Privacy Policy

This policy tells you what data Ianura collects, why, and what rights you have. It applies to Vigilia and ianura.com.

1. About this policy

This policy describes how Ianura Ltd handles personal data in connection with Vigilia and the ianura.com website. It applies to anyone who creates an account, uses Vigilia, or visits our marketing pages. It does not cover third-party services you reach through external links.

We draft this policy to be dual-compliant with the UK General Data Protection Regulation (UK GDPR, as tailored by the Data Protection Act 2018) and the EU General Data Protection Regulation (Regulation 2016/679) (EU GDPR).

2. Who we are

Ianura Ltd is a company registered in England and Wales. We are the data controller for personal data processed in connection with Vigilia and ianura.com.

Our internal privacy lead is Corneliu Moisei. We are not required to appoint a formal Data Protection Officer under UK GDPR Article 37 or EU GDPR Article 37 (Ianura is under the 250-employee threshold and the processing is not large-scale / systematic monitoring / special-category within the meaning of those Articles), but Corneliu is the named point of contact for data protection matters within Ianura.

We have not appointed an EU representative under EU GDPR Article 27 at this time. We rely on the Article 27(2) exemption for processing that is occasional, does not include large-scale processing of special categories, and is unlikely to result in a risk to the rights and freedoms of natural persons. We will review this position as usage patterns develop.

For contact details, see §16.

3. What data we collect

We collect the following categories of personal data:

• Account data — email address, bcrypt password hash, organisation name (where you provide it), the tier you are subscribed to, the product you signed up for, account creation and last-login timestamps.
• Customer Rule Sets — the rules, controls, policies, or compliance frameworks you submit for structural analysis. For Vigilia, these are security control stacks (e.g., NIST 800-53, CIS Controls, ISO 27001 implementations). These rule sets may incidentally contain personal data; you are the controller for any personal data within a Customer Rule Set and Ianura acts as a processor for that data.
• Analysis outputs (Findings) — coverage gaps, remediation suggestions, and related reports produced by the engine from your Customer Rule Sets.
• Usage and telemetry data — IP addresses, session identifiers, page requests, user-agent strings, request timestamps, and feature usage, collected through server logs and session cookies. Used for security, diagnostics, and product improvement.
• Billing data — Stripe customer ID, subscription tier, plan cycle, Stripe subscription ID. Card details are held directly by Stripe; Ianura does not store card numbers, CVV codes, or expiry dates.
• Email-verification state — during signup only, your email address and a hashed password are held in a transient pending_signups table with a verification token, pending click-through on a verification link. Rows expire after 24 hours and are deleted on verification.
• Support communications — emails you send us at any of the addresses in §16, and any information you include in them.

4. Lawful bases for processing

We process personal data on the following lawful bases under UK GDPR Article 6 / EU GDPR Article 6:

• Contract performance (Art. 6(1)(b)) — processing necessary to deliver the product to you under the Terms of Service: account creation, authentication, running analyses, storing Findings, handling billing through Stripe, sending verification and transactional emails.
• Legitimate interests (Art. 6(1)(f)) — product improvement, security monitoring, fraud prevention, server-log retention for diagnostics. We have assessed these interests against your rights and concluded the processing is proportionate, but you can object at any time (see §9).
• Legal obligation (Art. 6(1)(c)) — tax and accounting record-keeping, compliance with lawful requests from regulators or law enforcement.
• Consent (Art. 6(1)(a)) — any optional processing we may introduce (for example, marketing emails or optional analytics) will require explicit opt-in and can be withdrawn without detriment.

Where Ianura acts as a processor on behalf of the Customer for personal data incidentally contained in a Customer Rule Set, the Customer is responsible for identifying their own lawful basis under Article 6.

5. How we use your data

• To authenticate you and maintain your session.
• To accept Customer Rule Sets, run structural coverage analysis, and return Findings.
• To process payments through Stripe and manage your subscription.
• To send transactional emails (verification, password reset, billing receipts, service notices).
• To maintain security: detect brute-force attempts, anomalous access, and misuse consistent with the Acceptable Use Policy.
• To diagnose bugs and improve the product.
• To comply with applicable law.

