Privacy Policy

Last updated: May 29, 2026

1. Introduction

Arceo Labs, Inc., doing business as Resilience, including its subsidiaries and affiliates (collectively, the “Company” or “Resilience” or “we”) respects your privacy and is committed to protecting it through compliance with this policy.

This policy describes the types of information we may collect from you or that you may provide when you visit this website and other websites operated or controlled by Resilience, including www.cyberresilience.com and portal.cyberresilience.com (collectively, the “Website”), including any content, functionality, and services offered on or through the Website, as well as any other media channel, mobile browser accessible website or mobile application related, linked, or otherwise connected thereto.

Reference to “you” or “your” in this policy shall mean you, your authorized representatives, and any entity you may represent in connection with your use of the Website.

To deliver and operate our Website, including portal.cyberresilience.com (the “Platform”), applications, and related products and services (collectively, the “Solutions”), we collect, use, store, share, and otherwise handle personal information about individuals who access, use, or register for the Solutions.

If you have a separate, written agreement with the Company regarding your use of the Website, that agreement will govern to the extent it conflicts with or addresses the same subject matter as this Privacy Policy. In all other respects, this Privacy Policy will apply.

This policy applies to information we collect:

  • Through the Website
  • In email, text, and other electronic messages between you and the Website
  • When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy
  • Through automated technologies, such as cookies, pixels and analytics tools that collect information about user interactions with the Website
  • Through any other means in connection with your interactions with the Website
  • Via third parties or publicly available information

Please read this policy carefully to understand our policies and practices regarding your personal information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy.

The Website and Solutions are not intended for individuals who have not reached the age of majority under the laws of their jurisdiction of residence and Resilience does not knowingly collect personal information from these individuals. This policy may change from time to time. Your continued use of this Website after we make changes is deemed to be acceptance of those changes.

2. Personal Information We Collect About You and How We Collect It

Personal data, or personal information, means any information about an individual from which that person can be identified. We collect several types of personal information from and about users of our Website, whether provided by you or collected by automatic means, including when you contact us through our Website, use our Solutions, or otherwise engage with the functionality of the Website.

We may collect and process the following personal information about you:

  1. Personal information you give us

You may give us personal information by accessing the Website, using our Solutions, filling in forms, and corresponding with us. This includes:

  • Contact Information: We collect personal information such as your name, job title, email address, phone number, mailing address, and the organization you represent, when you request information about our Solutions, request customer or technical support, apply for a job, or otherwise communicate with us. We also collect any personal information contained in your correspondence with us.
  • Job Applicant Information: If you apply for a role with us, we will use your personal information to administer and consider your application, including your name, address, contact information, and CV or résumé. 
  • Upload Information: Any content, files, or information that you create, upload, share, communicate to, or receive from Resilience when using the Website and our Solutions.
  1. Personal information we receive automatically
  • Technical Information: We automatically collect technical information such as the Internet Protocol (IP) address used to connect your device to the Internet, browser type and version, operating system, device make and model, and platform or OS version. We also receive information associated with each request, including time zone settings, date and time, and HTTP status code.
  • Interaction Information: We automatically collect information about your use of the Website and our services, including the full Uniform Resource Locators (URL), clickstream to, through and from our Website (including date and time), content you viewed or searched for, content response times, length of visits to certain content, interaction information (such as scrolling, clicks, and hover-overs), and methods used to browse away from content.
  • Location Information: We may derive your approximate regional location from your IP address, in order to localise our Website and services to you and ensure the services displayed to you are accurate for your location.
  1. Personal information we receive from other sources

We may obtain information about you from other sources, including through third-party services and organizations, to supplement information provided by you. This supplemental information allows us to verify information you have provided and to enhance our ability to provide you with information about our business and Solutions.

