Privacy Policy
This policy explains how SecureITX Solutions collects, uses, stores, protects, and discloses personal data. It applies to all visitors, clients, and contacts worldwide.
1. Who We Are
SecureITX Solutions (“SecureITX”, “we”, “us”, “our”) is a cybersecurity, artificial intelligence, and IT solutions company registered in the Hashemite Kingdom of Jordan. We provide penetration testing, compliance automation, identity and access security, security awareness training, enterprise collaboration, and AI-driven business intelligence services to organizations worldwide.
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website at secureitx-solutions.com and any related subdomains
- Prospective clients who submit inquiries or request proposals
- Existing clients and their authorized personnel during service delivery
- Subscribers to our newsletters, alerts, or publications
- Job applicants who submit CVs or applications
- Partners, vendors, and third parties we interact with commercially
This policy does not apply to data processed by SecureITX on behalf of our clients as a data processor. Client-specific data processing is governed by the applicable Data Processing Agreement (DPA) between SecureITX and each client.
3. Data We Collect
We collect the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | First name, last name, job title, organization name | Service delivery, account management, communications |
| Contact Data | Email address, phone number, mailing address | Communications, proposals, invoicing |
| Technical Data | IP address, browser type and version, operating system, device identifiers, time zone, pages visited, referring URL | Security, fraud prevention, website improvement |
| Usage Data | Pages viewed, links clicked, session duration, navigation paths | Analytics, UX improvement |
| Communication Data | Emails, messages, form submissions, meeting notes | Responding to inquiries, service delivery |
| Financial Data | Invoice details, payment status (no full card numbers stored) | Billing and financial administration |
| Professional Data | Employment history, skills, certifications (job applicants only) | Recruitment and hiring |
| Engagement Data | Email open rates, click-through rates, webinar attendance (with consent) | Marketing effectiveness measurement |
Special categories of data: We do not intentionally collect sensitive personal data (such as health data, biometric data, religious beliefs, or political opinions) unless required to do so during a specific engagement with your explicit written consent.
4. How We Collect Data
We collect personal data through the following means:
- Direct interactions: When you complete a contact form, request a proposal, subscribe to our newsletter, apply for a position, or communicate with us directly.
- Automated technologies: Our website uses cookies, server-side logs, and similar technologies to collect Technical Data and Usage Data automatically when you visit.
- Third-party sources: We may receive data about you from business partners, referral networks, or publicly available professional databases (e.g., LinkedIn) strictly for legitimate business outreach purposes.
- Service delivery: During the course of providing services, your organization’s authorized personnel may provide us with personal data of individuals within scope of an engagement.
5. Legal Bases for Processing
We process personal data only where we have a valid legal basis. Our primary legal bases are:
- Contract performance: Processing necessary to deliver services you have contracted, fulfill a proposal request, or manage a client relationship.
- Legitimate interests: Operating and securing our business, improving our services, fraud prevention, direct marketing to existing clients, and business development outreach to professionals where our interest does not override your fundamental rights.
- Legal obligation: Processing required to comply with applicable laws, regulations, court orders, or lawful government requests.
- Consent: Where you have provided explicit, informed, freely given consent – particularly for marketing communications to new contacts and for non-essential cookies.
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. How We Use Your Data
We use the personal data we hold to:
- Deliver, manage, and improve our cybersecurity and IT services
- Respond to inquiries and provide proposals or quotations
- Process transactions and manage billing
- Authenticate users and maintain account security
- Communicate service updates, security advisories, and contractual matters
- Send marketing and promotional communications (where permitted)
- Conduct research, analytics, and product development
- Detect, investigate, and prevent fraud, unauthorized access, and other security incidents
- Meet legal, regulatory, and compliance obligations
- Defend legal claims and enforce our agreements
- Evaluate job applications and conduct recruitment
We will not use your personal data for purposes incompatible with those disclosed at the time of collection without prior notice to you and, where required, your consent.
7. Marketing and Communications
We send marketing communications only where permitted by applicable law:
- New contacts: We will ask for your consent before adding you to our mailing list.
- Existing clients: We may send relevant service updates and cybersecurity advisories based on our legitimate interest, subject to your right to opt out.
- Opting out: Every marketing email includes an unsubscribe link. You may also opt out by submitting a request through our Contact Form. We process opt-out requests within 10 business days.
- Transactional messages: Operational messages related to your active services (such as invoices, security alerts, and project updates) are not affected by marketing opt-out preferences.
We do not sell, rent, or trade your contact information to third-party marketers.
8. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. A full description of each cookie type, its purpose, duration, and provider is available in our Cookie Policy.
In summary, we use:
- Essential cookies: Required for the website to function. No consent required.
- Analytics cookies: Used to understand how visitors interact with our site. Deployed only with your consent.
- Marketing cookies: Used to deliver relevant advertising. Deployed only with your consent.
You can manage your cookie preferences at any time via our cookie consent banner or by adjusting your browser settings. Note that disabling certain cookies may affect site functionality.
