privacy notice
1. Who we are
This Privacy Notice explains how Anima Core Ltd ("anima_core", "glacierr", "we", "us", or "our") processes personal data in connection with our software made available through Microsoft Security Store & Marketplaces.
Controller: Anima Core Ltd
Registered address: Suite 17 Apex House, Thomas Street, Caerphilly, United Kingdom, CF83 8DP
Email: privacy@animacore.io
Website: animacore.io
data protection officer / privacy contact
If you have any questions about this notice or how we use personal data, contact us at: privacy@animacore.io
2. What this notice covers
This notice covers personal data that we control in connection with:
- making anima_core software available to customers;
- account, commercial, and support communications with customers;
- optional diagnostics or telemetry that we receive directly; and
- security, compliance, and service administration.
anima_core software is deployed and used within Microsoft Services (Security Copilot, Defender, Sentinel). Microsoft Security Copilot processes its own Customer Data, including prompts, retrieved information, responses, pinned items, and file uploads, under Microsoft's own terms, privacy commitments, and retention settings. Security Copilot also uses on-behalf-of authentication and the permissions already assigned within the customer's Microsoft environment, where data is retained solely within the customer tenant and non-accessible by Anima Core Ltd.
3. Personal data we may process
Depending on how you use the service, we may process the following categories of personal data:
account and business contact data
Name, business email address, company name, job title, billing and commercial contact details, and other information provided during enquiries, procurement, onboarding, or support.
support and troubleshooting data
Information you choose to send to us when requesting help, such as support emails, ticket content, screenshots, exported reports, log extracts, or configuration details.
service administration and security data
Basic records needed to manage the relationship, prevent misuse, maintain security, investigate incidents, and comply with legal obligations.
optional telemetry or diagnostics
If we enable separate product telemetry or diagnostics, this may include technical usage information, error data, or performance data associated with the agent or related support tooling. Where this is optional, we will explain this clearly at the point of collection.
what we generally do not receive by default
Unless you deliberately send it to us, we do not seek direct access to your Microsoft Security Copilot prompts, responses, or Microsoft security data merely because you deploy the agent. The agent operates within Microsoft Security Copilot using your organisation's own permissions and settings.
4. Why we use personal data and our lawful bases
We use personal data for the following purposes:
to provide and support the service
We use account, support, and service information to provide the agent, respond to enquiries, assist with onboarding, investigate issues, and communicate with customers.
Lawful basis: performance of a contract, or steps taken before entering into a contract.
to secure and improve the service
We may use limited technical and support information to maintain service integrity, troubleshoot faults, prevent abuse, and improve reliability and support quality.
Lawful basis: legitimate interests, namely operating, securing, and improving our services responsibly.
to manage commercial, legal, and compliance obligations
We use relevant information for record-keeping, audit, tax, accounting, export control, dispute handling, and compliance with applicable law.
Lawful basis: legal obligation, and where applicable our legitimate interests in running our business.
for optional analytics or product improvement
If we introduce optional analytics, diagnostics, or similar improvement features that are not strictly necessary, we will either rely on a clearly explained legitimate interest where appropriate, or obtain consent where required by law.
5. Where the data comes from
We collect personal data:
- directly from you or your organisation;
- from Microsoft marketplace, procurement, or partner workflows where relevant to making the service available;
- from support interactions;
- from service administration and security processes; and
- from optional diagnostics or telemetry where enabled.
If you provide us with third-party personal data, you must ensure you are authorised to do so.
6. Who we share personal data with
We may share personal data with:
- Microsoft, where necessary for marketplace, deployment, hosting, or related platform functions;
- our service providers and subprocessors, such as hosting, support, CRM, ticketing, security, and communications providers;
- our professional advisers, such as lawyers, auditors, insurers, and accountants;
- competent regulators, courts, law enforcement, or public authorities, where required by law or to protect our legal rights.
We do not sell personal data.
7. International transfers
Some of our suppliers or service providers may process personal data outside the UK or EEA. Where this happens, we will ensure appropriate safeguards are in place, such as:
- adequacy regulations or adequacy decisions; or
- approved transfer mechanisms, such as the UK International Data Transfer Agreement, the UK Addendum, or the European Commission's Standard Contractual Clauses.
You can request further information about these safeguards by contacting us.
8. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described above. Our standard retention periods are:
- customer account and commercial records: during the contract term and for up to 7 years afterwards where required for tax, accounting, audit, or legal purposes.
- support records and troubleshooting material: usually for up to 24 months after the support matter closes, unless longer retention is needed for an ongoing issue, dispute, or security matter.
- security and audit logs that we control directly: usually for up to 12 months, unless a longer period is required for incident investigation or legal compliance.
- optional diagnostics or telemetry: for up to 90 days, unless a longer period is needed to investigate a specific fault or security event.
If specific circumstances require a different period, we will retain the data only for as long as necessary and proportionate.
9. Your rights
Subject to applicable law, you may have the right to:
- access your personal data;
- have inaccurate personal data corrected;
- request erasure of your personal data;
- request restriction of processing;
- object to processing carried out on the basis of legitimate interests;
- receive a portable copy of certain personal data; and
- withdraw consent at any time, where we rely on consent.
your right to object
Where we rely on legitimate interests, you have the right to object to that processing. We will then stop the processing unless we have compelling legitimate grounds to continue or another lawful basis applies.
To exercise your rights, contact us at privacy@animacore.io
10. Complaints
If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve the issue.
You also have the right to complain to the relevant data protection authority. In the UK, this is the Information Commissioner's Office (ICO).
11. Automated decision-making
We do not use personal data for solely automated decision-making that produces legal effects or similarly significant effects on individuals in connection with this service.
12. Changes to this notice
We may update this Privacy Notice from time to time. We will post the latest version at animacore.io/privacy-notice and update the "Last updated" date above.