Privacy Policy

Last updated: 14 May 2026

This policy explains what personal data Arx Certa Ltd collects, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If anything here isn't clear, email [email protected] and we'll explain.

On this page

Who we are

Arx Certa Ltd is a UK company registered in England and Wales. We're a cloud, infrastructure, security and AI consultancy serving UK businesses. We are the "data controller" for any personal information you give us through this website or by email.

Postal contact details are available on request to [email protected].

What personal data we collect

We only collect the personal data we need. The categories are:

  • Contact form & AI Readiness Scorecard submissions: your name, work email, company name, role, sector, company size, project timeline, and the message or scorecard answers you choose to share.
  • Email correspondence: whatever you choose to put in emails to us, plus the technical metadata your email provider attaches.
  • Cookies and analytics (only if you accept them — see the Cookies section).
  • Server logs: IP address, browser type, requested URL, and timestamp. We use these for security and to keep the site running. They are not used for marketing or profiling.

We don't ask for and don't want sensitive personal data (health, religion, political opinions, biometrics, etc.). If you accidentally include any in your message, let us know and we'll remove it.

Why we collect it (lawful basis)

Under UK GDPR Article 6, we rely on these lawful bases:

  • Consent (Article 6(1)(a)) — for the AI Readiness Scorecard report and any follow-up about AI readiness. You opt in via the consent checkbox and can withdraw at any time.
  • Legitimate interests (Article 6(1)(f)) — for general enquiries through the contact form, where you are reaching out because you want a response from us. We've balanced this against your interests and consider it fair.
  • Contract (Article 6(1)(b)) — if you become a client, to deliver the services you've engaged us for.
  • Legal obligation (Article 6(1)(c)) — where we're required to keep records (e.g. tax, accounting, regulatory).

How we use your data

We use the personal data you give us to:

  • Reply to your enquiry or send the report you've requested.
  • Follow up about AI readiness work if you've opted into that.
  • Improve the website and the diagnostic content.
  • Comply with our legal and accounting obligations.

We do not sell your data, share it with advertisers, or use it to train any AI model.

Who we share it with

We share personal data only with the small set of trusted suppliers we need to run our business. Each is bound by a data processing agreement.

  • Email infrastructure (Microsoft 365 and Resend) — to send and receive email.
  • Web hosting (Hetzner Online GmbH, EU) — the server that serves this site.
  • Content delivery and DDoS protection (Cloudflare) — in front of the site.
  • Analytics (Google Analytics 4) — only if you accept analytics cookies.
  • Accounting / professional advisors — on the standard confidentiality terms.

We will also disclose personal data where required by law (e.g. court order, regulator request).

How long we keep it

  • Contact enquiries: up to 24 months from last contact, then deleted unless a project relationship has formed.
  • Scorecard submissions: up to 24 months from submission. You can ask for earlier deletion at any time.
  • Client records: for the duration of the engagement plus 6 years (for tax and audit purposes), unless a longer period is legally required.
  • Server and security logs: 30 days.

Cookies and analytics

This site uses two types of cookies:

  • Strictly necessary cookies — for the site to work (e.g. remembering your cookie choice). These don't need consent.
  • Analytics cookies (Google Analytics 4) — help us understand how visitors use the site. These are set only after you accept them via the cookie banner. We don't share analytics data with advertising networks.

You can change your cookie choice any time. Most browsers also let you block or delete cookies; see your browser's help pages for how.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") where we no longer have a lawful reason to keep it.
  • Restrict how we use your data while you challenge its accuracy or lawfulness.
  • Object to processing based on legitimate interests, and to direct marketing — we'll stop straight away.
  • Withdraw consent at any time (for processing based on consent).
  • Portability — receive your data in a structured machine-readable format.
  • Complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd appreciate the chance to put things right first, but it's your right to complain to them directly.

To exercise any of these rights, email [email protected]. We respond within one calendar month.

Security

We take security seriously — it's what we do for clients. We use encrypted transport (HTTPS) for the website, multi-factor authentication on our internal accounts, role-based access to client data, and least-privilege access to production systems. We log unusual activity and review access regularly. No system is bulletproof, but we apply current best practice and improve on it continuously.

International transfers

Some of the suppliers we use (notably Google Analytics and Cloudflare) may transfer data outside the UK. Where this happens, we rely on the UK government's adequacy decisions, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, depending on the supplier and the country.

How to contact us

For privacy-related questions, exercising your rights, or any other matter under this policy, email [email protected]. We aim to reply within five working days for general enquiries and within one calendar month for formal rights requests.

Changes to this policy

We update this policy from time to time. The "last updated" date at the top reflects the most recent revision. Material changes will be notified on the site for at least 30 days before they take effect.