Privacy Policy
Last updated: 30 April 2026
1. Who We Are
Noctara Security Ltd ("we", "us", "our") is the data controller for personal data we process to operate the Noctara Red platform, including account, subscription, and operational data. When customers upload engagement evidence, scan outputs, or report content into the platform, we act as a data processor on the customer's instructions.
2. Data We Collect
- Account registration data such as email address and company name.
- Authentication and session data used to keep users signed in securely.
- Billing and subscription data required to manage plans, invoices, and payments.
- Customer Data uploaded into the platform, including scan outputs, evidence files, report drafts, and related pentest content.
- AI-assisted processing outputs generated from uploaded Customer Data, such as enriched findings, remediation guidance, and report narratives.
- Operational and security logs needed to keep the service reliable and secure.
3. Why We Use Your Data
- To create and manage user accounts.
- To authenticate users and maintain secure access to the platform.
- To process uploaded evidence and generate platform outputs for customers.
- To manage subscriptions, token balances, billing events, and payments.
- To detect abuse, investigate incidents, and protect the platform.
- To provide support and respond to operational or legal requests.
4. UK GDPR Lawful Bases
- Contract: where processing is necessary to provide the Noctara Red service you signed up for.
- Legitimate interests: for platform security, fraud prevention, service operations, and support.
- Legal obligations: where we must retain or disclose data under applicable law.
- Processing on customer instructions: where we process Customer Data as a processor, the customer, as controller, is responsible for establishing its own lawful basis, and we process that data only on the customer's documented instructions.
5. Data Retention
We retain different categories of data for different periods depending on the purpose and legal basis. Customer Data is generally retained for the duration of the subscription plus 30 days after termination, unless a longer retention period is required by law. Account, billing, and support records may be retained longer where needed for contractual, tax, or dispute-resolution reasons.
Full retention periods are described in our Data Retention Policy.
6. Processors and Sharing
We use service providers to operate the platform, including:
- Supabase for authentication, database, and storage infrastructure
- Stripe for subscription billing, payments, and customer billing workflows
- OpenAI for AI-assisted report generation and enrichment features
- Vercel for application hosting and delivery infrastructure
A current list of subprocessors is maintained on our Subprocessor List.
Some processing may occur outside the UK or EEA, for example where a subprocessor listed above operates infrastructure in the United States. Where that happens, we rely on appropriate transfer safeguards under UK data protection law, such as UK adequacy regulations or approved contractual transfer mechanisms.
7. Your Rights
Under UK GDPR, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Request deletion
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time where processing relies on consent
If your personal data appears inside Customer Data uploaded by one of our customers for a security engagement (for example, in scan output or engagement evidence), that customer is usually the data controller for that data and is the correct first point of contact for rights requests. We will forward any request we receive about such data to the relevant customer and assist them as their processor.
8. Contact
For privacy requests, contact info@noctara.tech