (SBI), pillar scores, behaviour cell scores, and maturity and risk bandings
  • Longitudinal refit data: repeated measurement responses over time to track behavioural change
  • AI-generated behavioural analysis reports derived from your survey responses (see section 5)
  • Support chat messages sent through the platform
  • Onboarding confirmation data (industry, country, organisation size)

3.3 Escape Room and Physical Training Experiences (ESC and SPACE_)

When participants take part in physical escape room or large-scale installation experiences, we collect:

  • Name and email address (provided by the organising customer)
  • Team name and session assignment
  • Run data: start time, completion time, elapsed time, number of hints used, phase split timings, and whether the escape was successful
  • Completion code verification status
  • NPS rating (0 to 10) and open-text feedback provided after the event
  • Certificate of completion data (name, scenario, team, date, outcome)

3.4 CMD (Crisis Simulation Platform)

CMD is our cybersecurity crisis simulation platform for facilitated breach response exercises. We collect:

  • Name, email address, and role (selected from a curated role catalogue)
  • Mobile telephone number — collected directly from participants via a secure in-session form for the purpose of receiving AI-generated voice calls during the exercise. Phone numbers are encrypted at rest using AES-256-GCM and are automatically and irreversibly deleted when the session moves to debrief or archived status, and daily for any abandoned sessions. Phone numbers are never accessible to facilitators or administrators.
  • In-session inbox messages, poll responses, and decision submissions
  • Real-time session metrics and pressure score data associated with participant decisions
  • Call transcripts from AI-generated voice interactions during the exercise
  • Post-session feedback survey responses

3.5 CTRL+Vish (Voice Phishing Simulation)

CTRL+Vish is our vishing (voice phishing) simulation and training product. We collect:

  • Name and email address
  • Call transcripts from AI-powered practice and assessment calls
  • Behavioural scorecard data: accuracy, response quality, and engagement scores derived from call transcript analysis
  • Session completion and outcome data

3.6 SHIFT (Digital Training Platform)

SHIFT is our digital escape room and security awareness platform. We collect:

  • Name and email address for platform accounts
  • Account credentials (passwords are stored in hashed form only and are never accessible in plain text)
  • Training session data: time taken to complete challenges, number of attempts, scenario progress, and similar activity metrics
  • AI-generated session scores and scoring breakdowns

3.7 Augmented Reality Experiences (ALT and Simstac-Powered)

For augmented reality escape room experiences delivered through our ALT product and in partnership with Simstac, participants interact directly with Simstac's platform. We collect:

  • Name and email address (provided by the organising customer)
  • Session completion data and outcomes shared back to Instinct Lab

Simstac is an independent data controller for data processed within their platform. Please refer to Simstac's privacy policy for information about their data practices.


3.8 Call and Video Recording

Where you speak with us by telephone or video call, calls may be recorded or transcribed using AI-assisted tools (Motion) for internal note-taking and project management purposes. You will be informed at the start of any such call and may request that recording is stopped at any time. Call recordings and transcripts are retained for 90 days and then deleted.


3.9 Public Self-Assessment Tools

Our public Behaviour Cycle quiz captures name, email address, and company name via an email gate to deliver your quiz results. This data is also used to follow up with information about our services, on the basis of legitimate interests. You may opt out at any time via the unsubscribe link in any email we send.


3.10 Data We Do Not Collect

We do not intentionally collect special category personal data (such as health data, ethnicity, religion, or political opinions). We do not collect payment card details directly — payments are handled by Stripe's PCI-compliant systems. We do not collect data about children.

04. How We Use Your Data

Purpose | Data used | Lawful basis
Delivering training services | Platform and participation data | Contract performance
Responding to enquiries and quotes | Contact data | Legitimate interests
Invoicing and financial records | Contact and billing data | Legal obligation
Generating behavioural measurement reports and dashboards | Survey responses and scores | Contract performance
AI-generated scoring and analysis (see section 5) | Survey data, call transcripts, session data | Contract performance
Longitudinal benchmarking and methodology development (anonymised) | Anonymised aggregate data | Legitimate interests
Marketing to prospects and leads | Contact and enquiry data | Legitimate interests
Complying with legal obligations | As required by law | Legal obligation

05. AI Processing

We use artificial intelligence to generate reports, scores, and analysis from participant data across several of our products. This section explains how AI is used and what safeguards are in place.

5.1 Where AI Is Used

  • Instinct Lab: Claude (Anthropic) generates structured behavioural analysis reports from participant survey responses and scores. Reports are auto-generated when a baseline survey is frozen and can be manually re-run.
  • CTRL+Vish: Claude (Anthropic) scores call transcripts against a three-layer behavioural rubric (outcome, behaviour, and session integrity) to produce participant scorecards.
  • CMD: Claude (Anthropic) generates debrief summaries from session data including decisions, poll responses, metric trajectories, and call transcripts.
  • SHIFT: Claude (Anthropic) scores training sessions using an AI judge against scenario context.

5.2 What Data Is Sent to Anthropic

Survey responses, behavioural scores, call transcripts, session metadata, and role information are transmitted to the Anthropic API to generate reports and scores. This data is processed by Anthropic as a sub-processor on our behalf under a data processing agreement with UK Standard Contractual Clauses in place.

Anthropic does not use data submitted via the API to train its AI models. Your participant data is used solely to generate the requested output and is not retained by Anthropic beyond the processing of each individual request.


5.3 Human Oversight

All AI-generated reports and scores are reviewed by trained facilitators or account managers before being used in client-facing contexts. AI output is clearly labelled as AI-generated within our platforms. We do not use AI to make automated decisions that have legal or significant effects on individuals without human review.

