Last updated: 5 May 2026
This Privacy Policy explains how Pental Limited (we, us, our, Pental) collects, uses, and shares personal data when you visit pental.io, register for an account, subscribe to the Pental platform (Platform), or use a customer portal hosted on the Platform. It applies to all individuals whose personal data we process, including prospective customers, customer staff (administrators, testers, contractors), and end users of customer portals (such as a customer firm's own clients). It is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018 (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and equivalent frameworks in other jurisdictions.
Pental is a business management platform sold to penetration testing firms and consultancies. The data our customers store on the Platform is sensitive by nature, including vulnerability findings, exploit evidence, client records, and authorisation credentials. Our practices reflect that.
Pental Limited is a company registered in England and Wales (company number 17172077) with its registered office at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF. For all privacy enquiries, data subject requests, or to contact our designated privacy contact, email hello@pental.io.
The way we handle personal data depends on what data is involved.
Controller, for our own data. We act as the data controller for personal data we collect directly: account information you provide when subscribing, billing details, marketing communications, support correspondence, and our own server logs. This is described in Section 4.
Processor, for Customer Data. When you, as a Pental customer, upload data to the Platform, including your client records, assessments, findings, proposals, invoices, credentials, and reports, we process that data on your instructions, on your behalf, and for your purposes. You remain the controller; we are your processor (or, on Enterprise Bring Your Own Database, we may act as a sub-processor or have no role at all in respect of certain data flows). The applicable terms are set out in Section 6 and in the Data Processing Agreement that forms part of our Terms of Service.
We collect and process the following categories of personal data, in our role as controller:
Account information. Name, work email address, company name, role, country, billing address, and VAT number where applicable. Payment card details are collected and processed by Stripe; we never see or store full card numbers.
Authentication data. Email-based one-time login codes (transient), session tokens, multi-factor authentication enrolment timestamps, WebAuthn credential identifiers (public keys only; we never have access to the private key on your device or hardware token), and login history.
Usage and telemetry data. Pages viewed, features used, error logs, request timestamps, referring URLs, IP addresses, browser type, device type, and operating system. Collected for security, debugging, and capacity planning.
Communications. Emails, contact form submissions, support tickets, and any correspondence with us. We retain message content, your email address, name, and submission timestamp.
Marketing data. Where you opt in to marketing emails or product announcements, we retain your email and a record of your opt-in until you unsubscribe.
Cookie and security data. Authentication cookies, theme preference, CSRF state during OAuth, and Google reCAPTCHA tokens used to detect automated abuse on login and contact forms. See our Cookie Policy.
Under Article 6 of UK GDPR and EU GDPR, we rely on the following lawful bases for our controller-role processing:
Contract. Processing your account information, authentication data, and billing information is necessary to perform our contract with you (your Subscription).
Legitimate interests. We process usage and telemetry data, security cookies, and reCAPTCHA results for the legitimate interests of platform security, fraud prevention, abuse detection, debugging, and service improvement. We have considered whether these interests are overridden by your rights and freedoms, and we have concluded they are not. You may object at any time (see Section 11).
Consent. Where we send marketing communications to individual subscribers, we do so on the basis of your opt-in consent. You may withdraw consent through the unsubscribe link in any marketing email or by emailing us.
Legal obligation. We retain certain records (such as financial records and tax documents) where required by HMRC, Companies House, or other applicable laws.
We use the personal data described in Section 3 to: provide, operate, and maintain the Platform; create and manage your account; process payments and Subscription billing; send transactional emails (login codes, multi-factor codes, invoices, account notifications); respond to your questions and provide customer support; detect, investigate, and prevent fraud, abuse, and security incidents; comply with our legal obligations including tax and accounting requirements; conduct internal analytics on aggregate, de-identified usage patterns to improve the Platform; and enforce our Terms of Service.
We do not sell personal data, share it with advertising networks, or use it to train artificial intelligence or machine learning models. Pental does not run AI or ML inference over Customer Data as part of normal Platform operation. If we ever introduce optional AI features, they will be off by default, opt-in per tenant, and the relevant sub-processor will be added to the list in Section 7 with prior notice as set out there.
Penetration testing firms that subscribe to the Platform store sensitive operational data in their portal: details of testing engagements, vulnerability findings, exploit evidence, client contact details, client portal user accounts, proposals, invoices, and (where the customer chooses to use the feature) authorisation credentials provided by their own clients for the purpose of an engagement. We refer to all of this as Customer Data.
Starter and Professional plans. Customer Data is stored in our managed Supabase database. Tenant isolation is enforced at the database level via row-level security policies and per-tenant scoping on every server-side function. We act as the data processor for Customer Data on these plans; the customer is the controller.
Enterprise plan with Bring Your Own Database. Customer Data is stored exclusively in the customer's own Supabase project, owned, billed, and operated by the customer. Pental does not hold the Supabase project's administrative credentials and cannot read Customer Data outside an authenticated end-user session that is established directly against the customer's project. The customer is the controller and the operator of the storage. We act as a processor only with respect to data that flows through our application servers (for example, when a tester opens a finding in the portal); we do not have ongoing administrative access to the project.
Credentials Vault. Customers may collect authorisation credentials (passwords, API keys, MFA seeds, login URLs) from their own clients through an encrypted credential submission form. These are encrypted at rest with a per-tenant AES key and are designed to be wiped from the database immediately after the assigned tester acknowledges receipt. Customers and their clients are responsible for the lawful basis under which they collect and submit such credentials.
