Privacy Policy
How ARQERA collects, uses, shares, and protects your personal data. Last updated: 21 February 2026.
1. Introduction
This Privacy Policy explains how Arqera Limited (“ARQERA”, “we”, “us”, “our”) collects, uses, shares, and protects personal data relating to our customers, website visitors, and other individuals who interact with us. It applies to the ARQERA platform (arqera.io) and all associated services.
This policy is provided pursuant to Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which govern our processing of personal data. Where we also serve individuals in the European Economic Area, EU GDPR 2016/679 applies in parallel.
ARQERA operates as both a data controller (for data about our customers and website visitors that we process for our own purposes) and a data processor (for customer data processed on behalf of our business customers in connection with providing the platform). This policy covers our activities as a data controller. Our activities as a data processor are governed by our Data Processing Agreement (DPA), which applies between ARQERA and each business customer.
Please read this policy carefully. By using the ARQERA platform or website, you acknowledge that you have read and understood this policy.
2. Who We Are (Data Controller)
Company: Arqera Limited
Company Number: 16946092
Registered in: England and Wales
Registered address: 167-169 Great Portland Street, London, England, W1W 5PF
Data protection contact / DPO: [email protected]
Website: arqera.io
Our designated data protection contact handles all privacy enquiries, data subject requests, and regulatory correspondence. All communications relating to this policy should be addressed to [email protected].
3. Data We Collect
We collect personal data in the following categories. We collect only what is adequate, relevant, and limited to what is necessary for the purposes described in this policy (the principle of data minimisation).
3.1 Account Information
When you register for an account, we collect your full name, work email address, organisation name, and job title. We also collect the authentication method you choose (email and password, magic link, or SSO). If you register via SSO using SAML 2.0 or OIDC through WorkOS, we receive a profile payload from your identity provider containing name, email, and group membership, subject to your organisation's IdP configuration. If your organisation uses SCIM provisioning, we receive user provisioning and deprovisioning events automatically.
3.2 Usage Data
When you use the ARQERA platform, we collect information about your interactions, including pages and features accessed, actions performed, session duration, and in-app events. We also collect technical data including browser type and version, operating system, device type, and referring URL. IP addresses are collected for security purposes and session management; our analytics provider (PostHog) is configured with IP anonymisation enabled (ip: false) so that only anonymised IP data is passed to analytics systems.
3.3 AI Interaction Data
When you use ARQERA's AI-powered features — including Ara (our ambient AI assistant), Ore (the AI governance brain), workflow automation, and governance evaluation — we process the prompts and inputs you submit, the completions and responses generated, governance evaluation results, evidence artifacts emitted by the platform, action logs, and approval and rejection decisions. This data constitutes the evidence audit trail that is core to the platform's compliance and governance proposition.
Where AI interaction data contains personal data about third parties (such as references to employees or customers within a workflow), the processing of that data is governed by our Data Processing Agreement with the relevant business customer, who acts as data controller for that data.
3.4 Billing and Payment Data
Payment card details, banking information, and PCI-in-scope payment credentials are collected and processed exclusively by Stripe, our PCI-DSS Level 1 compliant payment processor. ARQERA does not store, transmit, or process full card numbers or CVV codes. We retain billing contact details (name, email, billing address), invoice history, subscription tier and status, and usage-based metering data for billing reconciliation and audit purposes.
3.5 Communications Data
When you contact us by email, via the in-app support function, or through any other channel, we collect the content of your message and any attachments. We also retain records of our responses. If you subscribe to product communications or marketing updates, we record your consent and the date it was given.
3.6 Integration and OAuth Data
When you connect third-party services to ARQERA (for example, Slack, Microsoft Teams, GitHub, Google Workspace, Jira, or other platforms), you authorise ARQERA to access specific data scopes you grant during the OAuth flow. We process and store OAuth access tokens and refresh tokens via Nango, our integration fabric provider, and connection metadata (integration type, connection status, last synchronised). We access only the data scopes explicitly authorised by you; we do not request or store broader permissions.
3.7 Data Received from Third Parties
Where your employer or organisation has created an ARQERA account and invited you as a user, we receive your name and email from that organisation. Where SSO is configured, we receive profile data from your organisation's identity provider. We do not purchase personal data from data brokers or third-party marketing lists.
