Privacy Policy

ProvenanceOne is a UK-based cyber security company focused on securing agentic AI, MCP-connected systems, and enterprise data workflows. For the purposes of UK data protection law, ProvenanceOne is the data controller for the personal data covered by this Privacy Policy.

Privacy and data rights requests should be sent to [email protected].

ProvenanceOne does not currently publish separate data protection officer contact details. If that changes, this policy will be updated.

This policy applies to personal data collected through this website and through related marketing, contact, demo, and subscription interactions that link to or refer to this policy.

It does not apply to third-party websites, services, or platforms that we do not control, even where those services are linked from our website.

Depending on how you interact with us, we may collect:

• Contact and identity data, such as your name, work email address, company name, role, and business contact details.
• Enquiry and communications data, such as the contents of messages you send us, meeting requests, demo requirements, and correspondence history.
• Technical and usage data, such as IP address, browser type, device information, approximate location derived from IP, referring page, pages viewed, and timestamps.
• Marketing and preference data, such as subscription choices, consent records, and opt-out preferences.
• Security and fraud-prevention data, such as logs used to detect abuse, malicious traffic, or unauthorised access attempts.

In some cases we may also receive limited business contact information from publicly available sources, referral partners, event organisers, or third-party service providers where that is relevant to a business enquiry.

We may use personal data to:

• operate, secure, and improve this website and related services;
• respond to enquiries, schedule meetings, and provide demos;
• manage relationships with prospective customers, partners, and suppliers;
• send service, security, legal, or policy-related updates where relevant;
• send marketing communications where permitted by law, including under PECR where applicable;
• prevent fraud, investigate misuse, protect our systems, and enforce our legal rights; and
• comply with legal, regulatory, and governance obligations.

We rely on one or more lawful bases under the UK GDPR depending on the context:

• Legitimate interests: to run and secure our website, respond to business enquiries, improve our services, and maintain records of our commercial relationships, provided our interests are not overridden by your rights and freedoms.
• Steps prior to a contract or contract performance: where you ask us for information, a quote, a demo, or other pre-contract support.
• Legal obligation: where we need to retain or disclose information to comply with applicable laws, regulations, court orders, or statutory duties.
• Consent: where we rely on your consent, for example for certain marketing activities or optional technologies where consent is required.

We use limited technical and security-related technologies in connection with this site. More detail is set out in our Cookie Policy.

If we introduce optional analytics, advertising, personalisation, or embedded third-party technologies, we will update our Cookie Policy and on-site controls before doing so, where required by law.

We may share personal data with trusted third parties where necessary, including:

• hosting, infrastructure, and content delivery providers;
• website security, monitoring, anti-abuse, and IT support providers;
• CRM, email, marketing, and productivity service providers;
• professional advisers such as lawyers, auditors, and insurers;
• regulators, courts, law enforcement, or public authorities where required;
• a buyer, investor, or successor entity where there is a reorganisation, merger, financing, or sale of all or part of our business.

We do not sell personal data in the ordinary course of business.

Some of our service providers may process personal data outside the UK. Where that happens, we take steps to ensure appropriate safeguards are in place, such as an adequacy decision, the UK International Data Transfer Agreement, the UK Addendum to standard contractual clauses, or another lawful transfer mechanism.

We keep personal data only for as long as reasonably necessary for the purpose for which it was collected, including to satisfy legal, regulatory, accounting, security, and reporting requirements.

• Enquiry and demo records are generally retained for up to 24 months after our last meaningful interaction, unless a longer period is needed.
• Website security and technical logs are generally retained for up to 12 months, subject to operational and incident-response needs.
• Marketing suppression records may be kept for longer where needed to honour an unsubscribe or objection request.

We use technical and organisational measures designed to protect personal data against accidental loss, unauthorised access, misuse, alteration, or disclosure. No internet transmission or storage environment is completely secure, but we aim to apply controls proportionate to the sensitivity of the data and the risks involved.

Under UK data protection law, you may have the right to request access to your personal data, ask for correction, request erasure, restrict processing, object to processing, request portability, and withdraw consent where consent is the basis we rely on.

To exercise your rights, contact [email protected]. We may need to verify your identity before fulfilling a request.

If you have a concern about how we handle personal data, please contact us first at [email protected]. We will review and respond in line with our legal obligations.

You also have the right to complain to the Information Commissioner's Office (ICO). Details are available at ico.org.uk/make-a-complaint.

ProvenanceOne does not currently make solely automated decisions about individuals using personal data that produce legal or similarly significant effects in connection with this website.

This website is intended for business audiences and is not directed at children. We do not knowingly collect personal data from children through this website.

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. Where changes are material, we will update the date at the top of this page and take additional steps where appropriate.