Privacy Policy
Effective date: March 14, 2026 · Last updated: March 14, 2026
1. Introduction
This Privacy Policy explains how Lambda Cognition Ltd ("we", "us", or "our") collects, uses, stores, and protects personal data when you use DoraLytics, our DORA (Digital Operational Resilience Act) compliance SaaS dashboard, and when you visit our website at doralytics.com (collectively, the "Service").
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), and other applicable data protection laws.
By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
Lambda Cognition Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Email: support@doralytics.org
For compliance data that our customers upload to DoraLytics, we act as a data processor on behalf of our customers, who remain the data controllers for that data.
3. Data We Collect
3.1 Account Data
When you register for DoraLytics, we collect:
- Full name
- Email address
- Job title / role
- Company name and size
- Password (stored hashed and salted; we never store passwords in plaintext)
3.2 Usage Data
We automatically collect certain information when you use the Service:
- IP address
- Browser type and version
- Operating system
- Pages visited and features used within the dashboard
- Timestamps and session duration
- Referring URLs
3.3 Compliance Data
Our customers may upload data to DoraLytics for DORA compliance management, including ICT risk assessments, incident reports, third-party provider registers, resilience testing results, and governance documents. We process this data solely on behalf of and under the instructions of our customers in our capacity as a data processor. This data is governed by our Data Processing Agreement (DPA).
3.4 Communication Data
When you contact us via email or support channels, we collect the content of your communications, your email address, and any attachments you provide.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined in GDPR Article 6(1):
| Legal Basis | Purpose |
|---|---|
| Contract performance (Art. 6(1)(b)) | To provide the DoraLytics Service, manage your account, and fulfil our contractual obligations to you. |
| Legitimate interests (Art. 6(1)(f)) | To improve our Service, ensure security, prevent fraud, and conduct analytics. Our legitimate interests do not override your fundamental rights and freedoms. |
| Consent (Art. 6(1)(a)) | For optional analytics cookies and marketing communications. You may withdraw consent at any time. |
| Legal obligation (Art. 6(1)(c)) | To comply with applicable laws, regulations, or lawful requests from authorities. |
5. How We Use Your Data
- Service delivery - To operate, maintain, and provide the features and functionality of DoraLytics.
- Account management - To create and manage your account, authenticate your identity, and provide customer support.
- Communications - To send you service-related notices, security alerts, and (with your consent) product updates and newsletters.
- Analytics and improvement - To understand how the Service is used and to improve its functionality, performance, and user experience.
- Security - To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity and to protect the rights and safety of our users.
- Legal compliance - To comply with applicable laws, legal processes, or enforceable governmental requests.
6. Data Sharing
We do not sell, rent, or trade your personal data to third parties. We share your data only in the following circumstances:
6.1 Sub-processors
We use the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting and infrastructure | Helsinki, Finland (EU) |
| Cloudflare, Inc. | CDN, DNS, and DDoS protection | Global edge network (US-headquartered; transfers outside the EU/EEA are covered by the safeguards in Section 7) |
| Stripe, Inc. | Payment processing (future) | EU/US (with SCCs) |
Each sub-processor is bound by data processing agreements that ensure an adequate level of data protection consistent with this Privacy Policy and applicable law.
6.2 Legal Disclosure
We may disclose your data if required to do so by law, in response to valid legal process, or to protect the rights, property, or safety of Lambda Cognition Ltd, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your data.
7. International Data Transfers
All primary data processing takes place within the European Union / European Economic Area. Our servers are hosted by Hetzner in Helsinki, Finland.
Where data transfers outside the EU/EEA are necessary (for example, to Cloudflare edge nodes or future payment processing), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission, where applicable
- Additional technical and organisational measures as required
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your subscription + 90 days after termination |
| Compliance data | Deleted upon customer request or upon contract termination, whichever comes first |
| Usage / log data | Up to 12 months from collection |
| Communication data | Up to 24 months from last interaction |
| Backups | Purged within 30 days of the original data deletion |
After the retention period, personal data is securely deleted or anonymised.
9. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
- Right of access (Art. 15) - Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) - Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) - Request deletion of your personal data ("right to be forgotten"), subject to legal obligations.
- Right to restriction (Art. 18) - Request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20) - Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) - Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)) - Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at support@doralytics.org. We will respond to your request within 30 days.
9.1 Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (GDPR Article 77). Relevant authorities include:
- United Kingdom - Information Commissioner's Office (ICO): ico.org.uk
- Finland - Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi
10. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit - All data transmitted between your browser and our servers is protected with TLS 1.2 or higher.
- Encryption at rest - All stored data is encrypted using AES-256 encryption.
- Role-based access control - Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Regular security audits - We conduct periodic security assessments and vulnerability testing of our infrastructure.
- Incident response - We maintain documented incident response procedures. Where we act as data controller, we will notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Article 33), and will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). Where we act as data processor for customer compliance data, we will notify the affected customer without undue delay so that they can meet their own notification obligations (GDPR Article 33(2)).
11. Cookies
DoraLytics uses a minimal set of cookies to ensure the Service functions correctly:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Maintains your authenticated session | Session |
| Language preference | Essential | Stores your selected language | 1 year |
| Cookie consent | Essential | Remembers your cookie preferences | 1 year |
We do not use third-party tracking cookies. If we introduce optional analytics in the future, they will only be activated with your explicit consent.
12. Children's Privacy
DoraLytics is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child under 16, please contact us immediately at support@doralytics.org, and we will promptly delete the data.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email at least 14 days before the changes take effect
- Post a prominent notice on our website
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy inquiries: support@doralytics.org
General inquiries: support@doralytics.org
Lambda Cognition Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom