Privacy Policy

Last updated: 18 March 2026

Arcseer Limited ("Arcseer", "we", "us", "our") is committed to safeguarding personal data in accordance with applicable data protection legislation. Our primary obligations arise under the UK General Data Protection Regulation ("UK GDPR"), as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 ("DPA 2018"), as amended by the Data (Use and Access) Act 2025 ("DUAA"). Where Arcseer processes personal data of individuals in the European Economic Area ("EEA"), the EU General Data Protection Regulation (Regulation (EU) 2016/679) may also apply.

1. Scope of this Policy

This Privacy Policy explains how we collect, use, and protect personal data:

  • when you use our website
  • when we provide cybersecurity services, including AI-enabled penetration testing and monitoring
  • when we interact with you as a customer, partner, or user

2. Our Role

Depending on the context, Arcseer acts as:

  • Data Processor – when delivering services to customers (e.g. penetration testing, monitoring)
  • Data Controller – for website analytics, marketing, and business operations

Where we act as a processor, we process data strictly in accordance with our customers' instructions.

3. Data We Process

3.1 Website and Business Data

  • contact details (name, email, company)
  • website usage data (via cookies and analytics)

3.2 Customer Service Data

In delivering cybersecurity services, we may process:

  • system and application data
  • logs and telemetry
  • configuration data
  • credentials (where required for testing and explicitly authorised)

3.3 Data Identified During Security Assessments

During testing, Arcseer may identify:

  • vulnerabilities
  • exposed data
  • misconfigurations
  • personal or sensitive data within customer systems

Such data is:

  • processed solely for the purpose of the assessment
  • minimised wherever possible
  • not retained unnecessarily

3.4 AI-Derived Data

We may generate:

  • model outputs
  • inferred risk assessments
  • prioritised findings

These outputs support cybersecurity specialists and do not replace human judgement.

4. How We Use Data

We process data for the following purposes:

  • delivering penetration testing and security monitoring services
  • identifying and reporting vulnerabilities
  • improving detection and analysis capabilities
  • maintaining and securing our platforms

5. Use of Data for AI Training

Arcseer does not use customer data for AI training by default.

Where customer-derived data is used to improve or train AI models:

  • this will only occur with explicit prior agreement
  • data will be manually anonymised before use
  • data will not be used in a way that identifies individuals or organisations

6. Legal Basis for Processing

We process data under:

  • Contractual necessity – to deliver agreed services
  • Legitimate interests – to operate and improve our services (and, where applicable, recognised legitimate interests as introduced by the DUAA)
  • Consent – where required (e.g. cookies, AI training use cases)

We comply with:

  • UK GDPR
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
  • EU GDPR (Regulation (EU) 2016/679) – where Arcseer processes personal data of EEA residents or otherwise falls within its territorial scope

7. Security of Data

Arcseer implements a defence-in-depth security approach, including:

  • encryption in transit and at rest
  • role-based access controls and least privilege principles
  • audit logging and monitoring
  • network segmentation
  • secure software development practices
  • vulnerability management processes

We are working towards alignment with ISO 27001.

8. Data Retention

  • Customer data is retained for the duration of an active engagement
  • Upon inactivity, data is retained for up to 3 months, then securely deleted
  • Sensitive data identified during testing is minimised and not retained unnecessarily

9. Data Sharing and Subprocessors

Arcseer uses trusted infrastructure providers, including:

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Microsoft Azure

We:

  • process data securely and in accordance with our policies
  • do not sell or share data for marketing purposes
  • provide a list of subprocessors on request

10. International Data Transfers

Where data is transferred outside the UK:

  • we implement appropriate safeguards, including International Data Transfer Agreements ("IDTAs") or the UK Addendum to EU Standard Contractual Clauses, as approved by the Secretary of State under Article 46 UK GDPR
  • we prioritise UK-based processing where possible

11. Data Subject Rights

Individuals have the right to:

  • access their data
  • request correction or deletion
  • restrict or object to processing
  • receive their personal data in a portable format (right to data portability, where applicable)
  • contest significant decisions made solely by automated means and seek human intervention, in accordance with Article 22C UK GDPR (as amended by the DUAA)
  • lodge a complaint with the Information Commissioner's Office ("ICO"), the UK's supervisory authority for data protection (ico.org.uk)

Where Arcseer acts as a processor, requests should be directed to the relevant customer (data controller). We will support customers in fulfilling such requests.

12. Incident Handling

Arcseer maintains processes to detect and respond to security incidents. In the event of a personal data breach, we will:

  • notify affected customers without undue delay
  • notify the ICO within 72 hours of becoming aware of a notifiable breach, in accordance with Article 33 UK GDPR
  • take appropriate containment and remediation measures

13. US Privacy Considerations

To the extent that Arcseer processes personal data of residents of US states with applicable privacy legislation (including the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020 ("CCPA/CPRA")), Arcseer will comply with such legislation where it applies. In such cases, Arcseer implements:

  • reasonable security measures appropriate to the nature of personal information held
  • transparency in data use
  • limitations on data sharing

14. Cookies

Our use of cookies and similar technologies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), as amended by the DUAA. We use cookies and similar technologies, including:

  • Google Analytics (for website usage insights)
  • marketing cookies (where consent is provided)

Users can manage cookie preferences via our website.

15. Contact

For any privacy-related queries, or to exercise your rights under the UK GDPR or DPA 2018, please contact us at:

privacy@arcseer.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, at ico.org.uk or by calling 0303 123 1113.