4. How We Use Your Data
We process personal data only where we have a lawful basis to do so under UK GDPR Article 6 (and, where special category data is involved, Article 9). The table below sets out each purpose, the data used, and the lawful basis relied upon.
| Purpose | Lawful Basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — Contract performance |
| Delivering and operating the ARQERA platform | Art. 6(1)(b) — Contract performance |
| Processing payments and managing subscriptions | Art. 6(1)(b) — Contract performance |
| Sending transactional communications (receipts, alerts, account notices) | Art. 6(1)(b) — Contract performance |
| Providing customer support and responding to enquiries | Art. 6(1)(b) — Contract performance |
| Security monitoring, fraud detection, and abuse prevention | Art. 6(1)(f) — Legitimate interests (protecting the platform and users) |
| Maintaining and improving platform reliability and performance | Art. 6(1)(f) — Legitimate interests (service quality) |
| Product analytics to understand feature usage and improve the platform | Art. 6(1)(f) — Legitimate interests / Art. 6(1)(a) — Consent (where analytics cookies are used) |
| AI model improvement using anonymised, aggregated interaction patterns | Art. 6(1)(a) — Consent (opt-in for Free/Team; opt-out for Business/Enterprise) |
| Marketing and product communications (newsletters, feature announcements) | Art. 6(1)(a) — Consent |
| Compliance with legal obligations (tax, accounting, regulatory) | Art. 6(1)(c) — Legal obligation |
| Enforcing our Terms of Service and protecting our legal rights | Art. 6(1)(f) — Legitimate interests |
4.1 Legitimate Interests Balancing
Where we rely on legitimate interests as our lawful basis, we have considered those interests against your rights and concluded that our interests do not override your fundamental rights and freedoms. Our legitimate interests processing is limited to security monitoring, service improvement, and enforcement of our terms — activities that reasonable users expect from an enterprise SaaS platform and that carry minimal privacy impact given our technical safeguards. You may object to legitimate interests processing at any time (see Section 9 — Your Rights).
5. AI Model Improvement
ARQERA trains and fine-tunes proprietary AI models to improve the quality of the platform. We treat AI training consent with a high degree of care and differentiate our approach by subscription tier:
| Tier | Default | How to Change |
|---|---|---|
| Free | Opted in (consent required at signup) | Opt out via Settings > Privacy at any time |
| Team | Opted in (consent required at signup) | Opt out via Settings > Privacy at any time |
| Business | Opted out by default | Opt in via Settings > Privacy or contact us |
| Enterprise | Opted out by default | Opt in negotiated in Enterprise agreement |
What we use: Where you have consented, we use anonymised and aggregated interaction patterns — such as the types of governance evaluations requested, the categories of workflows built, and general quality signals from AI completions. We never use raw prompt text, raw completion text, identifiable customer data, or any data that could be linked back to you or your organisation in model training.
What we never do: We never train on the specific content of your governance policies, proprietary documents, evidence artifacts, or any data your organisation has input into the platform. We never sell, license, or share customer data with third parties for their AI training purposes.
Withdrawing consent does not affect the lawfulness of processing carried out while consent was active, and does not affect your access to or use of the platform in any way.
6. Data Sharing & Sub-processors
We do not sell, rent, or broker personal data. We share data only as described below, and only to the extent necessary.
6.1 Sub-processors
We engage the following sub-processors who process personal data on our behalf. Each is bound by a data processing agreement containing obligations equivalent to or stricter than those imposed on us by UK GDPR. Where sub-processors are located outside the UK or EEA, appropriate transfer mechanisms are in place (see Section 10).
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure, database hosting, compute | UK (europe-west2, London) — primary |
| Cloudflare | CDN, WAF, DDoS protection, DNS, edge routing | Global edge network |
| Stripe | Payment processing (PCI-DSS Level 1) | USA / EU |
| PostHog | Product analytics and feature flags (consent-gated; IP anonymised) | EU (PostHog Cloud EU region) |
| Sentry | Error monitoring and performance tracing (no PII by default) | USA |
| SendGrid (Twilio) | Transactional email delivery | USA |
| WorkOS | SSO, SAML, SCIM, directory sync, auth anomaly detection | USA |
| Nango | OAuth integration management and credential storage | EU |
| Modal.com | AI model inference (proprietary model serving) | USA |
| Lambda Labs | Cloud GPU infrastructure for model training | USA |
| Alibaba Cloud (DashScope) | AI model inference (Qwen model family; EU region) | EU (Frankfurt, eu-central-1) |
We maintain a complete sub-processor list at arqera.io/sub-processors, which is kept current and includes effective dates for any additions or changes. Business and Enterprise customers who have executed a DPA with us will be notified of material sub-processor changes with sufficient notice to raise objections per the terms of their DPA.
