Last Updated: 12 May 2026 · Version 6.0

1. Introduction

This Privacy Policy explains how Secure Agentics Ltd (“we”, “us”, “our”) collects, uses, discloses and protects personal data when you visit our website or use our products.

We deliver our products in three modes:

  • Open-source SDK (self-hosted) — you deploy and run it yourself; no data flows to us
  • Hosted backend — we run the backend; we retain anonymised events and verdicts, which may be used to improve our detection models (see Section 9). Self-service sign-up is open globally

This policy applies to our website and the hosted backend. The OSS SDK does not involve us processing your data.

We are committed to handling personal data lawfully, fairly and transparently in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • EU General Data Protection Regulation (EU GDPR)
  • Data Protection Act 2018
  • Applicable US state privacy laws (including CPRA, CPA, VCDPA and similar)
  • Other applicable international data protection laws

2. Data Controller

Secure Agentics Ltd
Registered in England and Wales (Company No. 16586818)
Registered Office: 128 City Road, London, EC1V 2NX, UK
ICO registration number: ZC118237
Email: privacy@secureagentics.ai

As the hosted backend is offered globally on a self-service basis, EU residents may sign up. We have therefore appointed an Article 27 EU Representative to act as the contact point for EU data subjects and EU supervisory authorities. Our EU Representative is Prighter Group which, together with its local partners, acts as our privacy representative and your point of contact for the following regions:

  • European Union (EU)

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or to make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/secureagentics

EU Representative: Andreas Maetzler, CEO, c/o iuro Rechtsanwälte GmbH, Schellinggasse 3, 1010 Vienna, Austria, support@prighter.com

3. Categories of Personal Data We Collect

We collect personal data directly, automatically, via third-party services, and via our hosted backend.

3.1 Information You Provide (Website)

  • Name, business email address, telephone number, job title, company name
  • Any information submitted via forms
  • Communications with us

3.2 Information Collected Automatically (Website)

  • IP address, browser type and version, device type, operating system
  • Pages visited, time spent, referring URLs, interaction data

3.3 Company Identification Data (Website)

We use third-party identification services that may associate your IP address with a business organisation and provide company-level data. IP addresses may constitute personal data under UK/EU law.

Where we receive personal data from third parties (such as company identification or enrichment services), we do so based on legitimate interests.

Categories of source include: publicly available business information, IP-to-company resolution services, and B2B prospecting databases.

3.4 Cookies and Tracking Technologies

We use cookies via website hosting infrastructure, our consent management platform, analytics and marketing tools, and company identification scripts. See secureagentics.ai/cookie-policy.

3.5 Customer Account Data (Hosted Backend)

  • Account contact details (name, work email, job title, country)
  • Authentication data (we use SSO / federated identity; we do not store passwords in plain text)
  • Support correspondence and product usage metrics

3.6 Agent Telemetry (Hosted Backend)

When a freemium customer embeds our SDK in their AI agent and connects it to our hosted backend, we receive telemetry from that agent. By design, this telemetry contains the minimum personal data required to make a security decision:

  • Structured event data: session identifier, tool category, action category, risk score, decision outcome, policy rule triggered, model/policy version, timestamp
  • Agent reasoning traces (chain of thought)
  • Any personal data is scrubbed at the SDK layer in the customer’s environment before transmission

4. Lawful Basis for Processing (UK/EU)

We rely on the following lawful bases:

Lawful basis table:

  Purpose                                                                       | Lawful basis
  ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------
  Website operation, security, analytics                                        | Consent and/or legitimate interests (Article 6(1)(a) / (f))
  Marketing communications                                                      | Consent (Article 6(1)(a))
  Responding to enquiries                                                       | Legitimate interests / performance of contract (Article 6(1)(f) / (b))
  B2B company identification                                                    | Legitimate interests (Article 6(1)(f))
  Providing the freemium hosted backend (Processor on customer's behalf)        | Performance of contract (Article 6(1)(b)) on the freemium customer's instructions
  Freemium tier: retaining scrubbed metadata for model improvement (Controller) | Performance of contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)), supported by an LIA and DPIA
  Security monitoring and incident response                                     | Legitimate interests and legal obligation (Article 6(1)(f) / (c))
  Legal compliance                                                              | Legal obligation (Article 6(1)(c))

