Privacy Policy

Last Updated: 3 September, 2025

1.    Introduction

At NAUAS Ark Ltd, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in a fair, lawful, and transparent manner in accordance with applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (together, the “Data Protection Laws”).
We may update this Privacy Policy from time to time to reflect changes in our services, practices, or legal obligations. We will indicate changes by updating the “Last Updated” date above, and we encourage you to review this page periodically.

2.    Who We Are

We are NAUAS Ark Ltd (“N.A.U.A.S Ark”, “we”, “our”, or “us”), a company registered in England and Wales with company number 13387691, whose registered office is at 124 City Road, London, England, EC1V 2NX.
Our Services are designed for business use and support user access control, IT audits, and IT asset management.

3.    Controller vs Processor

•    When we collect and process your personal data directly (for example, when you use our website, contact us, or sign up to our services), N.A.U.A.S Ark is the Data Controller.
•    When you use our Product through your employer or organisation, we process your personal data on their behalf. In this case, your employer or organisation is the Data Controller, and N.A.U.A.S Ark acts as a Data Processor under the Data Processing Addendum (“DPA”) agreed with that Customer.

4.    When This Policy Applies

This Privacy Policy applies to:

•    the use of the N.A.U.A.S Ark Product and related services provided by us; and
•    personal data collected when you interact with our website (e.g. signing up for a newsletter, requesting information, registering for an event, or accessing our services).

Where a separate privacy policy is provided for a specific service, that policy will apply instead.

5.    Privacy of Others

If you provide us with personal data relating to other individuals (for example, colleagues or employees), you confirm that you have obtained all necessary consents or have another lawful basis under Data Protection Laws to do so.

In these cases:

•    you act as the Data Controller in respect of that personal data; and
•    we act as your Data Processor, processing such data only on your instructions.

As the Data Controller, you are solely responsible for ensuring that the collection, disclosure, and processing of such personal data complies with all applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.

6.    Links to Third Parties

Our Product and website may include links to, or integrations with, third-party websites, products, services, or APIs (for example, integrations provided by our partners).

Please note:

•    This Privacy Policy does not apply to any third-party websites, services, or integrations that may be accessible through our Services.
•    We do not control and are not responsible for how third parties collect, use, or process your personal data.

We strongly encourage you to review the privacy policies and terms of any such third-party providers before using their services or providing them with personal data.

7.    The Data We Collect About You

a.    Definition of Personal Data: “Personal Data” means any information relating to an identified or identifiable living individual (a “Data Subject”). An individual may be identified directly (e.g. by name) or indirectly (e.g. by an ID number, online identifier, or other unique factors). When we collect, use, store, or transfer Personal Data, we ensure it is relevant, accurate, and limited to what is necessary for the purposes for which it is processed.
b.    Categories of Data We Collect: We may collect and process the following categories of Personal Data:

i.    Identity Data – first name, last name, username or similar identifier, title, date of birth, and gender.

ii.    Contact Data – billing address, delivery address, email address, and telephone numbers.

iii.    Financial Data – bank account and payment details.

iv.    Transaction Data – details about payments to and from you and other details of products and services you purchase from us.

v.    Technical Data – IP address, login data, device type, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology used to access our website or Services.

vi.    Profile Data – username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.

vii.    Usage Data – information about how you use our website, platform, and Services.

c.    Aggregated Data: We may also collect, use, and share Aggregated Data, such as statistical or demographic information. Aggregated Data may be derived from Personal Data but is not considered Personal Data in law, as it does not directly or indirectly identify you. For example, we may aggregate Usage Data to calculate the percentage of users accessing a specific feature. However, if we combine Aggregated Data with Personal Data in a way that identifies you, we treat the combined data as Personal Data and process it in accordance with this Privacy Policy.
d.    Special Category Data: We do not intentionally collect any “special categories” of Personal Data (such as information about race, ethnicity, political opinions, religious beliefs, health, or sexual orientation). If you choose to provide such information, you do so at your own discretion, and we will process it only where strictly necessary and in compliance with Data Protection Laws.

8.    What Data We Do Not Collect About You

We do not knowingly collect or require you to provide any Special Categories of Personal Data as defined under the UK GDPR. This includes information relating to:

•    race or ethnic origin;
•    religious or philosophical beliefs;
•    sex life or sexual orientation;
•    political opinions;
•    trade union membership;
•    health information;
•    genetic or biometric data.