  • Public Information: For users of the Platform, Resilience may collect additional information, such as publicly available information obtained via scans of the internet, public databases, publicly available social media information, and controls and permissions in explicitly authorized account scans. Information obtained through scans may relate to any individuals and is not limited to Website or Platform users.
  • Business Partner Information: If you access our Solutions through a broker, agent, or other business partner acting on your behalf (a “Business Partner”), that partner may provide us with your personal information, including your professional contact information and other data such as insurance applications and known corporate domains, in order to create your account and provide our services to you. In such cases, that partner is responsible for having the legal basis to share your information with us, and for informing you that your information will be shared. We will use your information in accordance with this Privacy Policy.

3. Cookie Policy

Our Cookie Policy explains what cookies are and how we use them, the types of cookies and similar technologies that we use, how that information is used, and how to manage your cookie settings.

4. How We Use Your Personal Information

We use personal information that we collect about you or that you provide to us, including any personal information, for the following purposes:

  • To present our Website and its contents to you
  • To provide the Solutions
  • To activate, maintain, and service your account
  • To identify and authenticate your access to the parts of the Website that you are authorized to access
  • To provide you with information, products, or services that you request from us and respond to any of your inquiries
  • To establish and verify your identity
  • Where applicable, to provide you with notices about your account, including expiration and renewal notices
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection
  • To notify you about changes to our Website or any products or services we offer or provide through it
  • To improve the Website or Solutions
  • To allow you to participate in interactive features on our Website
  • To sell, market, provide, and improve our products and services in accordance with applicable law. You may opt out of promotional emails at any time by following the unsubscribe instructions included at the bottom of each promotional email
  • To personalise your experience on the Website
  • To comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities as permitted by applicable law
  • To evaluate and respond to applications submitted for job openings listed on our Website or other platforms, and to maintain communication with applicants throughout the recruitment process
  • To share your information with Business Partners, such as your insurance broker, in connection with risk advisory, account management, and related services they provide to you, with your consent.
  • For any other purpose with your consent
Additional Information for Users in Europe and the United Kingdom

If you are located in the EEA, Switzerland, or UK, we process your personal information when we have a valid legal basis, as required under applicable law. The appropriate legal basis will depend on how we use your personal information and the specific context in which we collect it.  We typically process personal information:

  • With your consent, for example when you accept our use of cookies;
  • Where the processing is necessary to perform a contract with you, for example when you sign up to use our Solutions;
  • Where it is necessary for our legitimate interests and those interests are not overridden by your data protection interests or fundamental rights and freedoms, for example when we use your personal information to understand how you use our Solutions so that we can make improvements; or
  • To comply with our legal obligations.

Where we rely on consent, you have the right to withdraw such consent at any time by contacting us (see the “How to Contact Us About This Notice” section below).

We strive to provide you with choices regarding certain personal information uses, particularly around marketing and advertising. We may use your personal information to form a view on what Solutions or other offerings we think you may want or need, or what may be of interest to you. You may receive marketing communication from us if you have requested information from us, have consented to marketing or have used our Solutions and you have not opted out of receiving that marketing or where we are otherwise legally permitted to send you marketing.

5. Third-Party Features Used in Connection with the Website

Our Website, including the Platform, may support integrations with third-party services that clients choose to connect for purposes such as authentication, data analysis, communication, or security monitoring. These integrations are initiated and managed by the client and may involve the exchange of data between the Website and the third-party service. Any personal information shared in connection with these integrations is subject to the applicable third party’s terms and privacy policy.

6. Sharing and Disclosure of Your Personal Information

We may disclose aggregated information about Website users, and information that does not identify any individual, without restriction.