We do not use your personal data or your Customer Rule Sets to train any machine learning or artificial intelligence model — our own or any third party's. We do not sell personal data. We do not use personal data for advertising profiling. We do not share personal data with any entity except the sub-processors listed in §6.

6. Data sharing — sub-processors

We engage a small number of sub-processors to deliver the product. Each is bound by a data-processing agreement (DPA) with obligations materially no less protective than those set out here:

• Stripe, Inc. — payment processing. Ianura shares only a Stripe customer ID and subscription details; card data is held by Stripe. Stripe's privacy notice: stripe.com/privacy. Stripe is established in Ireland (EU) and the United States; transfers outside the UK/EEA rely on Standard Contractual Clauses.
• Postmark (ActiveCampaign, Inc.) — transactional email delivery (signup verification, password reset, billing receipts). Postmark's privacy notice: postmarkapp.com/privacy-policy. Postmark is established in the United States; transfers rely on Standard Contractual Clauses.
• Hetzner Online GmbH — hosting infrastructure. The Ianura production servers are located in Germany. Hetzner's privacy notice: hetzner.com/legal/privacy-policy. No transfer outside the EU/EEA for hosting.

A current list of sub-processors is available on request to legal@ianura.com. We will give reasonable prior notice before engaging a new sub-processor that processes personal data.

We do not share personal data for advertising, profiling, or resale.

Ianura-operated infrastructure

We operate self-hosted observability tools on our own infrastructure. These are not shared with third parties and do not involve data transfers outside the UK or the sub-processor list above:

• Web analytics (Umami) — aggregate visit counts, page views, and referrer sources. No tracking cookies are set; no personally identifiable data is collected. Deployed as an Ianura-operated container alongside the product stack.
• Error monitoring (GlitchTip) — application errors and a small set of aggregate business events (signup submission, tier-pick, checkout initiation) are recorded to maintain product reliability. Request data is scrubbed of sensitive fields (email, password, session tokens, Stripe customer ID) before any event is recorded. Event metadata is limited to product name, tier class, and billing cycle. Deployed as an Ianura-operated container alongside the product stack.

Our lawful basis for this processing is legitimate interests (UK GDPR Art. 6(1)(f)) — operating a reliable product and measuring aggregate usage. We have assessed these interests against your rights and concluded the processing is proportionate; you can object at any time (see §9).

7. International transfers

Hosting is in the EU (Germany). Stripe and Postmark are established in the United States; data transferred to them is subject to Standard Contractual Clauses (SCCs) under UK GDPR and EU GDPR, supplemented by our sub-processor DPAs.

The UK has adequacy decisions with the EEA (data flows UK↔EEA are free). The UK does not currently have an adequacy decision with the United States; the UK Extension to the EU-US Data Privacy Framework applies to participating US organisations. Where a sub-processor does not participate in the Framework, we rely on SCCs as the Article 46 UK GDPR transfer mechanism.

We do not transfer personal data to any other third country.

8. Retention

We retain personal data only as long as necessary for the purposes set out in §5, or as required by law:

• Account data and Customer Data — retained for the duration of your subscription and for thirty (30) days after termination (see ToS §7.5), after which we delete it, save to the extent retention is required by law.
• Billing records — retained for six (6) years after the end of the accounting period, in accordance with UK tax law (HMRC requirements).
• Server and application logs — retained for ninety (90) days for security and diagnostics, then deleted.
• Pending signup records — retained for twenty-four (24) hours, then expired and deleted.
• Support communications — retained for two (2) years from the last correspondence, then deleted.