9. How We Share Your Data
We do not sell your personal data. We share data only in the following circumstances:
- Service providers: We engage trusted third-party vendors (hosting, email delivery, CRM, analytics, payment processing) who process data on our behalf under binding data processing agreements with appropriate security obligations.
- Professional advisors: Lawyers, accountants, auditors, and insurers, subject to professional confidentiality obligations.
- Regulatory and law enforcement authorities: Where required by applicable law, court order, or lawful government request. We will notify you where legally permitted to do so.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected individuals in advance where feasible.
- With your consent: For any other sharing not described above, we will seek your explicit consent first.
When sharing data internationally, we apply the transfer safeguards described in Section 10.
10. International Data Transfers
SecureITX is based in Jordan. When we transfer personal data to countries outside the Hashemite Kingdom of Jordan or outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, which may include:
- Standard Contractual Clauses (SCCs): European Commission-approved model clauses incorporated into our agreements with data recipients.
- Adequacy decisions: Transfers to countries that the relevant authority (Jordanian Data Protection Authority, European Commission, or UK ICO) has determined provide an adequate level of data protection.
- Binding Corporate Rules: Where applicable for intra-group transfers.
- Derogations for specific situations: Your explicit consent, necessity for contract performance, or protection of vital interests, applied only where SCCs are not available.
You may request a copy of the specific transfer mechanisms we apply to your data by submitting a request through our Contact Form.
11. Data Retention
We retain personal data only for as long as necessary for the purposes collected and to meet legal, accounting, and contractual obligations. Our standard retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Client account and contract data | Duration of contract + 7 years | Legal obligation (accounting, tax, dispute resolution) |
| Security assessment deliverables and findings | 3 years after engagement close | Legitimate interest (quality assurance, legal defense) |
| Marketing contact data | Until opt-out + 30 days processing | Consent / legitimate interest |
| Website technical and usage logs | 12 months | Legitimate interest (security, debugging) |
| Job applicant data (unsuccessful) | 12 months after decision | Legitimate interest (future opportunities, legal defense) |
| Job applicant data (employed) | Becomes part of employment record | Contract performance / legal obligation |
| Financial records and invoices | 7 years | Legal obligation (tax law) |
When data is no longer required, we securely delete or anonymize it using industry-standard methods. Where full deletion is temporarily impractical (e.g., backup media), data is isolated from further processing until deletion is complete.
12. Security Measures
As a cybersecurity company, we apply rigorous technical and organizational controls to protect personal data against unauthorized access, disclosure, alteration, and destruction. Our measures include:
Technical Controls
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Multi-factor authentication for all system access
- Role-based access control (RBAC) based on the least-privilege principle
- Continuous vulnerability scanning and patch management
- Web application firewall and intrusion detection
- Segregated network zones and firewall controls
- Automated security logging and SIEM alerting
Organizational Controls
- Information security policies aligned to ISO/IEC 27001
- Mandatory security awareness training for all staff
- Background checks for personnel with data access
- Non-disclosure agreements with all employees and contractors
- Vendor risk assessments before engaging third parties
- Regular internal security audits and penetration testing
- Incident response plan with defined escalation procedures
- Privacy-by-design approach in all product and service development
No security measure is infallible. If you have concerns about the security of your data, please contact us immediately via our Contact Form.
13. Data Breach Notification
In the event of a personal data breach, we follow a structured response process:
- Detection and containment: Our security team identifies and contains the breach as rapidly as possible.
- Assessment: We assess the scope, nature, categories of data affected, and likely impact on affected individuals.
- Regulatory notification: Where required by applicable law (including Jordan PDPL Article 19 and GDPR Article 33), we notify the relevant supervisory authority within 72 hours of becoming aware of the breach, or as soon as reasonably practicable.
- Individual notification: Where a breach is likely to result in a high risk to your rights and freedoms, we notify affected individuals without undue delay (as required under GDPR Article 34 and Jordan PDPL). Notification includes the nature of the breach, contact details for further information, likely consequences, and measures taken or proposed.
- Remediation: We implement measures to prevent recurrence and document the breach in our internal incident register.
If you suspect that your personal data held by us has been compromised, please contact us immediately via our Contact Form.
14. Automated Decision-Making and Profiling
SecureITX does not make decisions about individuals that produce legal or similarly significant effects based solely on automated processing, including profiling.
Where automated processing is used (for example, to detect fraudulent access attempts or to route inquiry forms), human review is applied before any consequential decision is made. You have the right to request human review of any automated assessment that has affected you by contacting us via our Contact Form.
15. Do Not Track
Some web browsers transmit “Do Not Track” (DNT) signals to websites. Currently, no universally accepted standard exists for how websites should respond to DNT signals. Our website does not currently alter its data collection and use practices in response to DNT signals. We will revisit this position if an industry standard is established.
You can manage your tracking preferences through our cookie consent controls, which remain available regardless of your browser’s DNT setting.
