Privacy Policy

Last updated: May 23, 2026

Armologic Ltd. ("Company", "we", "us", or "our") operates the ArmoScan platform ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service, visit our website at armoscan.com, or interact with us in any way.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

1. Data Controller

The data controller responsible for your personal data is:

• Company: Armologic Ltd.
• Location: United Kingdom
• Email: privacy@armologic.com

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

• Full name and display name
• Email address
• Organization name and slug
• Password (stored as a one-way Argon2id hash — we never store plaintext passwords)
• IP address at registration
• Role and permissions within your organization

2.2 Scan Data

When you use the Service to scan your applications, we process:

• Target URLs and domain information
• Scan configuration (profiles, plugins, schedules)
• Authentication credentials you provide for authenticated scanning (stored encrypted with AES-256-GCM)
• Scan results, findings, and vulnerability reports
• HTTP request/response data captured during scans
• Domain verification records

2.3 Usage Data

We automatically collect:

• Browser type and version
• Pages visited and features used
• Date and time of access
• IP address
• Device type and operating system
• Referring URLs

2.4 Payment Data

Payment processing is handled entirely by Paddle.com Market Ltd. ("Paddle"), our merchant of record. We do not collect, store, or have access to your credit card numbers, bank account details, or other payment credentials. Paddle processes payments in accordance with PCI-DSS requirements. Please review Paddle's Privacy Policy for details on their data practices.

2.5 Communication Data

When you contact us through the contact form, email, or support channels, we collect your name, email address, company name, and the content of your communications.

3. How We Use Your Data

We use your data for the following purposes:

Purpose	Legal Basis (GDPR Art. 6)
Providing and operating the Service	Performance of contract
Account creation and authentication	Performance of contract
Processing scan jobs and generating reports	Performance of contract
Sending scan completion notifications and alerts	Performance of contract
Domain ownership verification	Performance of contract / Legitimate interest (security)
Maintaining audit logs for compliance	Legitimate interest (security and accountability)
Responding to support requests and inquiries	Performance of contract / Legitimate interest
Analytics and service improvement	Legitimate interest
Preventing fraud and unauthorized use	Legitimate interest (security)
Complying with legal obligations	Legal obligation

4. Data Storage and Security

4.1 Infrastructure

Your data is stored on servers located within the European Economic Area (EEA). We use industry-standard security measures to protect your data, including:

• Encryption at rest: All sensitive data is encrypted using AES-256-GCM
• Encryption in transit: All connections use TLS 1.2+
• Password hashing: Argon2id with per-user salts
• Tenant isolation: PostgreSQL Row-Level Security (RLS) ensures complete data isolation between organizations
• Audit logging: Tamper-proof audit trail with SHA-256 hash chain and Ed25519 digital signatures
• API authentication: JWT (RS256) with short-lived tokens and refresh rotation
• Rate limiting: Redis-based sliding window rate limiting to prevent abuse

4.2 Data Retention

• Active accounts: Data is retained for the duration of your subscription
• Trial accounts (expired, not subscribed): Data is retained for 30 days after trial expiration
• Cancelled subscriptions: Data is retained for 30 days after the subscription period ends
• Audit logs: Retained for 2 years for compliance purposes
• Account deletion requests: Processed within 30 days; backups purged within 90 days

4.3 Data Deletion

When data is deleted, it is permanently removed from our production systems. Backup copies are purged according to our retention schedule (maximum 90 days for backup rotation).

5. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

5.1 Service Providers

• Paddle.com Market Ltd: Payment processing, subscription management, invoicing
• Google Analytics: Website usage analytics (anonymized IP)
• Email service provider: Transactional emails (scan notifications, account alerts)

All service providers are contractually bound to process data only on our instructions and in compliance with applicable data protection laws.

5.2 Legal Requirements

We may disclose data when required by law, court order, or government request, or when necessary to protect our rights, safety, or property, or that of our users.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such transfer and your options regarding your data.

6. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@armologic.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority.

7. Cookies and Tracking

7.1 Essential Cookies

We use essential cookies that are necessary for the Service to function:

• Authentication cookies: Maintain your login session
• CSRF tokens: Protect against cross-site request forgery attacks
• Theme preference: Remember your light/dark mode selection

7.2 Analytics

We use Google Analytics to understand how visitors interact with our marketing website. Google Analytics uses cookies to collect anonymized usage data. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

7.3 No Third-Party Tracking

We do not use advertising cookies, social media tracking pixels, or any third-party tracking technologies beyond Google Analytics on our marketing pages.

8. International Data Transfers

Your data is primarily stored and processed within the EEA. If data is transferred outside the EEA (e.g., through service providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

10. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies before providing any personal data.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Articles 33 and 34.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy-related questions, data access requests, or concerns, please contact us:

• Email: privacy@armologic.com
• General: info@armologic.com
• Company: Armologic Ltd., United Kingdom
• Website: armoscan.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).