Personal data within Customer Data, for example a client portal user's name and email, is processed by us solely on the customer's documented instructions, in accordance with the Data Processing Agreement that forms part of our Terms of Service.
To deliver the Platform we engage the following sub-processors. Each is bound by a written contract that imposes data protection obligations no less protective than ours and includes appropriate safeguards for international transfers where relevant. We will give reasonable advance notice of any new sub-processor through this page.
Supabase Pte. Ltd. (Singapore) — managed Postgres database hosting, authentication, file storage, and realtime services. Region selectable; default region for Pental's managed instance is the European Union (Frankfurt). For Enterprise BYO, the region is selected by the customer. Transfer mechanism: EU and UK Standard Contractual Clauses where applicable.
Vercel Inc. (United States) — application hosting and edge network for the Platform's web application and API routes. Transfer mechanism: EU and UK Standard Contractual Clauses, plus EU-US Data Privacy Framework certification.
Stripe, Inc. (United States) — payment processing for Subscription billing. We share only what is necessary to process your payment. Transfer mechanism: EU and UK Standard Contractual Clauses, plus EU-US Data Privacy Framework certification.
Resend (Resend Inc.) (United States) — transactional email delivery for Pental's own outbound emails. Customers configure their own SMTP provider for portal-originated emails; Resend is not used for those. Transfer mechanism: EU and UK Standard Contractual Clauses.
Google LLC (United States) — Google reCAPTCHA v3 for bot and abuse detection on login and contact forms only. Transfer mechanism: EU and UK Standard Contractual Clauses, plus EU-US Data Privacy Framework certification.
Pental is established in the United Kingdom. Some of our sub-processors process data outside the UK and the EEA. Where transfers occur to a country that does not benefit from a UK or EU adequacy decision, we rely on appropriate safeguards under Article 46 of UK GDPR and EU GDPR, principally the EU Standard Contractual Clauses (2021/914) for transfers from the EEA, and the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA) for transfers from the UK. In each case we have carried out a transfer impact assessment to determine that the level of protection in the destination country is essentially equivalent to that under UK and EU law, and we apply supplementary technical and organisational measures (encryption in transit and at rest, key management, access controls) where appropriate.
We retain personal data only for as long as necessary for the purposes for which it was collected, including any legal or regulatory retention requirement.
Account information — for the duration of your Subscription and 12 months thereafter, then deleted unless we are required to retain it for tax or legal reasons.
Customer Data — retained while the Subscription is active. On termination: 90 days read-only retention to allow export, then permanent deletion (or for Enterprise BYO, deletion of any caches or indices we hold; the customer's own database is unaffected).
Credentials Vault entries — encrypted blob is wiped immediately upon tester acknowledgement; redacted metadata (auth type, label, submitter, time) is retained until the assessment is closed.
Server and access logs — up to 90 days, then aggregated or deleted.
Authentication logs (logins, MFA events) — up to 12 months for security investigation purposes.
Email delivery logs — up to 30 days.
Contact form and support correspondence — up to 24 months.
Financial and tax records — 7 years (HMRC requirement for UK-registered businesses).
Marketing data — until you unsubscribe, then a suppression-only record indefinitely to honour your opt-out.
We implement appropriate technical and organisational measures to protect personal data, including: TLS 1.2+ encryption for data in transit on all endpoints; AES-256 encryption at rest for managed databases; per-tenant encryption keys for the Credentials Vault; multi-factor authentication on Pental staff accounts; principle of least privilege for internal access; row-level security policies on every database table; comprehensive audit logging; periodic security reviews; and a documented incident response procedure. No system is perfectly secure; we describe our security model honestly without overstating it.
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and where required will report to the relevant supervisory authority within 72 hours of becoming aware, in accordance with Article 33 of UK GDPR and EU GDPR.
Under UK GDPR, EU GDPR, and equivalent frameworks elsewhere, you have the following rights in relation to your personal data:
Right of access — to request a copy of the personal data we hold about you.
Right to rectification — to request correction of inaccurate or incomplete data.
Right to erasure (right to be forgotten) — to request deletion of your personal data, subject to overriding legal obligations.
Right to restriction — to ask that we limit processing in specific circumstances.
Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
Right to object — to processing that relies on legitimate interests, including for direct marketing purposes.
Rights related to automated decision-making — we do not make decisions about you based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, email hello@pental.io. We will respond within one month (extendable by two further months for complex requests, with notice). There is no charge for reasonable requests.
If your personal data sits within Customer Data uploaded by one of our customer firms (for example, if you are a client portal user of a penetration testing firm that uses Pental), you should normally direct your data subject request to that firm in the first instance, since they are the controller of that data. We will assist them in responding to you and, where necessary, will respond directly.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk (our lead supervisory authority) or to the supervisory authority in your country of residence.
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information (we do neither), and the right to limit use of sensitive personal information. Pental does not sell or share personal information for cross-context behavioural advertising. To exercise your CCPA rights, email hello@pental.io.
The Platform is a business product directed at organisations and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us and we will delete it.
We may update this Privacy Policy from time to time. Material changes will be notified to subscribed customers by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current revision. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
For privacy enquiries, sub-processor questions, data subject requests, or complaints, contact us at hello@pental.io.