Privacy Policy

Last updated: 10 July 2026

This Privacy Policy explains how Osiris Labs Ltd ("Osiris Labs", "Osiris", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with our website (osirislabs.ai) and our email security and risk-intelligence product, Osiris (the "Service").

We are committed to protecting your privacy and handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).


1. Who we are

Osiris Labs Ltd is a company registered in England and Wales (company number 16380456), trading as Osiris.

For the personal data described in this Policy relating to our website and our own business operations, Osiris Labs Ltd is the data controller. Where we process personal data contained within our customers' email environments as part of delivering the Service, we act as a data processor on behalf of our customer (see Section 4).

2. Scope of this Policy

This Policy applies to:

It also explains, at a high level, how personal data within a customer's email environment is handled when we deliver the Service. The detailed terms of that processing are governed by the Data Processing Agreement (DPA) entered into between Osiris Labs Ltd and the relevant customer.

3. Personal data we collect (as controller)

a. Information you provide to us. Name, business email address, telephone number, company name, job title, and the content of any messages you send us when you request a demo, contact us, or subscribe to marketing.

b. Account and administrator data. Where you administer or use the Service, we process account credentials, authentication tokens, user and organisation identifiers, role information, and configuration settings.

c. Technical and usage data. IP address, device and browser type, operating system, referring URLs, pages viewed, actions taken, and dates and times of access. Some of this is collected via cookies and similar technologies (see our Cookie Policy).

d. Communications and support data. Records of your correspondence with us, support tickets, and feedback.

e. Recruitment data. Information contained in applications, CVs, and correspondence with candidates.

We do not intentionally collect special category personal data through our website or marketing activities.

4. Email and customer data processed through the Service (as processor)

To deliver the Service, Osiris analyses inbound and outbound email within a customer's Microsoft 365 or Google Workspace environment to detect and respond to phishing, business email compromise, fraud, malware, and data-loss signals. This may involve processing personal data contained in email headers, metadata, message content, attachments, and associated authentication and reputation signals.

When we carry out this processing, we act only on the documented instructions of our customer, who is the controller of that data. Our obligations, security commitments, retention limits, sub-processor arrangements, and international-transfer safeguards for this data are set out in the DPA between us and the customer. We do not use customer email content to train shared or third-party models, and we do not sell customer data.

Individuals whose personal data is processed through a customer's use of the Service should direct privacy requests to that customer (their employer or the organisation operating the Service). We will assist our customers in responding to such requests as required by the DPA and applicable law.

5. How we use personal data and our lawful bases

We rely on the following lawful bases under Article 6 of the UK GDPR:

PurposeLawful basis
Providing, maintaining, and securing the Service and our websitePerformance of a contract; legitimate interests
Creating and managing accounts and authenticationPerformance of a contract
Responding to enquiries, demo requests, and supportPerformance of a contract; legitimate interests
Sending marketing communications to business contactsConsent, or legitimate interests where permitted by PECR
Improving and developing our products and websiteLegitimate interests
Ensuring security, preventing fraud and abuseLegitimate interests; legal obligation
Complying with legal and regulatory obligationsLegal obligation
Managing recruitmentLegitimate interests; consent; steps prior to entering a contract

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You can ask us for more information about this assessment.

6. Marketing

We may send you information about our products and services where you have consented or where we are otherwise permitted to do so under PECR (for example, to existing business contacts about similar products). You can opt out at any time by using the unsubscribe link in any marketing email or by contacting us at contact@osirislabs.ai. Opting out of marketing does not affect service-related communications.

7. Cookies and similar technologies

We use cookies and similar technologies on our website. For details of the cookies we use, their purposes, and how to control them, please see our Cookie Policy.

8. Who we share personal data with

We share personal data with:

A current list of the sub-processors used to deliver the Service is available to customers on request and is maintained in accordance with our DPA.

We do not sell personal data.

9. International transfers

We are based in the United Kingdom. Some of our service providers may process personal data outside the UK. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place, such as an adequacy decision by the UK government, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures required. You can contact us for more information about the safeguards we use.

10. How long we keep personal data

We retain personal data only for as long as necessary for the purposes described in this Policy, including to satisfy legal, accounting, or reporting requirements. Retention periods vary by data type — for example:

Personal data processed within a customer's email environment as part of the Service is retained in accordance with the retention terms agreed in the DPA and is deleted or returned on termination as set out there.

11. How we protect personal data

We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These include encryption in transit and at rest, access controls, least-privilege principles, logging and monitoring, tenant isolation, secure software-development practices, and regular review of our security posture. No system can be guaranteed to be completely secure, but we work continuously to protect the data entrusted to us.

12. Your rights

Subject to certain conditions and exemptions, you have the following rights under the UK GDPR:

To exercise any of these rights, contact us at contact@osirislabs.ai. We will respond within the timeframes required by law. If your personal data is processed through a customer's use of the Service, please contact that customer directly; we will support them as required.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk. We would appreciate the opportunity to address your concerns before you approach the ICO, so please consider contacting us first.

13. Children

Our website and the Service are intended for business use and are not directed at children under 16. We do not knowingly collect personal data from children.

14. Third-party links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites, and we encourage you to review their privacy policies.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version on this page and revise the "Last updated" date above. Where changes are material, we will take reasonable steps to notify you.

16. Contact us

If you have any questions about this Policy or how we handle personal data, contact us at:

Osiris Labs Ltd 86–90 Paul Street, London, England, EC2A 4NE contact@osirislabs.ai