Privacy
Privacy Policy.
Last updated: 4 June 2026. This policy explains how Thesmios collects, uses, shares, and retains personal data.
Who we are
Thesmios Ltd is the controller for this website and for Thesmios services where it decides why and how personal data is processed. Thesmios Ltd is registered in England and Wales, company number 17150638, with registered office at 2 South Quay Square, London, E14 9LT.
Contact for privacy queries
Contact privacy@thesmios.com for privacy questions, rights requests, or data protection concerns.
What data we collect
We may collect contact details, account details, scan inputs and results, credentials or profile data you provide, payment and billing status, device and technical logs, and communications with us.
Lawful bases
Consent applies to optional analytics and voluntary profile actions. Contract applies where data is needed to provide paid services. Legitimate interests may apply to business communications, fraud prevention, security logging, and product improvement where those interests are not overridden by individual rights.
Recipients and subprocessors
We use subprocessors for hosting, email, analytics, and AI processing where required. The current list is maintained on the subprocessors page, and B2B processor terms are summarised in the Data Processing Addendum.
See Subprocessors.
B2B customers can also review the Data Processing Addendum.
International transfers
Some subprocessors are based outside the UK. Where personal data is transferred internationally, Thesmios relies on adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, or another lawful transfer mechanism.
Your rights
You have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where consent is the lawful basis. Authenticated users can download a privacy export and record data-rights requests from settings; privacy requests are tracked in the customer operations queue. We aim to respond to data subject access requests within one month, subject to lawful extensions. You can also complain to the Information Commissioner.
ICO contact details
The Information Commissioner's Office can be contacted at ico.org.uk or Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Changes to this policy
This policy was last updated on 4 June 2026. Material changes will be published on this page.
Retention periods
| Contact enquiries | 24 months after the last interaction |
|---|---|
| Waitlist records | Until launch outreach is complete or deletion is requested |
| Profile records | Until account deletion or the retention period selected in the product |
| Technical logs | Up to 12 months unless needed for security investigation |
| Payment records | 6 years where required for tax and accounting |