06. Marketing

We send marketing communications to prospects and customers on the basis of legitimate interests. We have assessed that our interest in communicating about relevant cybersecurity training services is proportionate and not overridden by individual rights, given the professional and business-to-business nature of our communications.

You may opt out of marketing communications at any time by clicking the unsubscribe link in any email, or by contacting us at legal@cyberescaperoom.co. We will action opt-out requests within five working days.

07. Who We Share Data With

7.1 Sub-Processors

We use a limited number of third-party service providers (sub-processors) who process personal data on our behalf. Our full and current list of sub-processors is published at www.cyberescaperoom.co/security and is updated whenever we add, change, or remove a processor.

We enter into data processing agreements with all sub-processors and ensure that appropriate safeguards are in place for any international data transfers.


7.2 International Transfers

Some of our sub-processors are based outside the UK or European Economic Area. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved under UK data protection law or reliance on the UK's adequacy decisions. Details are published in our sub-processor register.

Data hosted on Vercel, Neon, Vercel Blob, and CMD's database is stored in the UK. Data processed by US-based sub-processors including Anthropic, Mailchimp, Resend, Stripe, ElevenLabs, Twilio, Motion, and Microsoft is subject to UK Standard Contractual Clauses.


7.3 Other Disclosures

We may share personal data with third parties in the following circumstances:

  • Where required by law, court order, or regulatory authority
  • With professional advisers (lawyers, accountants) under strict confidentiality obligations
  • In the event of a merger, acquisition, or sale of our business, subject to appropriate notice

We do not sell personal data to third parties.

08. Data Anonymisation and Research Use

We are developing anonymisation processes across our platforms. Once personal data is genuinely anonymised — that is, irreversibly stripped of any information that could identify an individual directly or indirectly, including by reference to organisation, role, or any combination of attributes — it falls outside the scope of UK GDPR and may be retained indefinitely.

We intend to use anonymised, aggregated data for the following purposes:

  • Developing and improving our behavioural methodology and question banks
  • Building sector and industry benchmarks for cybersecurity behaviour maturity
  • Research and methodology development in partnership with academic or industry bodies
  • Improving the accuracy and relevance of our AI-generated reports

Anonymisation processes are being built into Instinct Lab, CMD, CTRL+Vish, SHIFT, and ESC. Until those processes are in place, we retain identified data only for the periods set out in section 9 below.

09. How Long We Keep Your Data

Data type | Retention period
Website enquiry and contact form data | 24 months from last contact, then deleted
Webinar registration data | 24 months from registration, then deleted
Behaviour Cycle quiz lead data | 24 months from submission (or from last marketing contact if earlier), then deleted
Instinct Lab participant data (identified) | Duration of the customer contract plus 30 days, then anonymised and retained as aggregate benchmark data
ESC and SPACE_ participation and run data | Duration of the customer engagement plus 12 months, then anonymised
CMD mobile phone numbers | Deleted automatically on session end (debrief or archived status). Daily cron purge for abandoned sessions. Not retained beyond the session under any circumstances.
CMD call transcripts and session data | 90 days from session end, then deleted
CTRL+Vish call transcripts and scorecard data | 90 days from session end, then deleted
SHIFT session and scoring data | Duration of the customer contract plus 30 days, then deleted
Call and video recordings (Motion) | 90 days from the date of the call, then deleted
Financial and invoicing records | 7 years from end of financial year (legal obligation)
Customer account and contact data | Duration of the business relationship plus 6 years

10. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access: to request a copy of the data we hold about you
  • Right to rectification: to ask us to correct inaccurate data
  • Right to erasure: to ask us to delete your data in certain circumstances
  • Right to restriction: to ask us to restrict how we process your data
  • Right to data portability: to receive your data in a structured, machine-readable format
  • Right to object: to object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: where processing is based on consent, to withdraw it at any time

To exercise any of these rights, contact us at legal@cyberescaperoom.co. We will respond within one calendar month. You also have the right to complain to the Information Commissioner's Office (ICO) at www.ico.org.uk if you believe we have not handled your data lawfully.

11. Security

We maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

  • Encryption of personal data in transit (TLS) and at rest
  • AES-256-GCM encryption for particularly sensitive data (such as mobile phone numbers in CMD)
  • Role-based access controls limiting data access to authorised personnel on a need-to-know basis
  • Multi-tenant database architecture with row-level security ensuring customer data is isolated
  • Automatic deletion processes for time-limited data categories
  • Audit logging of sensitive data access and changes

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO without undue delay and in any event within 72 hours of becoming aware.

12. Cookies and Website Analytics

Our website uses cookies. Strictly necessary cookies are placed automatically to ensure the website functions correctly. We will ask for your consent before placing analytical or marketing cookies. You can manage your cookie preferences at any time via the cookie banner on our website.

We use standard web analytics to understand how visitors use our website. This data is collected in aggregate and anonymised form and is not used to identify individual visitors.

13. Changes to This Policy

We review and update this Privacy Policy periodically to reflect changes in our services, data practices, or legal requirements. We will notify customers of any material changes by email or by a notice on our website. The date at the top of this policy shows when it was last updated.

14. Contact Us

For any questions about this Privacy Policy or how we handle your personal data:

The Cyber Escape Room Co. Ltd

Queensgate House, 23 North Park Road, Harrogate, HG1 5PD

legal@cyberescaperoom.co

ICO registration: ZC074478

Company No. 13753868