5. How We Use Personal Data

We use personal data to:

  • Operate and secure our website
  • Identify potential corporate customers and respond to enquiries
  • Send marketing communications (where consented)
  • Operate the hosted backend on behalf of customers who sign up to this option
  • Improve our monitoring model (see Section 9)
  • Comply with legal obligations

We do not sell personal data. We do not share personal data with third parties for advertising purposes.

6. Cookies and Consent Management

We use a consent management platform (CMP) to manage how you interact with our website and to record your consent. Visitors can accept, reject or customise cookie preferences; withdraw consent at any time; and access a detailed cookie declaration.

https://secureagentics.ai/trust

Consent records are retained for the period required by applicable law (currently up to 24 months). Update preferences at any time at secureagentics.ai/cookie-policy.

7. Opt-Out

We use various systems to understand which companies visit our website. These systems may process IP addresses and associate them with publicly available business data.

Any users who sign up for our hosted backend service may also elect to opt out of product improvements.

If you are located in the UK or EU, we rely on legitimate interests for this processing, and you have the right to object at any time. If you are located in certain US states, you may have the right to opt out of “sale” or “sharing” of personal data as defined by state law.

To opt out, use our consent management tool at https://secureagentics.ai/cookie-policy or email privacy@secureagentics.ai.

8. Processing via Our Product

Our product is delivered in three modes. Our role under UK/EU GDPR depends on the mode:

8.1 Open-source SDK (self-hosted)

You deploy and run the SDK yourself, optionally with your own backend. No data flows to Secure Agentics. We are neither Controller nor Processor for any data processed in this mode.

8.2 Hosted backend (offered globally, including in the EU)

When a hosted backend customer embeds our SDK in their AI agent, our product processes personal data that the agent handles. The customer (the business operating the agent) is the primary Controller; Secure Agentics acts as Processor in respect of that data, and as a separate Controller only for the limited model-improvement purpose described in Section 9.

  • We receive only structured event data from the customer’s agent. Direct personal data is scrubbed at the SDK layer before transmission
  • Agent reasoning traces (chain of thought)
  • Structured event data is retained for up to 30 days for security audit and customer dispute resolution, then deleted automatically
  • Customer data is deleted within 30 days of contract termination

8.3 Audit Mode

Our monitoring model makes permit/deny decisions about agent actions. These decisions can have significant effects on end users. Customers (in any mode) are contractually required to maintain meaningful human oversight and to inform their end users about the presence and purpose of the monitoring. Our SDK supports a “recommend-only” mode for human-in-the-loop deployments. End users may exercise their rights under Article 22 UK/EU GDPR via the customer or, for the freemium tier, via privacy@secureagentics.ai.

9. Detection Model Improvement

We retain a scrubbed copy of agent metadata (chain-of-thought tokens with PII scrubbed and structured events) to fine-tune our monitoring model. The terms differ by deployment mode:

  • Open-source SDK (self-hosted): no data flows to Secure Agentics; nothing is retained
  • Hosted backend: training contribution is part of the service. By using the hosted backend tier, the customer agrees that scrubbed metadata may be retained (as per legal restrictions below) and used for model improvement. This contribution is the consideration for the free service

Other terms (apply to the hosted backend tier only):

  • Lawful basis: Article 6(1)(b) (performance of contract) and Article 6(1)(f) (legitimate interests). Both supported by a Legitimate Interests Assessment and a Data Protection Impact Assessment, both published at
  • Retention: raw scrubbed metadata 30 days; aggregated training corpus up to 24 months. Derived model weights contain no re-identifiable personal data
  • Withdrawal: a hosted backend customer can stop the contribution by terminating their hosted backend account. Raw metadata is then deleted within 30 days. Any aggregated/anonymised data already incorporated into existing training corpora cannot be reversed but is excluded from future training corpora
  • Opt Out: Hosted backend customers have the option to opt out of product improvements
  • Data subject rights: end users may exercise their rights via the customer (their primary Controller) or by contacting privacy@secureagentics.ai

