Privacy Policy
Effective date: 10 March 2026 · Approved by: Ben Todd, 10 March 2026
1. Who we are
Arcola AI Limited ("we", "us", "our") operates the AI incident monitoring platform at platform.arcolaai.com.
| | |
|---|---|
| Company | Arcola AI Limited |
| Company number | 16964635 (England & Wales) |
| Registered address | Fleur Cottage, Owletts Farm, Ashurstwood, East Grinstead, RH19 3SL, United Kingdom |
| Directors | Ben Todd, Simon Mylius |
| Data Protection Lead | Ben Todd |
| Contact | data@arcolaai.com |
| ICO registration | (pending) |
2. What our platform does
We provide an AI-powered monitoring platform for AI safety. The platform:
- Ingests publicly available information about AI incidents from news articles, regulatory notices, academic papers, court judgments, and social media
- Uses large language model (LLM) classification to identify, categorise, and assess AI incidents
- Provides a dashboard and API for organisations to monitor AI incidents relevant to their domain
We monitor incidents, not individuals. The platform indexes by incident, not by person - we do not build profiles or dossiers on individuals.
3. Personal data we collect
From dashboard users (our customers)
| Data | Source | Purpose |
|---|---|---|
| Name, email, organisation | Account registration | Providing the service |
| API keys | Self-generated | Programmatic access |
| Email address | Transactional email system | Authentication and notifications |
From incident data sources (individuals mentioned in public reports)
| Data | Source | Purpose |
|---|---|---|
| Names, job titles, organisational affiliations | News articles, regulatory notices, academic papers, court judgments | AI incident classification |
| Public statements | Published articles, press releases | Incident context |
| Social media handles | Bluesky (public posts) | Social media incident monitoring |
We do not target special category data (health, ethnicity, political opinions, religious beliefs, etc.).
4. How we protect personal data - pseudonymisation
Before any personal data from incident reports is processed by our AI systems, we apply pseudonymisation:
- What this means: All personally identifying information (names, emails, identifiers) is replaced with randomly generated tokens before it reaches our LLM processors
- Separate lookup table: A mapping between tokens and original data is stored in a separate, access-controlled database table that is never shared with LLM processors
- LLMs never see real PII: Our AI classification and enrichment pipeline only ever processes pseudonymised data. The LLM processors receive tokens, not real names or identifiers
- Why this matters: Even if a processor retained data from our requests, that data would contain no real personal information - only meaningless tokens
- Reconstruction when needed: We can reconstruct the link between tokens and real identities when required for legitimate purposes, such as responding to your data subject access request or executing your right to be forgotten
Access to the lookup table is strictly limited to the Data Protection Lead and Technical Lead, and is logged in our audit trail.
5. Lawful basis for processing
| Processing activity | Lawful basis | Detail |
|---|---|---|
| Dashboard user accounts | Article 6(1)(b) - contractual necessity | Required to provide the service you signed up for |
| Incident data (public figures) | Article 6(1)(f) - legitimate interests | AI safety monitoring of publicly available information |
| Employee/financial data | Article 6(1)(b) + 6(1)(c) | Contractual necessity and legal obligation (HMRC) |
For our legitimate interests processing, we have completed a full Legitimate Interest Assessment which concluded that our interests in AI safety monitoring are not overridden by the rights of the individuals mentioned in public reports. Key factors: data is already public, we add classification value without revealing private information, and we index by incident not by person.
6. Who we share data with
To provide our service we use categories of processors including:
- EU-hosted cloud infrastructure (hosting, storage, database)
- EU-hosted LLM inference providers for incident classification (pseudonymised data only)
- Authentication and identity management
- Transactional email
- Error tracking, logging, and observability
All processors are located within the EU. LLM processors receive only pseudonymised data - see Section 4 for how our pseudonymisation works.
A complete, current sub-processor list - including processor names, locations, and categories of data handled - is available to customers under our Data Processing Agreement. Contact data@arcolaai.com to request it.
We do not sell personal data to anyone.
7. International transfers
All of our processing takes place within the EU (Germany, France). We do not transfer personal data outside the EU.
All LLM inference runs in Frankfurt, Germany: our primary gateway (Requesty) is configured for EU-only processing with zero data retention, and our failover (Amazon Bedrock) is pinned to eu-central-1. Both receive pseudonymised data only.
EU Standard Contractual Clauses are available where applicable.
8. How long we keep data
| Data category | Retention period | Reason |
|---|---|---|
| Classified incident data | Indefinite | Core product and research asset; pseudonymised |
| LLM processing logs | 365 days | Debugging, quality assurance, and audit trail |
| Customer account data | Duration of relationship + 2 years | Service provision and follow-up |
| Pseudonymisation lookup table | As long as linked incident exists | Required for data access and erasure requests |
| Financial records | 6 years from financial year end | HMRC requirement |
Articles that are assessed and rejected during triage (not classified as AI incidents) are not stored in our database. Only summary analytics counters are retained for 48 hours.
When a Right to be Forgotten request is executed, the pseudonymisation lookup table entries for that individual are permanently deleted, making re-identification impossible.
9. Your rights
Under UK GDPR, you have the following rights:
| Right | What it means | How we handle it |
|---|---|---|
| Access (Article 15) | See what data we hold about you | We search our records using the pseudonymisation lookup and provide a report |
| Rectification (Article 16) | Correct inaccurate data | We update the record and the lookup table |
| Erasure (Article 17) | Have your data deleted | We execute our RTBF process: hard-delete from lookup table, tombstone audit records, delete tokens from incident records |
| Restrict processing (Article 18) | Stop us processing your data while a concern is resolved | We flag your records as restricted |
| Data portability (Article 20) | Receive your data in a structured format | We provide a JSON or CSV export |
| Object (Article 21) | Object to processing based on legitimate interests | We assess your objection against our Legitimate Interest Assessment |
| Complain | Lodge a complaint with the ICO | ico.org.uk |
Contact for all rights requests: data@arcolaai.com
We will respond within 30 days. If a request is complex, we may extend to 90 days with notice.
Erasure limitation: When we delete your data from our systems, any pseudonymised data that may have been retained by our LLM processors contains only random tokens - with the lookup table deleted, it is impossible for anyone (including us) to connect those tokens back to you.
10. Cookies
We use only strictly necessary cookies required for the platform to function:
| Cookie | Type | Purpose |
|---|---|---|
| Session cookie | Functional (session) | Authentication - keeps you logged in |
| CSRF token | Functional (security) | Prevents cross-site request forgery |
We do not use:
- Advertising cookies
- Third-party tracking pixels
- Cross-site tracking
- Analytics cookies
11. Children
Our platform is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us immediately at data@arcolaai.com.
12. Changes to this policy
We may update this policy from time to time. When we make material changes:
- We will update the effective date at the top of this page
- We will notify registered dashboard users by email
- Previous versions are retained in our document control system
13. What we will never do
- Build profiles or dossiers on individuals - our platform indexes incidents, not people
- Sell personal data to third parties
- Send real PII to LLM processors - pseudonymisation is always applied first
- Use personal data for marketing without your explicit consent
- Process special category data (health, ethnicity, political opinions, etc.)
- Index incidents by individual - there is no person-search feature