This privacy policy explains how Arsenale Limited ("Arsenale", "we", "us") collects, uses, retains, and protects personal data. We are the data controller for the personal data described below, registered in England and Wales, Company No. 17126962, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
For any privacy-related question or to exercise the rights described in section 9 of this policy, please contact contact@arsenale.ai.
We only collect personal data that you provide to us deliberately, or that is created as an automatic by-product of you interacting with our services. Specifically:
Our hosting provider (Cloudflare) and email provider (Google Workspace) collect technical data necessary to deliver the service, including server logs, performance metrics, and authentication records. This data is processed in accordance with each provider's privacy notice — see section 6 below.
Our website does not use third-party analytics, advertising, marketing, or session-replay tracking. We do not set cookies for tracking purposes. Cookies that may be set are limited to those strictly necessary for the website to function (e.g. bot-protection cookies set by Cloudflare).
We rely on the following lawful bases under UK GDPR Article 6:
| Purpose | Lawful basis | Notes |
|---|---|---|
| Responding to an enquiry | Legitimate interest (Article 6(1)(f)) | Our interest in engaging with prospective counterparties; balanced against your reasonable expectations when contacting a business via its public enquiry form. |
| Processing an appliance reservation | Pre-contractual necessity (Article 6(1)(b)) | Necessary to take steps at your request prior to entering into a contract for sale. |
| Issuing an invoice, fulfilling an order | Contract performance (Article 6(1)(b)) | Necessary to perform the sale contract. |
| Responding to a security report | Legitimate interest (Article 6(1)(f)) | Our interest in product security and the security researcher's interest in coordinated disclosure. |
| Statutory record-keeping | Legal obligation (Article 6(1)(c)) | Accounting records, tax records, and corporate records as required by UK law. |
| Sending operational emails about an order or NDA | Contract performance / pre-contractual necessity (Article 6(1)(b)) | Confirmations, NDA delivery, fulfilment notifications — directly associated with steps you have requested. |
We do not process personal data for marketing or advertising purposes and do not sell personal data to any third party.
| Category | Retention period |
|---|---|
| Enquiry submissions | 24 months from submission, then deleted from operator inbox and server logs |
| Reservation records (unfulfilled) | 12 months from submission if no further action, then deleted |
| Reservation records (fulfilled, contracted) | 6 years from end of the related accounting period, in line with HMRC record-retention requirements |
| NDA correspondence and signed NDAs | 6 years from termination or expiry of the NDA |
| Security disclosure correspondence | 3 years from closure of the report |
| Server access logs | 90 days, then rotated and deleted |
We share personal data only with the service providers necessary to deliver our website, communications, and operations. A current list of subprocessors and what each can see is published at arsenale.ai/trust. As of this policy's effective date:
We do not sell, rent, or trade personal data. We will disclose personal data to a third party only where required by law, in connection with a regulatory request, in defence of a legal claim, or with your explicit consent.
Some of our subprocessors operate globally and may process personal data outside the United Kingdom or the European Economic Area. We rely on the following safeguards where applicable:
Customer operational data on the Arsenale Appliance does not leave the customer's premises and is therefore not subject to any international transfer initiated by Arsenale.
Our website does not use cookies for tracking, analytics, or marketing. Cookies that may be set are limited to those strictly necessary to operate the site:
Under the Privacy and Electronic Communications Regulations 2003 (PECR), strictly necessary cookies do not require consent. We do not use any cookies that would require consent.
We maintain a documented Information Security Posture aligned with the ISO 27001 control objectives and NCSC guidance for sovereign and on-premise systems. Personal data we hold is:
A redacted version of our Information Security Posture document is available on request under NDA.
Under UK GDPR you have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | You can request a copy of the personal data we hold about you and information about how it is processed. |
| Rectification | You can ask us to correct personal data that is inaccurate or incomplete. |
| Erasure ("right to be forgotten") | You can ask us to delete personal data, subject to our legal record-retention obligations. |
| Restriction of processing | You can ask us to limit how we use your personal data in specific circumstances. |
| Data portability | You can ask us to provide your personal data in a structured, commonly used, machine-readable format. |
| Objection | You can object to processing based on legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your interests. |
| Withdrawal of consent | Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal. |
| Complaint to the supervisory authority | You can complain to the UK Information Commissioner's Office (ICO) — ico.org.uk — though we ask that you contact us first so we have an opportunity to resolve the matter. |
To exercise any of the rights above, please email contact@arsenale.ai with a clear description of your request. We will respond within one calendar month of receipt. We may need to verify your identity before fulfilling a request.
We may amend this policy from time to time to reflect changes in our practices, in subprocessors we engage, or in legal or regulatory requirements. The "Effective" date at the top of this policy will be updated when material changes are made. Material changes will be communicated to recipients of any active service we provide via the email address on record.
Arsenale Limited
Company No. 17126962, registered in England and Wales
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: contact@arsenale.ai
Security disclosure: security@arsenale.ai · Press: press@arsenale.ai
We are not currently required to appoint a Data Protection Officer under UK GDPR Article 37. Privacy queries are handled directly by the Director.