6.2 Within Your Organisation
If you use ARQERA as part of an organisational account, your administrators and colleagues within that account may have access to data you generate or store on the platform, subject to the role-based access controls configured by your organisation. Your organisation's use of data it controls about you is governed by your employer's own privacy policy.
6.3 Legal Requirements
We may disclose personal data if required by applicable law, regulation, court order, or other enforceable governmental request. We review all such requests carefully and disclose only the minimum data required. Where legally permitted, we will notify the affected individual or customer before disclosing.
6.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users in advance and provide choices where required by law.
8. Data Retention
We retain personal data for no longer than is necessary for the purpose for which it was collected, or as required by law. Our retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Account data (name, email, profile) | Duration of active account, then deleted within 30 days of account deletion request |
| Platform usage logs | 90 days rolling |
| AI interaction logs and governance evidence artifacts | Configurable per tenant (default: 7 years to meet regulatory requirements). Enterprise customers may configure custom retention periods to meet their specific compliance frameworks. |
| Billing records and invoices | 7 years (UK tax and accounting law) |
| Support communications | 3 years from last contact |
| Marketing consent records | Duration of consent + 3 years (for accountability) |
| Security logs (authentication events, access logs) | 12 months |
| Integration OAuth tokens | Duration of active connection, then deleted within 30 days of disconnection |
When data reaches the end of its retention period, it is securely and irreversibly deleted or anonymised. Anonymised data (from which no individual can be identified) is not subject to retention limits and may be retained indefinitely for statistical and product improvement purposes.
Where you submit a deletion request under your right to erasure (see Section 9), we will process that request within 30 days, subject to any overriding legal retention obligations that prevent deletion of specific data categories.
9. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights apply to data for which ARQERA acts as data controller. For data processed on behalf of your employer, please contact your employer as the data controller.
Right of Access (Article 15)
You may request a copy of the personal data we hold about you, together with information about how and why we process it. We provide this as a Subject Access Request (SAR) response within one month.
Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data we hold about you. You can update most account information directly via Settings > Profile.
Right to Erasure (Article 17)
You may request deletion of your personal data. This right applies in specific circumstances, including where the data is no longer necessary for the original purpose, where you withdraw consent (and no other basis applies), or where you object to legitimate interests processing. It does not override legal retention obligations such as financial record-keeping requirements.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format (JSON or CSV). You can initiate a data export directly via Settings > Privacy > Export My Data.
Right to Restrict Processing (Article 18)
You may request that we limit our processing of your data in certain circumstances, such as while a dispute about accuracy is being resolved, or where you have objected to processing and we are assessing whether our legitimate interests override yours.
Right to Object (Article 21)
You may object at any time to processing based on legitimate interests (Article 6(1)(f)), including profiling based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You may also object to processing for direct marketing purposes at any time — we will stop immediately without need to justify the objection.
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you may withdraw that consent at any time via Settings > Privacy, or by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
9.1 How to Exercise Your Rights
You can exercise most rights directly within the platform:
- Profile updates: Settings > Profile
- Privacy preferences (analytics, AI training opt-out): Settings > Privacy
- Data export: Settings > Privacy > Export My Data
- Account deletion: Settings > Account > Delete Account
- Marketing preferences: unsubscribe link in any marketing email
For requests that cannot be completed self-service (Subject Access Requests, erasure requests, restriction requests, or objections), contact us at [email protected]. We respond to all requests within one calendar month. Where requests are complex or numerous, we may extend this by a further two months and will notify you of the extension within the initial one-month period.
