Privacy & Cookie Policy

Mira Software Ltd, trading as Cyber Assure ("we", "our", "us"), operates the website at cyberassure.cloud and the Cyber Assure portal at cyberassure.app (together, the "Service"). This Privacy and Cookie Policy explains how we collect, use, store and protect personal information, and how we use cookies and similar technologies.

1. Definitions

• Account means a unique account created for your organisation to access the Service.
• Personal Data means information relating to an identified or identifiable individual.
• Customer Data means data submitted by you, such as domains, IP addresses, uploaded files, supplier and asset records, and user account details.
• Usage Data means data collected automatically when using the Service (e.g. IP address, browser/device type, login activity, usage logs).
• Reports means analyses, alerts, or recommendations generated by the Service based on Customer Data or Usage Data.
• Sub-Processor means a third party engaged by us to process data on our behalf (e.g. hosting, billing, email delivery, threat intelligence).

2. Who we are

The Service is operated by Mira Software Ltd, trading as Cyber Assure, a company registered in England and Wales (Company No. 16509483), registered office: Castle Hill House, High Street, Huntingdon, PE29 3TE.

We are registered with the Information Commissioner's Office (ICO) under registration number ZB996566.

For any privacy or data protection matter, contact our Data Protection Lead at privacy@cyberassure.cloud. For general enquiries, contact hello@cyberassure.cloud.

3. Information we collect

We may collect:

• Account information – name, email, job title, organisation details, and login credentials.
• Subscription/payment data – processed securely by Stripe; we do not see or store full card details.
• Usage Data – IP address, login activity, device/browser information.
• Customer Data you submit – domains, IP addresses, uploaded evidence and policy files, and entries you create in registers (risks, suppliers, assets, incidents).
• Microsoft 365 data – where you choose to connect your Microsoft 365 tenant, we access read-only Microsoft Secure Score metrics via the Microsoft Graph API, with your administrator's consent. We do not access mailbox content, files, or user data beyond the security posture metrics required for the feature.
• Communications – emails and notifications sent via Mailgun, and support tickets handled via Freshdesk.

4. How we use your information

We use your information to:

• Provide and maintain the Service.
• Manage your Account and subscription.
• Process payments.
• Send notifications, updates, and reports.
• Monitor usage for security and performance.
• Respond to enquiries and support requests.
• Comply with legal or regulatory obligations.
• Support business changes, such as a merger, acquisition, or sale of assets. If this happens, your data will remain subject to protections consistent with this Policy.
• Improve the Service through anonymised analysis.

5. Automated processing and AI features

Certain features of the Service use artificial intelligence to assist you — for example, reviewing uploaded policy documents, enriching dark web alerts, and suggesting risks or remediation steps.

• AI-generated output is guidance only and should be reviewed by an appropriately informed person before you act on it. It does not constitute professional, legal or security advice.
• AI processing is carried out using Microsoft Azure OpenAI services hosted in the UK South region. Your Customer Data is not used to train foundation models.
• For technical reasons, some processing operations may occur globally across Microsoft's secure infrastructure, protected under Microsoft's Data Protection Addendum and applicable safeguards.

6. Lawful basis for processing

We process data under the following lawful bases (UK GDPR and Data Protection Act 2018):

• Contract – to deliver the Service.
• Legal obligation – to comply with applicable laws.
• Legitimate interests – to secure, monitor, and improve the Service.
• Consent – for non-essential cookies and marketing communications.

7. Data retention

We retain personal data only as long as necessary to provide the Service and comply with our legal obligations:

• Account and subscription data – retained while your organisation has an active subscription.
• Billing records – retained for up to 6 years to meet legal and tax requirements.
• Uploaded files and register data – retained until deleted by you or your account is closed (subject to limited backup retention).
• Communications and support tickets – retained as required for support and compliance.
• Usage Data – retained for a limited period unless required for security or compliance.

Deleted data may remain in secure backups for a limited period before being permanently removed. Aggregated or anonymised data that does not identify you may be retained indefinitely.

