Privacy Policy

Last updated: 20 March 2026

This Privacy Policy explains how Artanis Ltd ("Artanis", "We", "Us", or "Our") collects, uses, shares, and protects personal data when You use Our website and platform. We are committed to protecting Your privacy and processing Your personal data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1. Data Controller

Artanis Ltd is the data controller for the personal data described in this Privacy Policy. Our details are:

Company: Artanis Ltd
Address: 71-75 Shelton Street, London WC2H 9JQ, United Kingdom
Email: privacy@artanis.ai

Important distinction: Artanis acts as a data controller for account and usage data (described in this Privacy Policy). Where Customers submit data to the Service that may contain personal data, Artanis acts as a data processor on the Customer's behalf, governed by Our Data Processing Agreement.

2. Data Protection Contact

Given the nature and scale of Our data processing activities, We are not currently required to appoint a Data Protection Officer under Article 37 of the UK GDPR. For any questions about data protection or to exercise Your rights, please contact us at privacy@artanis.ai.

3. What Personal Data We Collect

3.1 Account Data

When You create an account via Google OAuth, We receive and store:

Name
Email address
Profile photograph (as provided by Google)
Google account identifier

3.2 Usage Data

We automatically collect certain technical information when You use the Service:

IP address
Browser type and version
Device type and operating system
Pages visited and features used within the Service
Date and time of access
Referring URL

3.3 Communication Data

If You contact us via email or through the website, We collect Your name, email address, and the content of Your communication.

3.4 Customer-Submitted Data

Customers may submit data to the Service (such as prompts, AI inputs and outputs, labels, and evaluation data) that could contain personal data. We process this data as a data processor on the Customer's behalf, under the terms of Our Data Processing Agreement. This Privacy Policy does not govern Customer-submitted data; the Customer's own privacy policy applies to that data.

4. How and Why We Use Your Data

We only process Your personal data when We have a lawful basis to do so under Article 6(1) of the UK GDPR:

Purpose	Lawful Basis	Data Used
Providing and maintaining the Service	Contract (Art. 6(1)(b))	Account data, usage data
Account authentication via Google OAuth	Contract (Art. 6(1)(b))	Account data
Responding to Your enquiries	Legitimate interest (Art. 6(1)(f))	Communication data
Security monitoring and fraud prevention	Legitimate interest (Art. 6(1)(f))	Usage data, IP address
Product improvement and analytics	Legitimate interest (Art. 6(1)(f))	Aggregated usage data
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))	Account data, billing data
Marketing communications	Consent (Art. 6(1)(a))	Name, email address

Where We rely on legitimate interests, We have conducted a balancing test to ensure that Our interests do not override Your fundamental rights and freedoms.

5. Google OAuth

We use Google OAuth as Our sole authentication method. When You sign in with Google, We receive the data listed in Section 3.1. We do not receive or store Your Google password. Our use of information received from Google APIs adheres to Google's API Services User Data Policy.

6. Cookies and Tracking Technologies

We use only strictly necessary cookies to operate the Service, including session cookies for authentication and security. We do not use third-party advertising or tracking cookies. Because these cookies are strictly necessary for the operation of the Service, they do not require Your consent under the Privacy and Electronic Communications Regulations 2003 (PECR).

7. Who We Share Your Data With

We share personal data only with the following categories of recipients, and only to the extent necessary:

Sub-Processor	Purpose	Location
Vercel Inc.	Application hosting and content delivery	United States
Google LLC	Authentication (Google OAuth) and AI processing (Gemini API)	United States

We may also disclose personal data where required by law, regulation, legal process, or governmental request.

We do not sell Your personal data. We do not share personal data with third parties for their own marketing purposes.

8. International Data Transfers

Some of Our sub-processors are based in the United States. When personal data is transferred outside the United Kingdom, We ensure appropriate safeguards are in place in accordance with Article 46 of the UK GDPR, including:

The UK International Data Transfer Agreement (UK IDTA) issued by the Information Commissioner's Office; or
The EU Standard Contractual Clauses (2021) supplemented by the UK Addendum.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@artanis.ai.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

Account data: retained for the duration of Your account, plus 30 days after account deletion to facilitate data export.
Usage data: retained for up to 24 months, then aggregated or deleted.
Communication data: retained for up to 24 months after the last communication.
Billing records: retained for 7 years as required by UK tax law (HMRC).

Customer-submitted data is retained and deleted in accordance with Our Data Processing Agreement.

10. Your Rights Under UK GDPR

Under the UK GDPR, You have the following rights in relation to Your personal data. You may exercise any of these rights by contacting us at privacy@artanis.ai.

Right of access (Art. 15): You have the right to request a copy of the personal data We hold about You, together with information about how We process it.
Right to rectification (Art. 16): You have the right to request that We correct any inaccurate or incomplete personal data We hold about You.
Right to erasure (Art. 17): You have the right to request that We delete Your personal data, subject to certain legal exceptions (for example, where We are required to retain data for legal compliance).
Right to restriction of processing (Art. 18): You have the right to request that We restrict the processing of Your personal data in certain circumstances, such as where You contest the accuracy of the data.
Right to data portability (Art. 20): You have the right to receive Your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to object (Art. 21): You have the right to object to processing of Your personal data based on legitimate interests. Where You object to processing for direct marketing purposes, We will stop processing immediately.
Rights related to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects You. We do not currently make any such automated decisions.

We will respond to Your request within one month. In complex cases, We may extend this period by a further two months, in which case We will inform You of the extension and the reasons for it within the first month.

We will not charge a fee for handling Your request unless the request is manifestly unfounded or excessive, in which case We may charge a reasonable fee or refuse to act on the request.

11. Withdrawing Consent

Where We process Your personal data on the basis of consent (such as for marketing communications), You have the right to withdraw Your consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal. You may withdraw consent by contacting us at privacy@artanis.ai or by using the unsubscribe link in any marketing email.

12. Right to Lodge a Complaint

If You are unhappy with how We have handled Your personal data, You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the chance to address Your concerns before You approach the ICO, so please contact us first at privacy@artanis.ai.

13. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If We become aware that We have collected personal data from a child, We will take steps to delete that data promptly.

14. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by Us. We have no control over and assume no responsibility for the privacy practices of any third-party sites. We encourage You to review the privacy policy of every site You visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify You of material changes by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised.

16. Contact Us

If You have any questions about this Privacy Policy or wish to exercise Your data protection rights, please contact us:

By email: privacy@artanis.ai
By post: Artanis Ltd, 71-75 Shelton Street, London WC2H 9JQ, United Kingdom