We may share personal information that we collect or you provide as described in this privacy policy with:

  • Our subsidiaries and affiliates, who may also process your personal information for the purposes set out in this policy;
  • Organizations who process your personal information on our behalf and in accordance with our instructions.  This includes contractors, service providers, and other third parties we use to support our business such as data hosting services, fulfilment services, communications providers, fraud detection services, advertising services, marketing services, each of which is bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;
  • Analytics and search engine providers that assist us in the improvement and optimisation of our Website or Solutions, which are subject to our Cookie Policy;
  • Professional advisors, including banks, accountants, and lawyers, where necessary in the course of the professional services they provide to us;
  • A buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Resilience’s assets, whether as a going concern or as part of bankruptcy, insolvency, liquidation, or similar proceeding, in which personal information held by Resilience about our Website users is among the assets transferred; 
  • Third parties where required or legally permitted to establish, exercise, or defend legal rights; to comply with any court order, law, or legal process, including to respond to any government or regulatory request; to enforce or apply our Terms and Conditions and other agreements with you; or to protect the rights, property, or safety of Resilience, our customers, or others. This includes exchanging personal information with other companies and organisations for the purposes of fraud protection, credit risk reduction, and cybercrime prevention; and
  • Business Partners, such as insurance brokers, for the purposes of providing risk advisory, account management, and related services.

We may also disclose personal information for any other purpose disclosed by us when you provide the information, or with your consent.

7. Artificial Intelligence and Automated Processing

We use artificial intelligence and machine learning technologies to deliver and improve our services, including to analyse security data and provide interactive insights. We do not use your data to train or improve AI models.

We do not undertake solely automated decision-making which has a legal or similarly significant effect on you.

8. Data Security

We have implemented measures designed to protect your personal information from accidental loss, as well as from unauthorised access, use, alteration, and disclosure. While we take all reasonable precautions to secure your data, the safety of your information also depends on actions you take. If we have provided you with (or you have chosen) a password to access certain parts of our Website, it is important that you keep this password confidential to help ensure the security of your account.

Please note that no method of transmission over the internet is completely secure. Although we are committed to safeguarding your data, we cannot guarantee the security of information transmitted to our Website. Any transmission of personal information is done at your own risk. We are not responsible for any unauthorised access resulting from a failure to keep your account credentials secure or from circumvention of any security measures in place on the Website.

9. How Long Does Resilience Keep Your Information?

We will not keep personal information for longer than necessary for the purpose for which it is processed, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

If you are, or have previously been, a customer of Resilience, we may continue to hold and process your information for the purpose of continuing to carry out our obligations in connection with that relationship. We will retain and process your information for the duration of the relationship and for a reasonable period of time afterwards in accordance with Resilience’s Document and Record Retention Policy and as required by applicable law. You may contact us at privacy@cyberresilience.com to learn about the specific retention period applicable to your personal data.

When we no longer have ongoing legitimate business needs to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.

10. Your Privacy Rights and Choices

Depending on where you are located, you may have rights that allow you greater access to and control over your personal information. The following sections describe the rights available to you based on your jurisdiction.

In the United Kingdom and European Economic Area

In the EEA, Switzerland, and UK you have certain rights in certain circumstances to:

  • Request access to and obtain a copy of your personal information;
  • Request rectification or correction of your personal information if it is inaccurate or incomplete;
  • Request erasure of your personal information;
  • Restrict the processing of your personal information;
  • Request data portability, where applicable;
  • Object to the processing of your personal information; 
  • Not be subject to solely automated decision-making, including profiling, which produces legal or similarly significant effects on you; and
  • Withdraw your consent at any time where we are relying on consent to process your personal information. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, nor processing carried out on other legal grounds.

You can exercise your rights by contacting us using the details in the “How to Contact Us About This Notice” section below. We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the UK, if you have concerns about how we handle your personal information, you have the right to complain to us using the contact details mentioned in the section “How to Contact us About this Notice” below. We will acknowledge your complaint within 30 days of receipt, investigate and respond to you without undue delay and keep you informed of progress. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator. You can complain to the ICO at any time, whether or not you have complained to us first.

If you are located in the EEA or Switzerland and believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

You may change your preferences and object to receiving further marketing at any time by selecting the “unsubscribe” link at the end of our marketing and promotional communications, or by contacting us using the details in the “How to Contact Us About This Notice” section below.

