Privacy Policy

Last updated: 2025-01-15

Controller: Deviant Group S.R.L. (Romania)

Data protection contact: privacy@thedeviantgroup.com

General contact: contact@thedeviantgroup.com

Operating from Bucharest. This notice applies to data we control. Client work is governed by contract.

1) Scope

This policy explains how we process personal data when you use our website, contact us, or work with us. In client engagements we may act as an independent controller (for our methods/outputs) or as a processor (on the client's documented instructions). The applicable role is defined in the contract / DPA.

2) Categories of data

  • Website & comms: identifiers (name, email, role), device & log data (IP, headers, timestamps), cookie IDs, preferences, messages.
  • Marketing/prospecting (B2B): work email, name, company, role, interaction history.
  • Recruitment: CV/resume, contact, experience, eligibility, references.
  • Client operations (B2B): names, roles, contact details, and case-relevant personal data provided by clients or sourced from lawful/public sources to fulfil the engagement.

3) Sources

Directly from you; your employer; public sources; service providers (hosting, analytics, comms, security); and other lawful third parties.

4) Purposes & legal bases (GDPR Art. 6)

  • Provide the website & respond to inquiries: legitimate interests; contract where applicable.
  • Security, abuse prevention, diagnostics: legitimate interests; legal obligations where applicable.
  • B2B marketing & updates: legitimate interests; consent where required. You can object/opt out anytime.
  • Recruitment: steps prior to contract; legitimate interests; legal obligations (eligibility).
  • Client services: contract; legitimate interests; legal obligations (e.g., sanctions screening, accounting).

Where we rely on consent, you may withdraw it at any time; prior processing remains lawful.

5) Role allocation in client work

  • Independent controller: our analytic methods, tooling, models, and outputs.
  • Processor: where a Statement of Work/DPA says so; we process only on the client's instructions and subject to contractual safeguards.

6) Sharing & recipients

We share personal data with:

  • Service providers / subprocessors (hosting, security, communications, analytics, recruiting) under confidentiality and security terms;
  • Professional advisers (legal, audit);
  • Authorities where legally required;
  • Transaction counterparties if we enter a merger/acquisition (with protections).

A list of material subprocessors is available on request: privacy@thedeviantgroup.com.

7) International transfers

Where data leaves the EEA/UK, we use approved safeguards (e.g., EU Standard Contractual Clauses and supplementary measures) and conduct transfer risk assessments where required.

8) Retention

We keep data only as long as needed for the purposes above and legal/accounting requirements. Typical ranges:

  • Web logs & security events: up to 12 months.
  • Inquiries & correspondence: up to 24 months after last activity.
  • B2B marketing records: until opt-out or up to 24 months of inactivity.
  • Recruitment: 12 months (or longer with explicit consent where lawful).
  • Client engagement data: as set by contract/SoW and applicable law.

Specific retention details are available on request.

9) Security

Technical and organizational measures include: encryption in transit/at rest, role-based access, least-privilege, logging/monitoring, vulnerability management, and incident response. We maintain SOC 2-aligned practices; we are not SOC 2 certified at this time.

10) Your rights (EEA/UK)

You can request access, rectification, erasure, restriction, and portability, and you can object to processing (including B2B marketing). Where we rely on consent, you can withdraw consent.

To exercise rights, email privacy@thedeviantgroup.com. We may request reasonable verification and will respond within statutory timelines.

11) Complaints

You can lodge a complaint with your local authority or with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP). We encourage contacting us first.

12) Children

Our services are not directed to children under 16. We do not knowingly process their data.

13) Cookies & analytics

See Cookie Policy for details and choices. Non-essential cookies/analytics run only with consent where required. Preferences can be updated via the consent banner.

14) Automated decisions

We do not make automated decisions producing legal or similarly significant effects on individuals via the public website. Any risk scoring within client engagements is governed by contract and includes human oversight.

15) Changes

We will update this notice as needed and revise the "Last updated" date. For material changes we may post a notice on the Site or contact you by email where appropriate.

Contact: privacy@thedeviantgroup.com