HowPenteorTechnologyLimitedcollects,uses,stores,andprotectsyourpersonaldataunderGDPR.
Penteor Technology Limited operates an on-demand, manual security testing platform accessible via our website, our cloud-based application, and associated digital services. Throughout this document, “we”, “us”, or “our” refers to Penteor Technology Limited, which acts as the data controller under GDPR. For all data protection enquiries, including to contact our Data Protection Officer, please visit our Contact page. This policy covers personal data collected through our public-facing website only. A separate privacy notice for registered platform users is provided during account registration.
We collect only the minimum personal data necessary. When you submit our Contact form, we collect your full name, email address, and message content — used to address you and respond to your enquiry, based on our legitimate interest under Art. 6(1)(f) GDPR. Automatically, we and our technology partners may record your IP address, device and browser identifiers, clickstream data, and marketing conversion data. Where we rely on consent for these, you may withdraw at any time via our cookie preference center.
We use third-party tools that may receive or process your personal data as independent controllers, where applicable, including Google Analytics for aggregate site usage measurement. Where these tools use non-essential cookies, your prior consent is collected through our cookie management interface. Each provider is bound by Data Processing Agreements restricting the processing of your personal data. Where providers are outside the EEA, we apply appropriate transfer safeguards.
We adhere to the storage limitation principle under GDPR Art. 5(1)(e). Contact form enquiries are retained for 24 months from last contact. Analytics data retention follows each tool's configuration, typically 14–26 months. Marketing data is kept until opt-out or consent withdrawal. Legal and compliance records are retained as required by applicable law. Backup copies are purged in line with our scheduled rotation policy.
Our core operations are within the EEA. Where third-party tools transfer data outside the EEA, we ensure at least one safeguard applies: an adequacy decision by the European Commission (e.g. EU–US Data Privacy Framework), Standard Contractual Clauses (SCCs) approved by the Commission, or other appropriate safeguards under Art. 46 GDPR. You may request transfer mechanism details via our Contact page.
We rely on a specific lawful basis for each processing activity under GDPR Art. 6: Consent for non-essential cookies and direct marketing; Contract performance for platform users; Legal obligation for financial and regulatory recordkeeping; Legitimate interests for responding to enquiries, site security, and service improvement — following a balancing test against your rights and freedoms. You may object to legitimate interest processing; see Your Rights.
We do not sell, rent, or commercially exploit your personal data. Disclosure occurs only to: data processors acting under our instruction (bound by Art. 28 GDPR agreements); entities within the Penteor group; in corporate transactions (merger, acquisition) with prior notice; where required by law, court order, or regulatory authority; or with your explicit consent.
Ideas, product suggestions, or other unsolicited content you send voluntarily will not be treated as confidential information. By submitting such content, you grant us a perpetual, royalty-free right to use, reproduce, and distribute it, unless agreed otherwise in writing.
Under GDPR Chapter III, you have the right to: Access your data (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Object to processing (Art. 21) — direct marketing objections are absolute, Withdraw consent (Art. 7(3)), and protection from automated decisions (Art. 22 — we do not make solely automated decisions). Requests are handled within one calendar month and are free of charge. Contact us via our Contact page. You may also lodge a complaint with a supervisory authority, in particular in your Member State of residence.
We apply technical and organizational security measures proportionate to the risks involved, as required by Art. 32 GDPR, including encryption in transit, access controls, and regular security reviews. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours (Art. 33) and communicate with affected individuals where the risk is high (Art. 34).
Our Site may contain links to external websites outside our control. This policy does not apply to those sites. We encourage you to consult the privacy notices of any external sites you visit. The presence of a link does not indicate our endorsement of a third party’s privacy practices.
We review and update this policy periodically to reflect changes to our processing activities, applicable law, or regulatory guidance. Where changes are material, we provide clear notice on the Site and, where required, seek fresh consent. The effective date appears at the top of this document.
Penteor does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals, as defined under GDPR Article 22. No decisions regarding service access, pricing, or engagement terms are made solely by automated means without meaningful human involvement. Should we introduce any form of automated processing that could affect your rights in the future, we will update this policy, conduct a Data Protection Impact Assessment (DPIA) where required, and implement appropriate safeguards including the right to obtain human intervention, to express your point of view, and to contest the decision.
For all privacy enquiries, data subject rights requests, or complaints, please visit our Contact page. You also have the right to lodge a complaint with a supervisory authority, in particular in your Member State of residence, at any time.