10. Sub-processors

We engage Sub-processors under Article 28 contracts to deliver the freemium hosted backend and our corporate services. The current list is published at secureagentics.ai/sub-processors and updated when changes occur. Freemium customers are notified at least 30 days before a new Sub-processor is added.

Categories of recipients (freemium tier and corporate operations):

  • Cloud hosting (AWS, UK and/or EU regions by default)
  • Observability (logs, metrics, traces)
  • CRM, email, support and analytics tools
  • Payment processor (Stripe)
  • Slack and Discord (alert delivery for users who configure these integrations)
  • Professional advisers (legal, accounting) under confidentiality

11. International Data Transfers

Personal data may be transferred outside the UK or EEA. Where we do so, we apply appropriate safeguards:

  • UK International Data Transfer Agreement (IDTA) and UK Addendum to EU SCCs
  • EU Standard Contractual Clauses (SCCs)
  • Transfers to countries with UK or EU adequacy decisions
  • A Transfer Risk Assessment for each Restricted Transfer, available on request

12. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, plus any statutory period required:

  • Server security logs: 90 days
  • Website analytics: 13 months
  • Prospect / CRM records: up to 3 years from last meaningful interaction
  • Opt-out / suppression list: indefinite (required to respect your opt-out)
  • Customer account data (hosted backend): duration of account; deleted within 30 days of termination
  • Agent chain-of-thought (hosted backend): scrubbed; 30 days raw, then aggregated up to 24 months
  • Structured event data (hosted backend): 30 days
  • Consent records: up to 24 months

13. Data Security

We implement technical and organisational measures appropriate to the risk:

  • Encryption in transit (TLS 1.3) and at rest (AES-256), with KMS-managed keys
  • Role-based access control, multi-factor authentication, privileged access management
  • SDK-side PII scrubbing before transmission; secondary server-side scrubber on ingest
  • Tenant isolation; production and development environments fully separated
  • Telemetry field allowlist enforced at SDK and backend; non-allowlisted fields rejected
  • Continuous monitoring, vulnerability scanning, vulnerability patching SLA
  • Annual independent penetration test; secure software development lifecycle
  • Cyber liability insurance in place covering investigation, breach notification and third-party liability
  • Bring-your-own-key (BYOK) encryption available to enterprise customers

14. Your Rights (UK/EU)

If you are in the UK or EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data (“right to be forgotten”)
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent
  • Object to or restrict automated decision-making (Article 22)
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the EEA, you may also lodge a complaint with your local supervisory authority or contact our EU Representative (see Section 2).

To exercise any of these rights, email privacy@secureagentics.ai. We respond within one month.

15. US Privacy Rights

Depending on your state of residence, you may have the right to know what personal data we collect, request deletion, correct inaccurate information, opt out of “sale” or “sharing”, and limit use of sensitive personal data. To exercise these rights, contact privacy@secureagentics.ai.

16. Third-Party Links

Our website may contain links to third-party sites. We are not responsible for their privacy practices.

17. Children’s Data

Our website and services are not directed to children under 16. We do not knowingly collect children’s personal data. Customers must not embed our SDK in agents that process children’s data without prior consultation with us. If you become aware that a child has provided us with personal data, please contact privacy@secureagentics.ai and we will take steps to delete it.

18. Changes to This Policy

We may update this policy from time to time. The updated version will be posted with a revised “Last Updated” date. Material changes will be highlighted on our website.

19. Contact Us

For privacy enquiries or to exercise your rights:

Email: privacy@secureagentics.ai
Address: Secure Agentics Ltd, 128 City Road, London, EC1V 2NX, UK