We also do not collect any information relating to criminal convictions or offences, unless required to do so by law.
If you choose to provide Special Category Data or criminal offence data when using our Services, you do so at your own discretion. In such cases, we will process that data only where strictly necessary for the purposes of providing the Services and in compliance with Applicable Data Protection Laws.

9.    How We Collect Your Personal Data

We collect Personal Data about you in the following ways:

a.    Direct Interactions: You may provide us with Identity Data, Contact Data, Financial Data, and other Personal Data when you:

i.    apply for our products or services;

ii.    create an account on our website or platform;

iii.    subscribe to our services, products, or publications;

iv.    request marketing communications;

v.    provide feedback, respond to a survey, or participate in events; or

vi.    correspond with us by post, phone, email, or other means.

b.    Automated Technologies or Interactions: When you interact with our website or platform, we may automatically collect Technical Data about your device, browsing behaviour, and usage patterns. This data is collected using technologies such as cookies, log files, web beacons, and similar tools. We may also receive Technical Data about you if you visit other websites that use our cookies. For more details, please see our [Cookie Policy].
c.    Third-Party and Publicly Available Sources: We may also collect Personal Data about you from:

i.    publicly available registers (such as Companies House or the Information Commissioner’s Office (ICO));

ii.    government or regulatory bodies; and

iii.    third-party service providers, integrations, or partners, where you have interacted with them in connection with our Services.

Any data received from third parties will only be processed in accordance with this Privacy Policy and Applicable Data Protection Laws.

10.    How We Use Your Personal Data

We may use your Personal Data for the following purposes:

a.    To provide and deliver our Services

•    Creating and managing user accounts.
•    Authenticating logins and enabling secure access.
•    Processing transactions and payments.

b.    To manage our relationship with you

•    Responding to enquiries, support requests, or complaints.
•    Sending important updates, such as service changes or terms updates.
•    Managing billing, renewals, and account administration.

c.    To operate, maintain, and improve our Services

•    Monitoring system performance and troubleshooting issues.
•    Enhancing user experience through analytics and feedback.
•    Developing new features, integrations, and improvements.

d.    To ensure security and prevent misuse

•    Detecting, preventing, and investigating fraud, unauthorised access, or abuse of our Services.
•    Monitoring usage for security threats and policy compliance.
•    Maintaining audit logs for accountability and IT governance.

e.    For legal and regulatory compliance

•    Complying with tax, accounting, and reporting obligations.
•    Cooperating with regulators, law enforcement, or courts where legally required.
•    Maintaining records of processing in accordance with Data Protection Laws.

f.    For marketing and communications (where permitted)

•    Sending you information about our products, services, and events.
•    Delivering relevant content, promotions, and updates.
•    Managing preferences and unsubscribes.

g.    To protect our legitimate business interests

•    Enforcing our Terms & Conditions and other agreements.
•    Exercising or defending legal claims.
•    Understanding usage trends to make strategic business decisions.

We will only use your Personal Data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis for doing so.

11.    Basis for Lawful Processing

We rely on the following lawful bases under Applicable Data Protection Laws, including the UK GDPR, to process your Personal Data:

•    Consent – where you have given us clear and specific permission to process your Personal Data for a particular purpose. For example, responding to your requests for information or sending you marketing communications about products and services we believe may interest you. You may withdraw your consent at any time by contacting us or using the unsubscribe option in our communications.
•    Legitimate Interests – where the processing is necessary for the legitimate interests of our business (or those of a third party), provided that your interests, rights, and freedoms do not override those interests. Examples include: improving and developing our Services, ensuring network and information security, preventing fraud, and operating our business effectively. Before relying on this basis, we carefully assess and balance our interests against any potential impact on you.
•    Performance of a Contract – where processing is necessary to perform a contract we have entered into with you, or to take steps at your request before entering into such a contract. This includes providing the Services, managing billing, and delivering customer support.
•    Legal or Regulatory Obligation – where processing is necessary to comply with a legal or regulatory obligation to which we are subject, such as obligations under tax, accounting, or anti-money laundering laws, or responding to lawful requests from regulators or law enforcement.

Special Categories of Data: We do not intentionally collect Special Categories of Personal Data. If such data is provided by you (e.g. through free-text fields), we will only process it where a valid legal basis under Article 9 UK GDPR applies (such as your explicit consent or compliance with legal obligations).

12.    Marketing

We respect your privacy and provide you with clear choices about how we use your Personal Data for marketing purposes.

Our Marketing

We may use your Identity, Contact, Technical, Usage, and Profile Data to assess which of our products, services, or events may be relevant to you. You will receive marketing communications from us if you have:

•    requested information about our products or services;
•    subscribed to our Services or registered for an event; and
•    not opted out of receiving marketing communications.

