Last updated: 2026
This Privacy Policy explains how PMAP (“PMAP”, “we”, “us”), Privia Security’s enterprise vulnerability management platform and multi-vendor scan orchestrator operated by Privia Security Ltd, collects and processes your personal data when you visit pmap.io or engage with our products and services. We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
Who we are
The data controller for the personal data described in this policy is Privia Security Ltd, the company that owns and operates PMAP. Where this policy refers to “PMAP”, it refers to the PMAP platform and website operated by Privia Security Ltd.
How we collect personal data and our lawful bases
We collect personal data through electronic or physical means, for example when you complete a form on pmap.io, request a demo, contact our team, or use the platform. We rely on one or more of the following lawful bases under Articles 6 and 9 of the UK GDPR:
- Consent: you have given clear consent for us to process your personal data for a specific purpose.
- Contract: processing is necessary to perform a contract with you, or to take steps at your request before entering into a contract.
- Legal obligation: processing is necessary for us to comply with the law.
- Legitimate interests: processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms.
Why we process personal data
We process personal data to respond to demo and contact requests, to provide and support the products and services you ask for, to operate and improve pmap.io, to plan and carry out our commercial activities, and to maintain the legal, technical and operational security of PMAP and the people we work with.
Who we share personal data with
We may share personal data with our service providers (such as hosting, analytics and customer support providers), our business partners and suppliers, and legally authorised public or private bodies, only where a lawful basis applies and only for the purposes set out in this policy.
International transfers
Where personal data is transferred outside the United Kingdom, such transfers take place only where an adequacy decision is in place, or appropriate safeguards (such as Standard Contractual Clauses) have been implemented in accordance with Articles 44 to 49 of the UK GDPR.
How long we keep personal data
We keep personal data only for as long as the purpose for which it was collected requires, or for as long as we are required to retain it by law. When personal data is no longer needed and there is no lawful basis to keep it, it is deleted, destroyed or anonymised.
Your rights
Under the UK GDPR you have the right to:
- access your personal data and obtain a copy of it (Art. 15);
- request correction of inaccurate or incomplete personal data (Art. 16);
- request erasure of your personal data where there is no longer a lawful basis for processing (Art. 17);
- request restriction of processing in certain circumstances (Art. 18);
- receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20);
- object to processing based on legitimate interests or for direct marketing (Art. 21);
- not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22); and
- lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your data has been processed unlawfully.
We will respond to any request as soon as possible and in any case within one month of receipt, in accordance with Article 12 of the UK GDPR.
Cookies
pmap.io uses cookies and similar technologies. For details about the cookies we use and how to manage them, please see our Cookie Policy.
Changes to this policy
We may update this Privacy Policy from time to time. The current version applies from the date it is published on pmap.io.
Contact
For any question about this policy or to exercise your rights, contact us at [email protected] or through our contact page. The supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.