Privacy Notice

1. Controller and contact details

The controller (or "we", "us") is Alaris Security Inc., 2261 Market Street, 94114 San Francisco.

Where required by applicable law, we have appointed a data protection officer / EU representative who can be contacted at hello@alaris.security.

2. Purposes of processing

We process personal data for the following purposes:

  • Providing and operating our services (including account management, support, and communication).
  • Handling contractual relationships and pre‑contractual requests (e.g. demo requests, candidate applications).
  • Security, fraud prevention, and service integrity (e.g. logs, abuse detection).
  • Optional marketing and analytics, where permitted by law or based on consent.

3. Legal basis (if GDPR applies)

Where GDPR applies, we rely on the following legal bases:

  • Performance of a contract or steps prior to entering into a contract (Article 6(1)(b) GDPR), for account setup, service provision and support.
  • Compliance with legal obligations (Article 6(1)(c) GDPR), for example accounting, tax or mandatory retention.
  • Legitimate interests (Article 6(1)(f) GDPR), such as IT security, service improvement, and preventing misuse, provided that your interests do not override ours.
  • Consent (Article 6(1)(a) GDPR) for optional uses, such as certain cookies, analytics or direct marketing, which you can withdraw at any time with future effect.

Where GDPR does not apply, we process personal data as permitted under applicable data protection and privacy laws in the relevant jurisdiction.

4. Recipients and international transfers

We share personal data only with:

  • Internal teams who need the data to perform their tasks (e.g. engineering, support, sales).
  • Service providers (processors) such as hosting, email, analytics, or applicant‑tracking vendors, bound by contractual data protection obligations.
  • Authorities, courts or advisors where required by law or necessary to establish, exercise or defend legal claims.

We may transfer personal data to recipients in countries outside the European Economic Area / UK that may not provide the same level of data protection. In such cases, we implement appropriate safeguards as required by Articles 44 ff. GDPR (for example, standard contractual clauses, supplementary technical and organisational measures).

5. Retention periods

We keep personal data only for as long as necessary for the purposes described above, or as required by law. Typical retention periods include, for example:

  • Account and usage data: for the duration of the contractual relationship and a limited period thereafter for backup, dispute resolution and legal retention requirements.
  • Candidate data: usually 6 months after the end of the recruitment process, unless a longer period is required by law or based on explicit consent (e.g. talent pool).
  • Marketing/contact data: until you withdraw consent or object to processing, plus a short period necessary to implement your request and maintain suppression lists.

If we cannot specify an exact retention period, we use criteria such as the duration of our relationship with you, statutory limitation periods and legal retention obligations to determine how long we keep the data.

6. Mandatory data and consequences of non‑provision

Where we ask you to provide personal data, we will indicate where this is mandatory (for example, marked as required fields in forms).

If you do not provide mandatory data, we may not be able to provide the requested service (e.g. create an account, process an application). Providing any data that is not marked as mandatory is voluntary.

7. Data subject rights (if GDPR applies)

Where GDPR applies, you have the following rights, subject to the conditions set out in the law:

  • Right of access, rectification, erasure and restriction of processing (Articles 15–18 GDPR).
  • Right to data portability (Article 20 GDPR).
  • Right to object to certain processing activities based on legitimate interests or for direct marketing (Article 21 GDPR).
  • Where processing is based on your consent, the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

You can exercise these rights by contacting us at privacy@alaris.security.

If GDPR applies, you also have the right to lodge a complaint with a competent data protection authority, in particular in the EU/EEA member state of your habitual residence, place of work or of an alleged infringement.

8. Automated decision‑making

We do not use personal data to make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, unless we inform you separately and provide the information required by Article 22 GDPR.

9. Security measures

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, implementation costs, and the nature and risks of the processing.