Arcamus
Privacy Notice

Last updated 7 May 2026

Arcamus Enterprise Limited ("Arcamus", "we", "us", or "our") is committed to protecting personal data. This Privacy Notice explains how we collect, use, share, and protect personal data, and sets out your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

We act as a data controller for most of the processing described in this notice. Where we process personal data on behalf of our business customers, for example data they upload to the Arcamus Platform, we act as a processor and the Data Processing Addendum at arcamus.com/dpa governs that processing.

Who This Notice Applies To

This notice is written for several different groups of people because we process personal data in different ways for different audiences.

Please read the section that applies to you:

  • Part A: Website visitors and people contacting us by website, email, or phone.
  • Part B: Arcamus Platform users who are authorised users of a business customer.
  • Part C: Individuals whose personal data appears in the Arcamus Platform, such as public sector officials, company directors, or senior executives named in public sources.
  • Part D: Prospects, marketing recipients, and business contacts.
  • Part E: Job applicants.
  • Parts F to J apply across all groups and cover cookies and tracking, international transfers, security, your rights, and contact and complaints.

Who We Are

Arcamus Enterprise Limited

Registered office: 14 Bank Chambers, 25 Jermyn Street, London SW1Y 6HR, United Kingdom

Company number: 16824786 (England and Wales)

ICO registration: ZC108382

We have not appointed a statutory Data Protection Officer because we are not required to do so under Article 37 UK GDPR. Our privacy contact is responsible for data protection matters and is the first point of contact for any query.

Privacy contact:

Part A: Website Visitors And Enquirers

This section applies if you visit our website, including arcamus.com and its subdomains, or contact us by email, phone, or through a form.

A.1 What personal data we collect. Information you provide to us:

  • Identity and contact data, such as your name, job title, organisation, business email address, and telephone number.
  • Content of your communications, including anything you include in a message, email, form submission, or call.
  • Demonstration or trial request data, including additional information you provide when requesting a demo, trial, or quote.

Information collected automatically:

  • Device and technical data, such as IP address, browser type and version, operating system, device type, screen resolution, and language preference.
  • Usage data, such as pages visited, time and duration of visits, click paths, referring website, and interactions with forms and content.
  • Cookie and similar technology data, as described in Part F.

A.2 How we use it and our lawful basis:

Purpose | Lawful basis (UK GDPR Article 6)
Responding to your enquiry or support request | Legitimate interests - to operate our business and assist people who contact us.
Providing a demonstration, trial, or proposal | Steps taken at your request prior to entering into a contract; legitimate interests.
Operating, securing, and improving our website | Legitimate interests - to maintain and improve our website and prevent abuse.
Sending you marketing about Arcamus where you have opted in or are a relevant business contact | Legitimate interests; consent where required under the Privacy and Electronic Communications Regulations (PECR).
Complying with legal and regulatory obligations | Legal obligation.

A.3 Where we rely on legitimate interests, we have carried out a balancing exercise between our interests and your rights and freedoms. Our legitimate interests are to operate, secure, promote, and develop our business. We believe this processing is necessary, proportionate, and within your reasonable expectations when you engage with a B2B service provider. You have the right to object at any time.

A.4 Who we share it with:

  • Hosting and infrastructure providers.
  • Analytics and marketing technology providers.
  • CRM and email providers.
  • Professional advisers such as lawyers, accountants, and auditors.
  • Law enforcement, regulators, or other authorities where required by law.

A current list of categories of recipients and the specific providers we use is available on request from legal@arcamus.com.

A.5 How long we keep it:

Data | Retention period
Website enquiry records where no business relationship develops | Up to 24 months from last contact.
Enquiry records that lead to a contract | Duration of the relationship plus 6 years (to meet commercial or tax record retention).
Website log and analytics data | Up to 26 months, unless aggregated and anonymised.
Marketing suppression lists used to honour opt-outs | Retained indefinitely so we do not re-contact you.

Part B: Platform Users

This section applies if you are an authorised user of the Arcamus Platform accessing it on behalf of a business customer.

Your employer or other business customer is the data controller for most of the personal data you enter into, or generate within, the Platform. We act as a processor on their behalf under a Data Processing Addendum available at arcamus.com/dpa. For questions about how your employer uses your data, please contact your employer's data protection contact. However, we also process certain data about you as an independent controller, for example account administration data and platform telemetry, and this section covers that processing.

B.1 What personal data we collect:

  • Account data, such as name, business email address, job title, organisation, hashed authentication credentials, and multi-factor authentication factors.
  • Access and authentication logs, such as login times, IP addresses, device information, and session identifiers.
  • Platform usage telemetry, such as pages and features used, searches performed, items viewed, exports generated, actions taken, and time spent.
  • Support communications.
  • Information you provide voluntarily, such as user feedback.

B.2 How we use it and our lawful basis:

Purpose | Lawful basis
Authenticating you and providing access to the Platform | Performance of a contract with your employer and legitimate interests.
Detecting and preventing misuse, credential sharing, scraping, or security incidents | Legitimate interests - to protect our service and our customers.
Operating, securing, improving, and developing the Platform | Legitimate interests.
Providing technical support | Performance of a contract with your employer and legitimate interests.
Generating aggregated and anonymised analytics about Platform usage, called Derived Data | Legitimate interests - to understand how the Platform is used and to improve it. We aggregate and anonymise this data so it does not identify individuals.
Complying with legal, regulatory, or audit obligations | Legal obligation and legitimate interests.

B.3 Who we share it with:

  • Sub-processors used for hosting, email, support, and similar technology services. A current list is maintained at arcamus.com/subprocessors.
  • Your employer, which has administrative visibility over account data, usage logs, and activities carried out under its subscription.
  • Law enforcement, regulators, or other authorities where required by law.

B.4 How long we keep it:

Data | Retention period
Account data | For the duration of your account plus 12 months after deactivation, longer where required by law.
Access and authentication logs | Up to 12 months, longer where required for investigation of a security incident.
Platform usage telemetry that remains identifiable | Up to 12 months.
Aggregated and anonymised analytics, or Derived Data | Retained indefinitely because it no longer identifies individuals.
Support communications | Duration of the customer relationship plus 6 years.

Part C: Individuals Whose Personal Data Appears In The Arcamus Platform

This section applies if your personal data appears in the Arcamus Platform because you are, for example, a public sector official named in a tender notice, contract award notice, or other procurement document, a director, secretary, or person with significant control of a UK company, or a senior executive, board member, or other individual whose role is recorded in publicly available corporate, procurement, or commercial information sources.

We collect this data from publicly available sources rather than directly from you. Under Article 14 UK GDPR, we are required to tell you how we use that data. If you would prefer we did not process your personal data in this way, please see your rights in Part I, including the right to object.

C.1 What personal data we process:

  • Your name.
  • Your professional role or job title.
  • The organisation you work for or are associated with, including as a director, officer, or person with significant control.
  • Business contact details where they have been published, for example a procurement contact email or telephone number.
  • Information about your professional activities, for example tenders you have run, contracts you have awarded, companies you are a director of, and board appointments.
  • Data we derive by linking and enriching the above, for example linking a procurement contact to their employing authority or mapping an individual's role history.

We do not knowingly collect or process special category personal data, such as health, religion, or political opinion, through the Platform. We do not process data about members of the public or private individuals except where they are acting in a professional or commercial capacity that is on the public record.

C.2 Where we get it from. Our sources include, but are not limited to:

  • The UK Find a Tender service (https://www.find-tender.service.gov.uk).
  • Contracts Finder (https://www.gov.uk/contracts-finder).
  • Companies House (https://www.gov.uk/government/organisations/companies-house).
  • NHS and other UK public sector open data publications.
  • Local authority transparency publications, such as over-£25k spend data.
  • Government and public body websites.
  • Other publicly available commercial and organisational data sources.

Data from UK public sector sources is made available under the Open Government Licence v3.0 or similar open licences.

C.3 How we use it and our lawful basis:

  • Aggregate, structure, clean, link, and enrich information about UK public sector procurement and the organisations and individuals involved in it.
  • Provide market intelligence, analytics, search, benchmarking, and reporting services to business customers through the Platform.
  • Support legitimate business activities of customers, including competitive analysis, market research, bid preparation, and business development.
  • Improve data quality, accuracy, and coverage.

Our lawful basis for this processing is legitimate interests under UK GDPR Article 6(1)(f).

C.4 Our legitimate interests assessment:

  • Purpose: to provide a market intelligence service that supports the legitimate commercial activities of businesses engaging with the UK public sector, and that in turn supports transparency, competition, and efficiency in public procurement.
  • Necessity: processing personal data relating to individuals' professional roles is necessary to provide the service. There is no less intrusive means of enabling customers to understand, for example, which procurement officers at which authorities are running which tenders, or which companies are led by which directors. Anonymisation would remove the value of the service.
  • Balancing: the data relates to professional activities, not private life; it is already publicly available, typically because the law requires its publication or because you or your organisation has chosen to publish it; the processing is within the reasonable expectations of individuals in public-facing professional roles; we do not use the data to make decisions about you personally, profile you in ways that affect you, or target you with advertising; we provide the data to business customers for business use, not to the general public; and we apply safeguards including security measures, access controls, retention limits, and the rights framework described in Part I.