In Canada

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), residents of Canada have the right to access, correct, and request the deletion of their personal information. To exercise any of these rights, please contact us using the details in the “How to Contact Us About This Notice” section below. If you have concerns about how your personal information is handled, you may file a complaint with the Office of the Privacy Commissioner of Canada. We will consider and act upon any request in accordance with applicable data protection laws.

Quebec

If you are a resident of Quebec, your personal information is also protected under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25). In addition to the rights described above, you have the right to request portability of your personal information in a structured, commonly used technological format, and to request de-indexing or cessation of dissemination of personal information about you in certain circumstances. To exercise these rights or to raise a concern, you may contact our Privacy Officer at privacy@cyberresilience.com or file a complaint with the Commission d’accès à l’information du Québec (CAI) at cai.gouv.qc.ca.

In the United States

Many US states provide their residents with privacy rights regarding personal information, including rights to access, correct, delete, and opt out of certain uses of their personal information. These rights vary by state and may include the right to:

  • Confirm whether we process your personal information;
  • Access and delete certain personal information;
  • Correct inaccuracies in your personal information;
  • Request portability of your personal information;
  • Opt out of personal information processing for targeted advertising, sales, or profiling in furtherance of decisions that produce legal or similarly significant effects; and
  • Limit or require consent to process sensitive personal information.

The exact scope of these rights varies by state. To exercise any of these rights, please contact us using the details in the “How to Contact Us About This Notice” section below. We may request specific information to verify your identity and will respond in accordance with applicable law. We will notify you if we need additional time to respond to your request.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. These include the right to:

  • Know the categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it;
  • Access the personal information we have collected about you;
  • Delete personal information, subject to certain exceptions;
  • Correct inaccuracies in your personal information;
  • Opt out of the “sale” or “sharing” of your personal information;
  • Limit the use and disclosure of your sensitive personal information, if applicable; and
  • Not be discriminated against for exercising any of these rights.

Use of Sensitive Personal Information: The right to limit the use of sensitive personal information means that you have the right to direct businesses to only use your sensitive personal information for limited purposes. We only collect sensitive personal information (such as your payment information) as defined by applicable laws for the purposes allowed by law or with your consent. We do not collect or process sensitive personal information for the purpose of inferring characteristics about you. You may request to limit any additional uses by contacting us using the details in the “How to Contact Us About This Notice” section below.

Opting Out of Sale or Sharing / Global Privacy Control (GPC): Resilience does not sell your personal information in exchange for money, but some of our website tracking may qualify as “selling” or “sharing” under California law.  You have the right to opt out of the sale or sharing of personal information and may do so through certain browser enabled opt-out preference signals, such as Global Privacy Control (GPC).  Our Website is designed to recognize and honor GPC signals. If your browser or device sends a GPC signal, we treat it as a valid request to opt out of the sale or sharing of your personal information.

Submitting a Request: To exercise your California privacy rights, you may contact us using the details in the “How to Contact Us About This Notice” section below. You may also designate an authorised agent to make a request on your behalf. We may need to verify your identity before processing your request and will respond within the timeframes required by law.

In the Asia Pacific Region

If you are located in the Asia Pacific region, the following rights may apply to you depending on your jurisdiction. To exercise any of these rights, or for questions about how we handle your personal data, please contact us at privacy@cyberresilience.com.

Cambodia

Individuals in Cambodia may have rights regarding the collection, use, and disclosure of their personal data under applicable local laws. To the extent such rights exist, you may have the ability to access, correct, or delete your personal data, and to withdraw consent for its processing.

Hong Kong SAR

Under the Personal Data (Privacy) Ordinance, individuals have the right to request access to and correction of their personal data. A data user should provide reasons when refusing a data subject’s request.

Indonesia

Under Indonesia’s Personal Data Protection Law, you may request access to, correction, or deletion of your personal data, object to our processing, and request portability of your personal data where technically feasible.