We may need to verify your identity before processing a request. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
9.2 Right to Lodge a Complaint
If you believe we have processed your personal data unlawfully, or that your rights have not been respected, you have the right to lodge a complaint with the supervisory authority. Our lead supervisory authority is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
If you are located in the EEA, you may also lodge a complaint with the data protection authority in your country of residence. We encourage you to contact us first so we can attempt to resolve the issue directly.
10. International Data Transfers
ARQERA's primary infrastructure is hosted on Google Cloud Platform in europe-west2 (London, UK), meaning the majority of your personal data is stored and processed in the UK. However, some of our sub-processors are based in, or transfer data to, the United States or other countries outside the UK and EEA.
Where we transfer personal data to countries that do not have an adequacy decision from the UK Secretary of State (or the European Commission, for EEA transfers), we rely on the following transfer mechanisms:
- International Data Transfer Agreements (IDTAs) — the UK mechanism for international transfers under UK GDPR, approved by the ICO.
- EU Standard Contractual Clauses (SCCs) (2021 version, as approved by the European Commission), supplemented by the UK International Data Transfer Addendum where transfers also involve UK personal data.
- Adequacy decisions — where the destination country has received an adequacy decision from the UK Secretary of State or European Commission.
We conduct Transfer Impact Assessments (TIAs) for transfers to high-risk jurisdictions to ensure that, in practice, the transferred data receives an equivalent level of protection to that afforded in the UK. Where TIAs indicate insufficient protection, we implement additional technical and contractual safeguards.
Enterprise customers can request data residency configuration to restrict processing to UK or EU-based infrastructure where technically available. Contact [email protected] to discuss data residency requirements.
You can obtain a copy of our transfer safeguards documentation by contacting [email protected].
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction, taking into account the nature of the data, the risks to individuals, and the state of the art. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our platform uses TLS 1.2 or TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) with a 12-month max-age and preloading.
- Encryption at rest: Database and storage encryption using AES-256, managed by Google Cloud Platform.
- Access controls: Role-based access control with least-privilege enforcement. All internal access to production systems requires multi-factor authentication.
- Tenant isolation: Complete data isolation between customer organisations at the database and application layer.
- Edge protection: Cloudflare WAF with managed rulesets, rate limiting, and DDoS mitigation in front of all services.
- Audit logging: Tamper-resistant audit logs for all data access and administrative actions, with evidence artifacts emitted to the immutable evidence chain.
- Vulnerability management: Regular security assessments, dependency scanning, and periodic penetration testing.
- Binary authorisation: Container images deployed to our Kubernetes infrastructure are subject to binary authorisation controls.
For detailed technical security information, see our Security page. For enterprise security questions or to report a vulnerability, contact [email protected].
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and within 72 hours of becoming aware, as required by UK GDPR Article 33.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly as soon as reasonably practicable, in accordance with UK GDPR Article 34.
Business customers who have executed a DPA with us will receive breach notifications within the timeframes specified in their DPA, to enable them to meet their own notification obligations as data controllers.
13. Children's Privacy
ARQERA is an enterprise B2B platform designed for and directed at business professionals. It is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that personal data has been collected from a child under 16 without verifiable parental consent, we will take immediate steps to delete that data.
If you have reason to believe that a child under 16 has provided us with personal data, please contact us immediately at [email protected].
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. The “Last updated” date at the top of this page indicates when the policy was most recently revised.
Where we make material changes — changes that significantly affect your rights, the data we collect, or how we use it — we will notify registered users by email and by displaying a prominent notice within the platform at least 30 days before the changes take effect. For non-material changes (such as clarifications or corrections), we may update the policy without advance notice.
Continued use of the platform after changes take effect constitutes acceptance of the updated policy, unless the changes require fresh consent under GDPR (in which case we will obtain that consent explicitly before the changes apply to your data).
15. Contact & Data Protection Officer
For any privacy-related questions, data subject requests, or complaints, please contact our designated data protection contact:
Data Protection Contact
Email: [email protected]
Subject line: “Privacy Request — [nature of request]”
Registered Address
Arqera Limited
167-169 Great Portland Street
London, England, W1W 5PF
United Kingdom
Supervisory Authority
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We aim to respond to all privacy enquiries within 5 business days. Formal data subject rights requests (SARs, erasure, etc.) will be acknowledged within 5 business days and fully responded to within one calendar month.