Privacy Policy

Last Updated: March 3, 2026

Your privacy is important to us. This Privacy Policy explains how Pentesys Ltd collects, uses, shares, and protects your personal information when you use the Mirage platform.

1. Data Controller

The data controller responsible for your personal information is:

Pentesys Ltd
Email: [email protected]

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at [email protected].

2. Information We Collect

2.1 Information You Provide

| Category | Examples |
|---|---|
| Account Information | Name, email address, company name, job title, phone number, password (hashed) |
| Billing Information | Payment card details (processed by Stripe), billing address, VAT number, invoice history |
| Organisation Information | Company name, industry, size, domains owned, team member details |
| Target Information | Domain names, IP addresses, URLs, network ranges submitted for testing |
| Communications | Support tickets, chat messages, emails, feedback, survey responses |

2.2 Information Collected Automatically

| Category | Examples |
|---|---|
| Usage Data | Pages visited, features used, actions taken, time spent, click patterns |
| Device Information | IP address, browser type, operating system, device identifiers, screen resolution |
| Log Data | Access times, error logs, referrer URLs, API calls, authentication events |
| Location Data | Country and city (derived from IP address), timezone |
2.3 Information from Security Testing

When you use our security testing services, we may collect:

  • Scan Results: Vulnerabilities discovered, security findings, asset inventories
  • Technical Data: SSL certificates, HTTP headers, technology fingerprints, open ports
  • Evidence: Screenshots, proof-of-concept data, request/response logs
  • Reports: Penetration test reports, executive summaries, remediation guidance

Important: We only collect security testing data for systems you have authorised us to test. We do not intentionally collect personal data from your Target systems, though such data may incidentally appear in security findings.

2.4 Information from Third Parties

  • Identity Providers: If you use single sign-on (SSO), we receive profile information from your identity provider (e.g., Azure AD, Google Workspace)
  • Payment Processors: Stripe provides transaction confirmation and fraud prevention data
  • Public Sources: WHOIS data, DNS records, SSL certificate transparency logs (for asset discovery)

3. How We Use Your Information

| Purpose | Description |
|---|---|
| Service Delivery | Providing attack surface monitoring, penetration testing, and security assessments |
| Account Management | Creating and managing your account, authenticating users, processing subscriptions |
| Billing & Payments | Processing payments, managing credits, sending invoices, handling refunds |
| Communication | Sending service notifications, security alerts, support responses, and (with consent) marketing |
| Platform Improvement | Analysing usage patterns, debugging issues, developing new features |
| Security | Detecting fraud, preventing abuse, protecting our systems and users |
| Legal Compliance | Meeting regulatory requirements, responding to legal requests, enforcing our Terms |
| Research & Analytics | Aggregated, anonymised analysis to improve security intelligence and industry benchmarks |

5. Data Sharing & Third Parties

5.1 Service Providers

We share data with trusted service providers who assist in operating our Platform:

| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | All platform data (encrypted) |
| Payment Processing (Stripe) | Handling payments | Billing information, transaction details |
| Email Services | Sending notifications | Email addresses, message content |
| Analytics | Platform improvement | Usage data (anonymised where possible) |
| Customer Support | Ticket management | Contact details, support history |

5.2 When We May Disclose Data

We may disclose your information in the following circumstances:

  • Legal Requirements: When required by law, court order, or government request
  • Safety & Security: To protect the rights, safety, or property of Pentesys, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)
  • With Your Consent: When you have given explicit permission

5.3 What We Do NOT Do

  • We do NOT sell your personal information to third parties.
  • We do NOT share your security findings with other customers.
  • We do NOT use your data for advertising purposes.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the UK and European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries with adequate data protection (as determined by the UK/EU)
  • Standard Contractual Clauses: EU-approved contractual terms for data protection
  • Binding Corporate Rules: Internal policies for multinational service providers
  • Certification Schemes: Such as the UK Extension to the EU-US Data Privacy Framework

You may request a copy of the safeguards we use by contacting [email protected].

7. Data Security

We implement comprehensive security measures to protect your personal information:

7.1 Technical Measures

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication, session management
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring, logging, and alerting
  • Vulnerability Management: Regular security assessments and patching

7.2 Organisational Measures

  • Employee Vetting: Background checks for all staff with data access
  • Training: Regular security awareness and data protection training
  • Policies: Comprehensive information security policies and procedures
  • Incident Response: Documented procedures for handling security incidents

7.3 Multi-Tenancy

The Platform uses a multi-tenant architecture with strict data isolation. Your data is logically separated from other customers and accessible only by your authorised users.

7.4 Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay (where required)
  • Document the breach and remediation actions

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 2 years | Service delivery, re-activation |
| Security Scan Results | 12 months from scan date | Trend analysis, historical comparison |
| Penetration Test Reports | 7 years | Compliance, audit requirements |
| Billing Records | 7 years | Legal and tax requirements |
| Support Communications | 3 years | Service improvement, dispute resolution |
| Security Logs | 1 year | Security monitoring, incident investigation |
| Marketing Preferences | Until consent withdrawn | Respecting your preferences |

After the retention period, data is securely deleted or anonymised for statistical purposes.

9. Your Rights

Under data protection laws, you have the following rights:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing

Request limitation of how we use your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for marketing.

Rights Related to Automated Decisions

Not be subject to decisions based solely on automated processing.

Right to Withdraw Consent

Withdraw consent at any time (where processing is based on consent).

9.1 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within one month (extendable by two months for complex requests).

9.2 Identity Verification

We may need to verify your identity before processing your request to protect your data from unauthorised access.

9.3 Supervisory Authority

If you are dissatisfied with our response, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.

10. Cookies & Tracking

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Platform. They help us provide functionality and improve your experience.

10.2 Types of Cookies We Use

| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, security (CSRF protection) | Session / 2 weeks |
| Functional | Remembering preferences (theme, language, timezone) | 1 year |
| Analytics | Understanding usage patterns to improve the Platform | 1 year |

10.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using the Platform.

10.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals as there is no industry standard for handling such requests.

11. Children's Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email or prominent Platform notice
  • Where required, seek your consent to the changes

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Enquiries

[email protected]

Data Protection Officer

[email protected]

Pentesys Ltd
United Kingdom

By using the Mirage platform, you acknowledge that you have read and understood this Privacy Policy.