01 Who we are

The data controller behind this site.

What's Exposed Ltd ("whats.exposed", "we", "us", "our") is the data controller for personal data processed through this website and our delivery platform.

We are a security testing firm registered in Ireland, providing CREST-certified offensive security expertise, white-labelled for partners and delivered continuously for end clients.

02 What we collect

The categories of personal data we process.

Information you give us

  • Contact details: name, work email, phone, employer and role, collected when you fill in a contact form, request a demo, sign a partner agreement, or apply for a role.
  • Engagement information: scoping details, asset lists, technical contacts and the authorisations needed to deliver a security test you have asked us to perform.
  • Account information: username, hashed password and MFA device metadata, created when you are issued access to our delivery platform.
  • Communications: messages, emails and notes you send us, plus our responses.

Information collected automatically

  • Device & log data: IP address, user-agent, timestamps, pages requested and basic session metadata, used for security, abuse prevention and platform reliability.
  • Cookies & similar technologies: see our Cookies Policy for the full inventory and your controls.

Information from third parties

  • Partners & resellers: where a partner introduces you to us, we receive your contact details from them so we can support the engagement.
  • Public sources: for sales prospecting we may consult company information that is in the public domain (e.g. company websites, LinkedIn).

We do not knowingly collect data from anyone under the age of 16 and our services are not directed at children.

03 Why we use it

The purposes for which we process your data.

  • Deliver our services: scope, perform, report on and remediate security testing engagements.
  • Run our partner programme: onboard partners, enable white-label delivery, and pay commercial entitlements.
  • Operate the platform: provide accounts, deliver findings in real time, run notifications and exports.
  • Communicate: respond to enquiries, send service updates, and (with your permission) share occasional product or industry updates.
  • Secure our environment: detect, investigate and prevent abuse, fraud and unauthorised access.
  • Meet legal obligations: accounting, tax, regulatory reporting, and lawful requests from authorities.
  • Improve what we do: anonymised analytics on how the site and platform are used, so we can make them better.

05 Sharing & processors

Who we share data with, and why.

We do not sell personal data. We share it only where it is necessary to deliver the service or to meet a legal obligation. Categories of recipient:

  • Sub-processors we have contracted to provide infrastructure and tooling on our behalf: cloud hosting, email, ticketing and analytics. We require GDPR-aligned data processing terms with each.
  • Channel partners, where you have engaged us through one, limited to what they need to support and bill the engagement.
  • Professional advisers (legal, audit, insurance), under duties of confidence.
  • Authorities, where we are required by law to disclose, or where disclosure is needed to protect our rights or someone's safety.
  • Acquirers, in the event of a corporate transaction, subject to confidentiality and continuity of this Policy.

A current list of sub-processors is available on request from hello@whats.exposed.

06 International transfers

When data leaves the EEA / UK.

Our primary infrastructure is hosted in the EEA. Some of our sub-processors are based outside the EEA / UK (notably the United States). Where this happens we rely on one of the following transfer mechanisms, together with supplementary safeguards:

  • Adequacy decisions issued by the European Commission or the UK Government, where one applies.
  • Standard Contractual Clauses (the EU 2021 SCCs and the UK International Data Transfer Addendum) with each recipient where adequacy does not apply.
  • Supplementary measures alongside the above: encryption in transit and at rest, access controls, and pseudonymisation where appropriate.

07 Retention

How long we keep what.

  • Engagement records: for the term of the engagement plus 7 years, to meet our legal, accounting and professional obligations.
  • Test artefacts (raw): encrypted and retained for up to 90 days after delivery of the final report, then securely destroyed unless you ask us to retain them for a re-test.
  • Platform accounts: for the duration of your access plus 12 months, then deleted or anonymised.
  • Marketing contacts: until you unsubscribe or after 24 months of inactivity, whichever comes first.
  • Server logs: 30 to 90 days, for security and reliability purposes.

08 Your rights

What you can ask us to do, for free.

  1. Access a copy of the personal data we hold about you.
  2. Rectify inaccurate or incomplete data.
  3. Erase data where we no longer have a basis to process it ("right to be forgotten").
  4. Restrict our processing while a query or objection is resolved.
  5. Object to processing based on our legitimate interests, or to direct marketing.
  6. Portability: receive the data you provided to us in a structured, commonly used and machine-readable format.
  7. Withdraw consent at any time, where we rely on consent.
  8. Not be subject to a decision based solely on automated processing that has legal or similarly significant effects. We do not currently make such decisions.

To exercise any of these rights email hello@whats.exposed. We will respond within one calendar month and may need to verify your identity first.

09 Security

How we protect what you trust us with.

Security is the work, and we hold ourselves to the standards we audit our clients against:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Multi-factor authentication required for all platform and infrastructure access.
  • Least-privilege access controls, regularly reviewed.
  • Independent third-party penetration testing of our own platform on a continuous basis.
  • An incident response process aligned with the GDPR requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.

If you believe you have found a security issue affecting our services, please follow our Responsible Disclosure process.

10 Changes

How we update this policy.

We may update this Policy from time to time. The "Effective" and "Last updated" dates at the top of this page reflect the current version. Material changes will be communicated to active customers and partners by email at least 14 days before they take effect.

11 Contact & complaints

How to reach us, and how to escalate.

For any data protection question, including subject access requests, contact us first at hello@whats.exposed. We aim to respond within 5 business days.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. Our lead authority is the Irish Data Protection Commission (dataprotection.ie). UK residents may complain to the Information Commissioner's Office (ico.org.uk).