Japan

Under Japan’s Act on the Protection of Personal Information, you may request disclosure, correction, addition, or deletion of your personal information, request cessation of use or third-party provision of your personal information, and withdraw your consent to our processing.

Laos

Laos’ Law on Electronic Data Protection (No. 25/NA, 2017) provides protections for electronic personal data. We are committed to handling your personal data responsibly and to processing it only with proper authorisation and in accordance with applicable law.

Macao

The Personal Data Protection Act provides individuals with the right to access, correct, and delete their personal data. You may also withdraw your consent to the processing of your personal data.

Malaysia

Under Malaysia’s Personal Data Protection Act, you may request access to and correction of your personal data, withdraw consent to our processing (subject to legal restrictions), and request portability of your personal data where technically feasible.

Mongolia

Under Mongolia’s Personal Data Privacy Law (effective May 2022), you may request access to, rectification, deletion, restriction of processing, or portability of your personal data, object to our processing, and withdraw your consent to our processing.

Philippines

Under the Philippines’ Data Privacy Act of 2012 (Republic Act No. 10173), you have the right to be informed about how your personal data is processed, the right of access, the right to object, the right to erasure or blocking, the right to rectification, the right to data portability, the right to lodge a complaint with the National Privacy Commission (NPC), and the right to damages for any violation of your privacy rights. You may contact the NPC at privacy.gov.ph. In connection with our use of artificial intelligence technologies to deliver our services, we disclose that certain features of our platform use automated processing to analyse security data and provide insights about your risk posture.

Republic of Korea

Under the Personal Information Protection Act, you may request access to, correction, deletion, or suspension of processing of your personal information, withdraw your consent, request portability of your personal data, and request an explanation of, or review of, any automated processing that significantly affects your rights or obligations.

Singapore

Under the Personal Data Protection Act 2012, you may request access to and correction of your personal data held by us, withdraw consent to our use of your personal data (subject to legal and contractual restrictions), and request that we transmit your personal data to another organisation where technically feasible.

Taiwan

Under Taiwan’s Personal Data Protection Act, you may request access to, review, copy, supplement, or correction of your personal data, request cessation of collection, processing, or use of your personal data, and request deletion of your personal data.

Thailand

Under Thailand’s Personal Data Protection Act, you may request access to, correction, deletion, restriction of processing, or portability of your personal data, object to our processing, and withdraw your consent.

Vietnam

Under Vietnam’s Law on Personal Data Protection (Law No. 91/2025/QH15, effective January 1, 2026), you have the right to know how your personal data is processed, the right to consent or withdraw consent, the right of access, the right to deletion, the right to restriction of processing, the right to data portability, and the right to object to our processing of your personal data.

11. International Data Transfer

As a global company, Resilience may transfer or share your personal information across borders for the purposes outlined in this privacy policy. We may transfer your information internationally to our group companies, service providers, business partners, or governmental and public authorities.

We may collect, use, process, disclose and transfer your personal information to the United States and other countries or territories, which may not provide the same level of data protection as your country of residence. By using our Website, you acknowledge and consent that your information may be transferred to the United States and other countries as described in this policy.

Where we transfer your personal data outside of the EEA and UK, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We transfer your personal information to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State or the European Commission; or
  • We implement standard contractual clauses with the recipients of your personal information to safeguard transfers to countries outside of the UK and EEA.  We also ensure that recipients adopt the necessary organizational and technical security measures to safeguard personal data and process it only in accordance with our instructions and not for any other purpose.  

12. Changes to Our Privacy Policy

Resilience may update this Privacy Policy at any time to reflect changes to our information practices. If we make significant changes in how we use your personal information, we will notify you by email if feasible or by means of a notice on the Website. The date the Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and this Privacy Policy to check for any changes.

13. How to Contact Us About This Notice

If you have any questions about this Privacy Policy or our privacy practices, please contact us at: privacy@cyberresilience.com