We rely on either your consent (where required by law, such as email marketing to new contacts) or our legitimate interests (for existing customers, where we balance our interests with your rights) as the lawful basis for sending marketing communications.

Third-Party Marketing

We will never sell your Personal Data. We will obtain your explicit consent (opt-in) before sharing your Personal Data with any third party outside NAUAS Ark Ltd for their own marketing purposes.

Opting Out

You can opt out of receiving marketing communications from us at any time by:

•    clicking the “unsubscribe” link in the footer of our marketing emails; or
•    contacting us directly at support@nauasark.com.

Opting out of marketing communications does not affect:

•    Service-related communications, such as subscription confirmations, billing updates, security alerts, or essential product/service notices; or
•    Transactional communications, such as information relating to purchases, account administration, or customer support.

13.    Disclosures of Your Personal Data

We may share your Personal Data with carefully selected third parties where necessary to deliver our Services, comply with legal obligations, or protect our legitimate interests. All disclosures are limited to what is strictly necessary and are subject to appropriate confidentiality, contractual, and security obligations.

Service Providers (Sub-Processors)

We engage trusted third-party providers who act as our Sub-processors and process Personal Data only on our instructions, in compliance with applicable data protection laws. These include:

•    Cloud Hosting Providers – such as Amazon Web Services, Microsoft Azure, or similar, used to securely host and store our platform data.
•    Payment Processors – engaged to process payments and manage billing in accordance with PCI DSS and data protection laws. We do not store full payment card details ourselves.
•    Analytics and Monitoring Tools – used to understand how users interact with our Services and to improve performance. Where feasible, this data is pseudonymised or aggregated so that it does not directly identify you.

Organisational Access and Identity Providers

If your organisation uses Single Sign-On (SSO) or other enterprise identity services, your Organisational Unit Administrator (“OU Admin”) may control your access, provision accounts, or integrate external tools. In these cases, your organisation is the Data Controller and their privacy policy will apply to how they handle your Personal Data.

Integration Partners

If you choose to connect our Services with third-party platforms (e.g. HR, IT management, or security tools), we may process limited Personal Data to enable the integration. Your use of such integrations is governed by the privacy policies of the respective third-party providers.

Legal and Regulatory Disclosures

We may disclose Personal Data to regulators, courts, law enforcement, or other authorities if required by law or where such disclosure is necessary to:

•    comply with a legal or regulatory obligation;
•    protect the rights, property, or safety of N.A.U.A.S Ark, our users, or others; or
•    prevent, detect, or respond to fraud, security issues, or abuse of our Services.

Restrictions on Use by Third Parties

We require all third parties with whom we share Personal Data to:

•    process it only for the specified purpose;
•    respect its confidentiality and apply appropriate security safeguards; and
•    comply with Applicable Data Protection Laws.

We do not allow our third-party service providers to use your Personal Data for their own purposes, and we do not sell or rent your Personal Data to any third parties.

14.    International Transfers

We primarily store and process your Personal Data within the United Kingdom (UK) and the European Economic Area (EEA). We will not transfer your Personal Data outside the UK or EEA unless such transfer is carried out in compliance with Applicable Data Protection Laws.

If it becomes necessary to transfer Personal Data to a country outside the UK or EEA (for example, to a trusted service provider), we will ensure that one of the following safeguards applies:

•    the destination country has been deemed by the UK Government or the European Commission to provide an adequate level of protection for Personal Data; or
•    appropriate safeguards are implemented, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the SCCs, together with any supplementary measures required; or
•    you have given your explicit consent to the transfer after being informed of the potential risks.

You may request further details about the specific safeguards we use for international transfers by contacting us at compliance@nauasark.com. 

15.    Data Security

We take the security of your Personal Data seriously and have implemented appropriate technical and organisational measures to protect it from accidental loss, misuse, unauthorised access, alteration, or disclosure. These measures include (where appropriate):

•    encryption of data in transit and at rest;
•    role-based access controls and authentication mechanisms;
•    secure data centres and cloud hosting providers with recognised certifications;
•    regular backups, disaster recovery, and business continuity procedures; and
•    regular testing, monitoring, and review of our security practices.

Access to Personal Data is strictly limited to employees, contractors, and authorised third parties who require it for business purposes. All such persons are bound by confidentiality obligations and will only process Personal Data on our instructions.

We maintain procedures to detect, investigate, and respond to suspected Personal Data Breaches. Where legally required, we will notify you and the relevant supervisory authority (such as the ICO) of a breach without undue delay. 