16. Your Privacy Rights (All Individuals)
Regardless of your location, you may exercise the following rights in relation to your personal data:
- Access: Request confirmation of whether we hold personal data about you and obtain a copy.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data where we no longer have a lawful basis to retain it.
- Objection: Object to processing based on legitimate interests, including direct marketing.
- Restriction: Request that we restrict processing in certain circumstances (e.g., while accuracy is disputed).
- Portability: Where technically feasible, receive your data in a structured, machine-readable format.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any right, submit a request through our Contact Form. We will respond within 30 days. We may need to verify your identity before processing your request. Exercising your rights is free of charge unless requests are manifestly unfounded or excessive.
Jordan PDPL – Law No. 24 of 2023
17. Jordan Personal Data Protection Law (PDPL)
SecureITX Solutions is subject to the Jordanian Personal Data Protection Law No. 24 of 2023 (the “PDPL”) and its implementing regulations. As a data controller established in Jordan, we are registered with and accountable to the National Center for Security and Crises Management (NCSCM), which serves as the data protection supervisory authority in Jordan.
Under the PDPL, you have the following rights as a data subject:
- Right of Access (Article 10): Obtain a copy of your personal data and information about how it is processed.
- Right of Correction (Article 11): Request correction of inaccurate or outdated personal data.
- Right of Deletion (Article 12): Request deletion of your personal data where it is no longer necessary for the purpose collected, consent is withdrawn, or processing is unlawful.
- Right to Object (Article 13): Object to processing of your personal data in certain circumstances.
- Right to Restrict Processing (Article 14): Request restriction of processing in specific circumstances.
If you are not satisfied with our response, you have the right to lodge a complaint with the NCSCM at the contact information published on their official website.
GDPR / UK GDPR
18. GDPR Rights (EU, EEA, and UK Individuals)
If you are located in the European Union, European Economic Area, or the United Kingdom, the EU General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data.
In addition to the rights in Section 16, you have the right to:
- Lodge a complaint with your national data protection authority (e.g., the Information Commissioner’s Office (ICO) in the UK, CNIL in France, BfDI in Germany, or the supervisory authority in your EU member state).
- Data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, where technically feasible and where processing is based on consent or contract.
- Not be subject to solely automated decisions (Article 22): As stated in Section 14, we do not make such decisions.
EU/EEA Representative: Where required under GDPR Article 27, SecureITX will designate an EU representative. Details will be published on this page when applicable. EU and EEA data subjects may contact us via the Contact Form in the interim.
Legal bases summary for EU/EEA/UK processing:
- Contract performance (Article 6(1)(b)): Service delivery
- Legitimate interests (Article 6(1)(f)): Security, fraud prevention, marketing to clients, business development
- Legal obligation (Article 6(1)(c)): Regulatory compliance
- Consent (Article 6(1)(a)): Marketing to new contacts, non-essential cookies
California Consumer Privacy Act
19. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may apply to our processing of your personal information.
Categories of personal information collected (past 12 months):
- Identifiers (name, email, IP address)
- Commercial information (services purchased, transaction history)
- Internet or electronic network activity (website usage, browsing interactions)
- Professional or employment-related information (for job applicants)
- Inferences drawn from the above (engagement scoring for marketing)
Your CCPA/CPRA rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising purposes. You do not need to submit an opt-out request for this.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.
To exercise any California privacy right, submit a request via our Contact Form. We will respond within 45 days. We do not accept opt-out requests submitted through authorized agents without proof of authorization.
20. Children’s Privacy
Our website and services are directed exclusively to business professionals and organizations. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data from a minor has been collected without appropriate parental consent, we will delete that information promptly. If you believe we may have inadvertently collected such data, please contact us via our Contact Form.
21. Third-Party Links
Our website may contain links to third-party websites, publications, or services. We do not control and are not responsible for the privacy practices of those sites. Accessing third-party sites is at your own risk. We recommend reviewing the privacy policies of any third-party site you visit.
22. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Increment the version number
- Where required by law or where changes materially affect your rights, notify you by email or a prominent notice on our website
We encourage you to review this policy periodically. Continued use of our website or services after the effective date of changes constitutes acknowledgment of the updated policy, except where applicable law requires fresh consent.
Version 1.1 – 17 May 2025: Added CCPA/CPRA section, expanded security measures, added breach notification procedures, added automated decision-making statement, added Do Not Track statement.
Version 1.0 – 1 January 2025: Initial publication.
23. Contact and Complaints
For all privacy-related inquiries, requests to exercise your rights, or complaints, please use our dedicated Privacy Request Form. We will acknowledge your request within 2 business days and provide a substantive response within 30 days (or within the timeframe required by applicable law).
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
- Jordan: National Center for Security and Crises Management (NCSCM)
- European Union / EEA: Your national data protection authority (find yours at the European Data Protection Board website)
- United Kingdom: Information Commissioner’s Office (ICO)
- California: California Privacy Protection Agency (CPPA)
We are committed to resolving privacy concerns directly and encourage you to contact us first before escalating to a supervisory authority.