8. Sharing of data

We share data only with trusted Sub-Processors required to deliver the Service. Our current Sub-Processors, their purpose, and their data location are set out in our Sub-Processor List, which forms part of this Policy.

Our core data storage (the Xano backend database and Microsoft Azure file storage) is located in the United Kingdom. Some Sub-Processors process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place — such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.

Threat intelligence and security checks. Some features rely on specialist providers:

• Vulnerability scanning, web and mail checks send only technical query data (such as IP addresses and domain names) to perform the check. Where relevant, we use Google's DNS-over-HTTPS service to resolve domain records.
• Dark web monitoring necessarily processes personal data — specifically email addresses and exposed credential data associated with your monitored domains — in order to alert you to potential exposure. This is carried out by SOS Intelligence Limited (UK). Results are processed and stored securely in the UK.

We may also disclose data to comply with legal obligations, to protect our rights and users' safety, or in connection with business transfers. We do not sell or rent your data.

9. Cookies and similar technologies

What are cookies? Cookies are small text files stored on your device when you visit a website or application. They help us recognise you, improve your experience, and measure performance. Cookies may be set by us ("first-party") or by trusted providers we use ("third-party").

Marketing website (cyberassure.cloud). Our marketing website uses both essential and non-essential cookies (such as analytics and marketing cookies). If you are in the UK or EU, you will see a cookie banner allowing you to accept or reject non-essential cookies. A detailed list is available through the banner.

Analytics cookies. We use Microsoft Clarity and Google Analytics to understand how visitors interact with our website. This helps us improve the website experience. Data may be processed outside the UK with appropriate safeguards.

Web application (cyberassure.app). The portal uses only essential cookies required for logging in and maintaining sessions, security functions such as CSRF protection, and payment processing (e.g. Stripe fraud prevention). These are strictly necessary and cannot be disabled.

Email tracking. Some emails may contain tracking pixels that tell us whether an email has been opened or a link clicked. You can disable tracking by blocking images in your email client, or unsubscribe at any time.

Managing cookies. You can control cookies in your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

10. Security of data

We apply a "security by design" approach and use technical and organisational measures to protect your data, including encryption in transit (TLS/HTTPS) and at rest, role-based access controls, logical separation of customer data, ongoing monitoring for vulnerabilities and threats, and incident response procedures.

Mira Software Ltd holds Cyber Essentials certification. Our full security measures are described in our Technical and Organisational Measures document, available on request. No system is 100% secure, but our goal is to minimise risk through layered defences, regular review, and continuous improvement.

11. Your rights

Under the UK GDPR and Data Protection Act 2018, you have the right to: access a copy of your data; have inaccurate data corrected; request deletion ("right to be forgotten"); restrict processing in certain circumstances; object to processing based on legitimate interests; request portability; and withdraw consent where processing is based on consent (e.g. marketing emails).

If you delete your Account, all associated Customer Data and Personal Data will be permanently deleted from our active systems. This process is irreversible, though we may retain limited records where required by law (e.g. billing records).

To exercise these rights, contact privacy@cyberassure.cloud. We may need to verify your identity before processing your request. Requests are handled within one month in line with applicable law.

12. Communications and updates

We may use your contact details to send important updates about the Service (feature releases, security notices, new functionality). These form part of our service communications, sent under our legitimate interests in keeping you informed about the Service you use.

We may also send occasional newsletters or product announcements relating to similar services, under our legitimate interests in developing our services. You can opt out at any time via the "unsubscribe" link in any email or by contacting privacy@cyberassure.cloud. We use Mailchimp to manage and distribute newsletters. We do not sell or share your contact details for marketing by third parties.

13. Children's data

The Service is intended for use by organisations and their staff. Users of the Service must be 18 or over. The Service is not intended to store the personal data of children or pupils. Customers must not upload or enter the personal data of children into the Service. If we become aware that such data has been provided to us, we will take steps to delete it.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, or legal requirements. Minor changes take effect immediately upon posting, with the "last updated" date reflecting the change. Material changes will be notified to you by email or through the Service before they take effect.

15. Contact us