Privacy Notice
This Privacy Notice explains how Priam Cyber AI Ltd ("we", "us", "our") collects, uses, and protects personal data when you visit priam.ai or contact us. This notice covers our marketing website only. Our security operations product, AVA — accessible at ava.priam.ai — is governed by a separate notice referenced at signup.
We are committed to processing personal data lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the Data Protection Act 2018.
1. Who we are
Controller
Priam Cyber AI Ltd
71–75 Shelton Street, London, Greater London, United Kingdom, WC2H 9JQ
Companies House registration number: 12932723
Contact
General inquiries: [email protected]
Privacy and data protection: [email protected]
2. What this notice covers
This notice applies to personal data we process through:
- The marketing website at priam.ai, including its forms (briefing requests, trial signup intake, general contact)
- Email correspondence sent to [email protected], [email protected], or [email protected]
- Server and edge logs generated when you visit the site
- Aggregate analytics (planned: Plausible self-hosted, cookieless — see §5)
It does not cover:
- The AVA product environment at ava.priam.ai (separate notice)
- Personal data processed under a contract or commercial agreement with us (handled per the relevant agreement)
- Third-party websites linked from priam.ai (their own notices apply)
3. Personal data we collect
3.1 Information you provide directly
When you submit a form or contact us, we collect:
- Briefing request form (homepage "Book a briefing" and "Send us one alert" CTAs): name, work email, company, role, and the content of the message or alert payload you choose to share
- Trial signup form (/trial): work email, full name, company, title, daily alert volume range
- Email correspondence: any information you choose to disclose in the body of the message, including signature blocks, attachments, and prior thread context
3.2 Information collected automatically
When you visit priam.ai, our infrastructure (Cloudflare) automatically processes:
- IP address (truncated where possible at the edge)
- User agent string (browser, OS, device class)
- Requested URL, referrer, timestamp
- Bot management signals (Cloudflare's __cf_bm functional cookie — see Cookies Policy)
We do not run advertising trackers, social media pixels, or behavioural profiling tools.
3.3 Aggregate analytics
We plan to deploy a self-hosted instance of Plausible Analytics, which is cookieless and processes no personal data. Plausible aggregates page visits and referrer counts at the page level without setting any cookies, fingerprinting devices, or identifying individuals. Until Plausible is live, no analytics platform is active on the site.
4. Why we use it (legal basis)
| Purpose | Legal basis (UK GDPR / GDPR Article 6) |
|---|---|
| Responding to briefing requests, trial inquiries, and general contact | 6(1)(b) — pre-contractual steps at your request |
| Maintaining records of correspondence for service quality and follow-up | 6(1)(f) — legitimate interest in operating the business |
| Server and edge logging for security, abuse prevention, and infrastructure operation | 6(1)(f) — legitimate interest in protecting the service |
| Aggregate, cookieless analytics for site improvement | 6(1)(f) — legitimate interest, no personal data processed |
We do not rely on consent for any processing on the marketing site at this time, because no consent-requiring cookies or trackers are active. If this changes, we will update this notice and present a consent mechanism before any new processing begins.
5. Sub-processors
We use a small number of carefully selected sub-processors to operate the marketing site. Each is contractually bound to GDPR-compliant terms.
| Sub-processor | Role | Jurisdiction |
|---|---|---|
| Microsoft Corporation (Microsoft 365) | Hosting of hello@, briefings@, trial@ mailboxes | EU and UK (per Microsoft EU Data Boundary commitments) |
| Cloudflare, Inc. | DNS, edge CDN, hosting (Cloudflare Pages), bot management, TLS termination | Global edge network; EU data localization where supported |
| Stripe Payments UK Ltd | Payment processing for /trial (Phase 5 — not yet active) | United Kingdom |
| Resend, Inc. | Transactional email delivery for form responses (Phase 5 — not yet active) | United States, with EU-aligned subprocessor terms |
| Microsoft Corporation (Azure) | Hosting of self-hosted Plausible Analytics instance (planned) | United Kingdom (Azure UK South region) |
A full and current sub-processor list is also published on our Trust page. When we add or change a sub-processor that materially affects how personal data is processed, we will update both lists.
6. Data residency
Primary data processing occurs within the EU and the UK:
- Mailboxes (Microsoft 365): EU/UK Microsoft data centres under the EU Data Boundary
- Cloudflare edge: EU data localization applied where supported; some operational metadata may transit Cloudflare's global network
- Self-hosted Plausible (planned): Microsoft Azure UK South region
Where any sub-processor processes personal data outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, with transfer impact assessments available on request to [email protected].
7. Retention
| Data category | Retention |
|---|---|
| Form submissions (briefing, trial, contact) | 24 months from last contact, unless converted to an active customer relationship in which case retained per the customer agreement |
| Email correspondence | Per Microsoft 365 default retention policies (Inbox: indefinite until deleted; Deleted Items: 30 days) |
| Cloudflare edge logs | Per Cloudflare's default retention (typically 30–90 days) |
| Aggregate analytics (planned) | Indefinite at aggregate level; no individual records exist |
You may request deletion of your data at any time — see §8.
8. Your rights
Under UK GDPR and GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion (subject to legal retention obligations)
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent (currently not applicable on this site)
- Lodge a complaint with a supervisory authority
To exercise any right, email [email protected]. We will respond within one calendar month.
If you are unhappy with our response, you may complain to:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- European Union: your local Data Protection Authority — list at edpb.europa.eu/about-edpb/about-edpb/members_en
9. International transfers
We aim to keep personal data within the UK and EEA. Where transfers outside this region occur (for example, Resend's US operations or Cloudflare's global edge), we rely on:
- Standard Contractual Clauses (EU and UK versions)
- The UK International Data Transfer Addendum where applicable
- Transfer impact assessments documenting the safeguards in place
Documentation is available on request to [email protected].
10. Security
We follow security practices appropriate to our scale and the sensitivity of the data we hold. Specific measures are described on our Trust page. At a minimum:
- TLS 1.2+ in transit, sub-processor-managed encryption at rest
- Multi-factor authentication on all administrative accounts
- Hardware-key-protected access to production hosting and DNS
- Incident notification commitments per UK GDPR Article 33 (within 72 hours of discovery for incidents affecting personal data)
Responsible disclosure: [email protected]. See Trust page for our 90-day disclosure commitment.
11. Children
The marketing site is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has submitted information through our forms, contact [email protected] and we will delete it.
12. Changes to this notice
We may update this notice as our processing changes. The Last updated date at the top reflects the most recent revision. Material changes — those that affect your rights or how we process your data — will be highlighted on the site for at least 30 days.
13. Contact
For any privacy or data protection question:
- Email: [email protected]
- Post: Priam Cyber AI Ltd, 71–75 Shelton Street, London WC2H 9JQ, United Kingdom
We aim to respond to all privacy inquiries within 5 working days.
This notice is currently a working draft. Substantive iteration, including legal review, is scheduled post-launch.