9. Your rights

You have the following rights under UK GDPR and EU GDPR in respect of personal data we hold about you:

• Right of access (Art. 15) — you may ask us for a copy of the personal data we hold about you, along with information about how we process it.
• Right to rectification (Art. 16) — you may ask us to correct inaccurate or incomplete personal data.
• Right to erasure / "right to be forgotten" (Art. 17) — you may ask us to delete personal data, subject to the lawful bases on which we retain it (e.g., tax records).
• Right to restriction (Art. 18) — you may ask us to restrict processing in certain circumstances, for example while you contest the accuracy of data.
• Right to data portability (Art. 20) — where processing is based on contract or consent and is carried out by automated means, you may ask us to provide your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — you may object at any time to processing based on legitimate interests (§4).
• Right to withdraw consent (Art. 7(3)) — where we process on the basis of consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• No automated decision-making with legal or similarly significant effects (Art. 22) — we do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. Findings produced by Ianura are structural observations that you, the Customer, decide how to act on.

To exercise any of these rights, email legal@ianura.com from the email address associated with your account (we may ask for reasonable additional identification if we cannot verify the request from the email alone). We will respond without undue delay and in any event within one month of receipt of your request (Art. 12(3)). We may extend this by two further months where necessary, taking into account the complexity and number of the requests, and will notify you of any extension within the first month.

Exercising these rights is free unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by Art. 12(5).

10. Cookies

We use a single session cookie for authentication (vigil_session). It is an essential cookie: without it, you cannot stay logged in. It is set with HttpOnly, Secure, and SameSite=Lax flags.

No analytics cookies. We do not use Google Analytics, Hotjar, Facebook Pixel, or any third-party analytics or advertising tracker. We do not set cookies for marketing, retargeting, or cross-site profiling.

Under the UK Privacy and Electronic Communications Regulations 2003 (PECR) and the EU ePrivacy Directive, the session cookie is strictly necessary for the service you have requested and does not require a consent banner. If we introduce any non-essential cookies in future, we will request consent first.

11. Security

We use technical and organisational measures appropriate to the risk of processing, including:

• TLS in transit (HTTPS across all product domains).
• Encryption at rest for database volumes and backups.
• Password hashing with bcrypt.
• Role-based access controls and session expiry on inactivity.
• Audit logs for authentication, account changes, and rule-set ingestion.
• Regular backups with a restore procedure and a documented rollback plan.
• Segregation of production, staging, and development environments.

We maintain records of our processing activities in accordance with UK GDPR Article 30 where applicable. No security regime is absolute; if you believe you have discovered a vulnerability or suspect a compromise, contact security@ianura.com.

12. Children

Ianura products are business-to-business tools. We do not knowingly collect personal data from anyone under the age of 18, or the age of legal contracting capacity in the user's jurisdiction, whichever is higher. If you believe we hold data about someone below that age, please contact legal@ianura.com and we will delete it promptly.

13. Breach notification

In the event of a personal-data breach (as defined in UK GDPR Article 4(12)), Ianura will:

• Notify the relevant supervisory authority (the UK ICO for UK users; the lead EU supervisory authority for EU users) without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, in accordance with UK GDPR Article 33 / EU GDPR Article 33.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Art. 34.
• Where Ianura is a processor for Customer Data, notify the Customer (as controller) without undue delay upon becoming aware of a breach affecting that data, in accordance with Art. 33(2).

To report a suspected breach or security incident, contact security@ianura.com.

14. Complaints to a supervisory authority

If you consider that we have infringed data-protection law, you have the right to lodge a complaint with a supervisory authority:

• UK users — the UK Information Commissioner's Office (ICO): ico.org.uk. Helpline: 0303 123 1113.
• EU users — the supervisory authority of the Member State where you reside, work, or where the alleged infringement took place. A list of EU member-state authorities is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.

We encourage you to contact us first at legal@ianura.com so we can try to resolve the matter directly, but you are not required to do so.

15. Changes to this policy

We may update this policy from time to time. The effective date at the top reflects the latest revision. Material changes will be notified to registered account holders by email in advance of the change. A version history is maintained internally and is available on request.

16. Contact

For different privacy-related matters, please use the relevant mailbox:

• Data subject rights requests (Art. 15–22 UK/EU GDPR): legal@ianura.com
• General privacy questions: info@ianura.com
• Data breach reports or security incidents: security@ianura.com
• Complaints about our data handling: legal@ianura.com
• Anonymous reports of suspected misuse (cross-reference to the Acceptable Use Policy): abuse@ianura.com

Postal address available on request (UK registered office).