If you would like to see the full legitimate interests assessment, please contact support@arcamus.com.

C.5 We do not make decisions about you based solely on automated processing that have legal or similarly significant effects on you. We use algorithms and analytics to structure, link, enrich, and analyse data, and to produce outputs such as market maps, trend analyses, and rankings. These outputs are provided to business customers as decision-support information, and where we score or rank organisations those scores and rankings relate to organisations, not to individuals personally.

C.6 Who we share it with:

  • Business customers through their access to the Platform, subject to our End User Licence Agreement and its re-use restrictions.
  • Sub-processors used for hosting, infrastructure, and technical services.
  • Professional advisers and auditors where relevant.
  • Law enforcement, regulators, or other authorities where required by law.

C.7 We retain personal data in the Platform for as long as it remains relevant to the service. For public sector procurement data, this typically reflects the published retention of the source. For Companies House and similar registers, we reflect the current state of the register and historical data up to a maximum of 10 years. We periodically review and refresh our data to remove outdated entries. Where you exercise a right to object or erasure, we will remove your personal data from active processing as described in Part I.

C.8 Your rights in relation to this processing. To exercise any right, including the right to object, contact:

Part D: Prospects, Marketing Recipients, And Business Contacts

This section applies if you are a business contact or prospect we engage with for sales, marketing, or partnership purposes.

D.1 What personal data we collect:

  • Business contact data, such as name, job title, organisation, business email address, telephone number, LinkedIn profile, or other professional profile information.
  • Source data showing where we obtained your information, such as a register, introduction, conference, or your employer's website.
  • Engagement data, such as whether you opened or clicked emails, attended events, or responded to outreach.
  • Communication history, including records of conversations, meetings, and correspondence.

D.2 How we use it and our lawful basis:

Purpose | Lawful basis
B2B marketing to corporate email addresses of individuals in relevant roles | Legitimate interests (B2B) and soft opt-in under PECR where applicable. You can opt out at any time.
B2B marketing to non-corporate addresses or where required | Consent.
CRM administration, opportunity tracking, and relationship management | Legitimate interests.
Event invitations and attendance management | Legitimate interests, and consent for dietary or accessibility data.
Partner management and introductions | Legitimate interests.

D.3 You can opt out of marketing at any time by clicking the unsubscribe link in any marketing email or by emailing support@arcamus.com. Opting out of marketing does not affect other processing, such as responding to a direct enquiry from you.

D.4 How long we keep it:

Data | Retention period
Active prospect and contact records | While the contact remains relevant to our business, reviewed at least every 24 months.
Dormant records with no engagement | Deleted after 24 months of no engagement.
Opt-out or suppression records | Retained indefinitely to honour your opt-out.

Part E: Job Applicants

E.1 What we collect:

  • Identity and contact data.
  • CV, cover letter, employment history, qualifications, and references.
  • Interview notes and assessment results.
  • Right-to-work documentation where you are invited to interview.
  • Equal opportunities data where voluntarily provided and processed separately on an anonymised basis.

E.2 Lawful basis:

  • Steps taken at your request before entering into a contract, for example processing your application.
  • Legitimate interests, such as managing recruitment and considering future opportunities.
  • Legal obligation, such as right-to-work and equality monitoring.
  • Consent, where you ask us to retain your details for future opportunities.

E.3 Data about unsuccessful applicants is retained for 12 months after the recruitment decision unless you consent to longer retention for future opportunities. Data about successful applicants is retained as part of the employee record under the employee privacy notice.

Part F: Cookies And Similar Technologies

Cookies are small text files placed on your device when you visit a website. Similar technologies include pixels, local storage, and SDKs. We use these technologies on our website and in our Platform.

F.1 When you first visit our website, we present a cookie banner that lets you accept or reject non-essential cookies or customise your choices. You can change your preferences at any time via the cookie preferences link in the website footer. You can also control cookies through your browser settings, although disabling essential cookies will affect how our website and Platform function.

