Privacy Policy
Last updated: 10 July 2026
This Privacy Policy explains how Osiris Labs Ltd ("Osiris Labs", "Osiris", "we", "us", or "our") collects, uses, shares, and protects personal data in connection with our website (osirislabs.ai) and our email security and risk-intelligence product, Osiris (the "Service").
We are committed to protecting your privacy and handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who we are
Osiris Labs Ltd is a company registered in England and Wales (company number 16380456), trading as Osiris.
- Registered office: 86–90 Paul Street, London, England, EC2A 4NE
- Contact for privacy matters: contact@osirislabs.ai
For the personal data described in this Policy relating to our website and our own business operations, Osiris Labs Ltd is the data controller. Where we process personal data contained within our customers' email environments as part of delivering the Service, we act as a data processor on behalf of our customer (see Section 4).
2. Scope of this Policy
This Policy applies to:
- Visitors to our website;
- Prospective customers who contact us, request a demo, or subscribe to communications;
- Individuals at our customers and partners who administer or use the Service;
- Job applicants.
It also explains, at a high level, how personal data within a customer's email environment is handled when we deliver the Service. The detailed terms of that processing are governed by the Data Processing Agreement (DPA) entered into between Osiris Labs Ltd and the relevant customer.
3. Personal data we collect (as controller)
a. Information you provide to us. Name, business email address, telephone number, company name, job title, and the content of any messages you send us when you request a demo, contact us, or subscribe to marketing.
b. Account and administrator data. Where you administer or use the Service, we process account credentials, authentication tokens, user and organisation identifiers, role information, and configuration settings.
c. Technical and usage data. IP address, device and browser type, operating system, referring URLs, pages viewed, actions taken, and dates and times of access. Some of this is collected via cookies and similar technologies (see our Cookie Policy).
d. Communications and support data. Records of your correspondence with us, support tickets, and feedback.
e. Recruitment data. Information contained in applications, CVs, and correspondence with candidates.
We do not intentionally collect special category personal data through our website or marketing activities.
4. Email and customer data processed through the Service (as processor)
To deliver the Service, Osiris analyses inbound and outbound email within a customer's Microsoft 365 or Google Workspace environment to detect and respond to phishing, business email compromise, fraud, malware, and data-loss signals. This may involve processing personal data contained in email headers, metadata, message content, attachments, and associated authentication and reputation signals.
When we carry out this processing, we act only on the documented instructions of our customer, who is the controller of that data. Our obligations, security commitments, retention limits, sub-processor arrangements, and international-transfer safeguards for this data are set out in the DPA between us and the customer. We do not use customer email content to train shared or third-party models, and we do not sell customer data.
Individuals whose personal data is processed through a customer's use of the Service should direct privacy requests to that customer (their employer or the organisation operating the Service). We will assist our customers in responding to such requests as required by the DPA and applicable law.
5. How we use personal data and our lawful bases
We rely on the following lawful bases under Article 6 of the UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing, maintaining, and securing the Service and our website | Performance of a contract; legitimate interests |
| Creating and managing accounts and authentication | Performance of a contract |
| Responding to enquiries, demo requests, and support | Performance of a contract; legitimate interests |
| Sending marketing communications to business contacts | Consent, or legitimate interests where permitted by PECR |
| Improving and developing our products and website | Legitimate interests |
| Ensuring security, preventing fraud and abuse | Legitimate interests; legal obligation |
| Complying with legal and regulatory obligations | Legal obligation |
| Managing recruitment | Legitimate interests; consent; steps prior to entering a contract |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You can ask us for more information about this assessment.
6. Marketing
We may send you information about our products and services where you have consented or where we are otherwise permitted to do so under PECR (for example, to existing business contacts about similar products). You can opt out at any time by using the unsubscribe link in any marketing email or by contacting us at contact@osirislabs.ai. Opting out of marketing does not affect service-related communications.
7. Cookies and similar technologies
We use cookies and similar technologies on our website. For details of the cookies we use, their purposes, and how to control them, please see our Cookie Policy.
8. Who we share personal data with
We share personal data with:
- Service providers and sub-processors who help us operate our business and deliver the Service, including cloud hosting, infrastructure, analytics, email delivery, threat-intelligence, and customer-support providers. These providers are bound by contractual obligations to protect personal data and to process it only on our instructions.
- Microsoft and Google, to the extent necessary to connect to and analyse a customer's email environment via their APIs.
- Professional advisers, such as lawyers, auditors, and accountants.
- Authorities and regulators, where required by law or to protect our rights, users, or the public.
- Acquirers or successors, in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
A current list of the sub-processors used to deliver the Service is available to customers on request and is maintained in accordance with our DPA.
We do not sell personal data.
9. International transfers
We are based in the United Kingdom. Some of our service providers may process personal data outside the UK. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place, such as an adequacy decision by the UK government, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures required. You can contact us for more information about the safeguards we use.
10. How long we keep personal data
We retain personal data only for as long as necessary for the purposes described in this Policy, including to satisfy legal, accounting, or reporting requirements. Retention periods vary by data type — for example:
- Enquiry and marketing data: until you opt out or after a period of inactivity;
- Account and configuration data: for the duration of the customer relationship and a reasonable period afterwards;
- Support records: for a limited period after resolution;
- Recruitment data: for a limited period after a recruitment decision unless we agree otherwise with you.
Personal data processed within a customer's email environment as part of the Service is retained in accordance with the retention terms agreed in the DPA and is deleted or returned on termination as set out there.
11. How we protect personal data
We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These include encryption in transit and at rest, access controls, least-privilege principles, logging and monitoring, tenant isolation, secure software-development practices, and regular review of our security posture. No system can be guaranteed to be completely secure, but we work continuously to protect the data entrusted to us.
12. Your rights
Subject to certain conditions and exemptions, you have the following rights under the UK GDPR:
- Access — to obtain a copy of the personal data we hold about you;
- Rectification — to have inaccurate or incomplete data corrected;
- Erasure — to have your data deleted in certain circumstances;
- Restriction — to restrict our processing in certain circumstances;
- Portability — to receive certain data in a portable format;
- Objection — to object to processing based on legitimate interests, and to direct marketing at any time;
- Withdrawal of consent — where we rely on consent, to withdraw it at any time.
To exercise any of these rights, contact us at contact@osirislabs.ai. We will respond within the timeframes required by law. If your personal data is processed through a customer's use of the Service, please contact that customer directly; we will support them as required.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk. We would appreciate the opportunity to address your concerns before you approach the ICO, so please consider contacting us first.
13. Children
Our website and the Service are intended for business use and are not directed at children under 16. We do not knowingly collect personal data from children.
14. Third-party links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites, and we encourage you to review their privacy policies.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated version on this page and revise the "Last updated" date above. Where changes are material, we will take reasonable steps to notify you.
16. Contact us
If you have any questions about this Policy or how we handle personal data, contact us at:
Osiris Labs Ltd 86–90 Paul Street, London, England, EC2A 4NE contact@osirislabs.ai