16.    Data Retention

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes for which it was collected, including to comply with legal, accounting, or reporting obligations. Once data is no longer required, we will securely delete or anonymise it.

Standard retention periods include:

•    Account information – retained for up to six (6) years after account closure, to allow us to respond to any legal claims.
•    Payment and transaction records – retained for six (6) years in accordance with tax and accounting requirements.
•    Analytics and usage logs – retained for up to two (2) years to support service improvements and security monitoring.

Where Personal Data has been anonymised (so that it no longer identifies you), we may retain it for longer periods for research, statistical, or analytical purposes.
In some cases, we may retain your Personal Data for longer where required by law, to resolve disputes, or to enforce our agreements.

17.    Your Legal Rights

Under applicable data protection laws, including the UK GDPR and the Data Protection Act 2018, you have rights in relation to your Personal Data. These rights are designed to give you more control over how your data is used.

Your rights include:

•    Right of Access – to request access to the Personal Data we hold about you (a “Subject Access Request”) and information about how it is processed.
•    Right to Rectification – to request correction of any incomplete or inaccurate data we hold about you.
•    Right to Erasure – to request deletion of your Personal Data where there is no legal or contractual reason for us to retain it.
•    Right to Restrict Processing – to request that we suspend processing of your Personal Data in certain circumstances, such as where you contest accuracy or object to use.
•    Right to Data Portability – where applicable, to request a copy of your Personal Data in a structured, commonly used, machine-readable format, or to have it transferred to another provider.
•    Right to Object – to object to our processing of your Personal Data where we rely on legitimate interests (including profiling), and to object absolutely to processing for direct marketing purposes.
•    Right to Withdraw Consent – if we rely on your consent, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before consent was withdrawn.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

compliance@nauasark.com.

When making a request, please:

•    specify which right(s) you wish to exercise;
•    provide sufficient information for us to verify your identity; and
•    include any relevant context or supporting details.

We will respond in accordance with data protection laws, typically within one (1) month. Where requests are complex or numerous, this period may be extended by up to two (2) additional months; if so, we will notify you.

In some cases, we may not be able to fulfil your request where we have overriding legal obligations or legitimate interests.

Right to Lodge a Complaint

If you are unhappy with how we handle your Personal Data, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns first, so please contact us before approaching the ICO.

18.    Technical and Diagnostic Data

In addition to the Personal Data you provide directly, we collect and process certain technical and diagnostic information to operate, secure, and improve the performance of our Services. This data is typically pseudonymised or anonymised and does not identify you directly.

IP Addresses

Every device connected to the internet is assigned an Internet Protocol (IP) address. We collect and store a truncated version of your IP address to:

•    analyse usage patterns by region;
•    monitor system performance; and
•    protect against misuse or suspicious activity.

HTTP Referrer Information

We collect referrer data (e.g. which webpage, email, or link directed you to our website or platform) to:

•    evaluate the effectiveness of referral sources;
•    monitor legitimate access; and
•    identify unusual or suspicious traffic.

Server Logs

Our servers automatically record requests made to our website and platform. These logs may include:

•    date and time of the request;
•    HTTP status codes and request duration;
•    truncated IP address;
•    browser type, language, and device details;
•    operating system;
•    accessed URLs or API endpoints.

We use this information to:

•    ensure the security and availability of our systems;
•    detect and investigate potential security incidents;
•    diagnose performance or technical issues; and
•    comply with applicable legal and regulatory requirements.

Sharing with Hosting and Security Providers

This technical information may be shared with our trusted third-party cloud hosting providers, analytics vendors, and cybersecurity partners strictly for:

•    infrastructure support;
•    protecting and monitoring our systems; and
•    analysing usage to improve performance.

All such third parties are contractually bound to process this data only on our instructions, and in compliance with applicable Data Protection Laws, including the UK GDPR. Safeguards such as encryption, access controls, and data minimisation are applied at all times.

19.    Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your Personal Data, you may contact us at:

Email: compliance@nauasark.com 

Address: NAUAS Ark Ltd, 124 City Road, London, England, EC1V 2NX

We take your privacy seriously and will do our best to resolve any issue or concern.

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority for data protection matters in your jurisdiction. In the UK, this is:

Information Commissioner’s Office (ICO)

www.ico.org.uk 

We would, however, appreciate the opportunity to resolve your concerns before you approach the ICO (or another supervisory authority), so please contact us first.

To help us keep your Personal Data accurate and up to date, please notify us of any changes to your information during the course of your relationship with us.