F.2 Categories of cookies we use:

  • Strictly necessary cookies required for the website or Platform to function, such as authenticating you, remembering your session, and enforcing security. These cannot be switched off in our systems and do not require consent under PECR.
  • Analytics and performance cookies that help us understand how visitors and users interact with our website and Platform so we can improve them. These are set only with your consent where non-essential.
  • Functionality cookies that remember your preferences, such as language or display settings, to personalise your experience. These are set only with your consent where non-essential.
  • Marketing cookies may be used by our online data partners or vendors to associate website activity with other personal information they or others have about you, including by association with your email. We or service providers on our behalf may then send communications and marketing to those email addresses. You can opt out of the collection of your personal data in compliance with GDPR by visiting https://www.rb2b.com/rb2b-gdpr-opt-out.

F.3 Cookie table:

Cookie name | Provider | Purpose | Duration | Category
[e.g., arcamus_session] | Arcamus | Authenticates your session | Session | Strictly necessary
[e.g., _ga] | Google Analytics | Analytics | 2 years | Analytics
[e.g., cookie_consent] | Arcamus | Records your cookie preferences | 12 months | Strictly necessary

Part G: International Transfers

Arcamus is based in the UK and hosts the Platform primarily in the UK and/or EEA. Some sub-processors may be located outside the UK, including in the United States. Where this involves a restricted transfer under UK GDPR, we put in place appropriate safeguards.

Those safeguards may include:

  • Transfers to countries benefiting from UK adequacy regulations, such as EEA countries.
  • The UK International Data Transfer Agreement.
  • The EU Standard Contractual Clauses as supplemented by the UK Addendum.
  • Any other lawful transfer mechanism recognised under UK GDPR.

We conduct transfer risk assessments where appropriate to consider any additional safeguards needed. You can request a summary of our transfer arrangements by emailing support@arcamus.com.

Part H: How We Keep Personal Data Secure

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, loss, destruction, or damage.

These measures include:

  • Encryption in transit and at rest.
  • Access controls and multi-factor authentication.
  • Network and infrastructure security.
  • Secure development practices.
  • Monitoring and logging.
  • Incident response procedures.
  • Business continuity arrangements.
  • Due diligence on sub-processors.
  • Training for our personnel.

A fuller description of our technical and organisational measures is available in the Data Processing Addendum (Annex 2) at arcamus.com/dpa. No system can guarantee absolute security, and we encourage you to use strong passwords and keep your credentials safe.

Part I: Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights. Some rights apply only in certain circumstances.

Right | What it means
Right to be informed | To be told how we use your personal data (this notice does that).
Right of access | To obtain a copy of the personal data we hold about you.
Right to rectification | To have inaccurate or incomplete personal data corrected.
Right to erasure | To have your personal data deleted in certain circumstances, sometimes called the "right to be forgotten".
Right to restrict processing | To limit how we use your personal data in certain circumstances.
Right to data portability | To receive your personal data in a structured, machine-readable format and to have it transferred to another controller where technically feasible and the processing is based on consent or contract.
Right to object | To object to processing based on legitimate interests, including the processing described in Part C. We will stop unless we can show compelling legitimate grounds or the data is needed for legal claims.
Right to object to direct marketing | An absolute right to object to direct marketing at any time.
Rights relating to automated decision-making | Not to be subject to decisions based solely on automated processing that have legal or similarly significant effects. See Part C.5 for our position.
Right to withdraw consent | Where we rely on consent, you can withdraw it at any time (this does not affect processing before withdrawal).

I.1 To exercise your rights, email support@arcamus.com with enough information for us to locate your data, such as your name, any organisations you are associated with, and the nature of your request. We may ask you to verify your identity before responding. We will respond within one month, with a possible extension of up to two further months for complex or numerous requests. Responses are generally free of charge, although we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

I.2 If you object to the processing of your personal data in the Arcamus Platform under Part C, we will review the objection against our legitimate interests assessment. Where we uphold the objection, we will remove your personal data from active processing in the Platform. We may retain a minimal suppression record, such as your name, organisation, and the fact of the objection, so we do not reintroduce your data from source feeds. Where we do not uphold the objection, we will explain our reasoning and inform you of your right to complain to the ICO.

Part J: Contact Us And Complaints

For any privacy query, including to exercise a right, contact:

We hope to resolve any concern directly. If you remain dissatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office.

Information Commissioner's Office website:

ICO helpline: 0303 123 1113

ICO post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

If you are based in the EEA, you may also be able to complain to your local data protection authority.

Changes To This Notice

We may update this notice from time to time to reflect changes in our processing, legal developments, or feedback. We will post the updated version on our website with a revised last updated date. If changes are material, we will take reasonable steps to notify you, for example by email to registered users or by prominent notice on our website. Continued use of our website or Platform after the effective date of an update constitutes acknowledgement of the updated notice.