Arra Privacy Policy

Effective Date: 13 January 2026

Arra Energy Ltd (“Arra”, “we”, “us”, “our”) respects your privacy and is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you access or use the Arra platform, website, and related services (together, the “Platform”). This Privacy Policy is provided for information purposes and is not contractual in nature. It does not override or limit your statutory rights.

1. Who We Are and Our Role

For the purposes of applicable data protection law:

  • Arra Energy Ltd is the data controller in respect of personal data relating to Platform accounts, user profiles, communications, analytics, security, and compliance.
  • Arra Energy Ltd also acts as a data controller for the specific purpose of developing and improving its proprietary AI models where explicit consent has been provided.
  • Arra Energy Ltd acts as a data processor in respect of personal data contained in documents or materials uploaded by users to data rooms or project areas, where such data is uploaded at the direction of, and for the purposes determined by, the uploading user.
  • Where required, Arra will enter into a separate Data Processing Agreement with business users.

2. Personal Data We Collect

We collect the following categories of personal data:

  • a) Account and Profile Information: Name, email address, telephone number, company name, role or job title, login credentials, and related account details.
  • b) Project and Data Room Content: Personal data contained within documents, files, or materials uploaded to the Platform by users or their representatives. Users are responsible for ensuring that any personal data uploaded is lawful, relevant, and limited to what is necessary. The Platform is not intended for the storage of special category data (such as health data, biometric data, or data revealing racial or ethnic origin), and users should not upload such data unless strictly necessary and lawful.
  • c) Usage and Technical Data: IP address, device identifiers, browser type, operating system, log data, timestamps, and information about interactions with the Platform.
  • d) Communications: Information contained in emails, messages, enquiries, or other communications with Arra.

3. How We Use Personal Data

We use personal data for the following purposes:

  • To provide, operate, maintain, and administer the Platform;
  • To manage user accounts and facilitate access to projects and data rooms;
  • To enable automated Due Diligence DD features, including document recognition and categorization;
  • To enable introductions and communications between users where initiated through the Platform;
  • To provide customer support and respond to enquiries;
  • To monitor usage, analyse performance, and improve Platform functionality;
  • To ensure security, prevent fraud, and protect the integrity of the Platform; and
  • To comply with legal, regulatory, and contractual obligations.

4. Lawful Bases for Processing

We process personal data on the following lawful bases, as applicable:

  • Performance of a contract: where processing is necessary to provide the Platform and related services to users;
  • Legitimate interests: where processing is necessary for operating, improving, securing, and administering the Platform, provided such interests are not overridden by users' rights;
  • Legal obligation: where processing is required to comply with applicable laws or regulatory requirements; and
  • Consent: where we seek explicit consent for specific processing activities, including AI training as described below. Where processing is based on legitimate interests, users have the right to object.

5. Use of Personal Data for AI Training

Arra uses artificial intelligence to streamline the due diligence process by automating the classification and analysis of project documents.

  • Arra does not use personal data for AI or machine‑learning training by default.
  • Where a user has explicitly opted in to the AI Training Consent Agreement, Arra may process limited categories of personal data for the purpose of training and improving its internal AI systems.
  • Lawful basis: Consent (Article 6(1)(a) UK GDPR).
  • Categories of data: Aggregated usage data, interaction data, and technical metadata, as well as the structure, headers, and content types found within uploaded materials.
  • Purpose: To train the AI to recognize specific document types, automatically organize data rooms, and identify missing documents or discrepancies.
  • AI training data is processed in a manner designed to prevent re‑identification of individuals and is not used to train publicly available or third‑party models.
  • Users may withdraw consent at any time via account settings. Withdrawal of consent does not affect processing already carried out prior to withdrawal, but no further personal data will be used for AI training following withdrawal.

6. Data Sharing and Disclosure

We may share personal data with the following categories of recipients:

  • Service providers and vendors who support Platform operations, hosting, analytics, security, and communications, acting under contractual confidentiality and data protection obligations;
  • Professional advisers, including legal, accounting, and audit advisers;
  • Regulatory authorities or law enforcement bodies where disclosure is required by law; and
  • Other users, where necessary to facilitate Platform functionality, such as user‑initiated introductions or controlled access to project information.

We do not sell personal data.

7. International Transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area, Arra ensures that appropriate safeguards are in place, including the use of UK International Data Transfer Agreements, Standard Contractual Clauses, or other lawful transfer mechanisms recognised under applicable data protection law.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including:

  • Account and profile data: for the duration of the user account and a limited period thereafter;
  • Communications: for as long as necessary to resolve enquiries or maintain records;
  • Usage and technical data: for analytics and security purposes, typically in aggregated or anonymised form; and
  • Legal and compliance data: for as long as required by applicable law.

Personal data is securely deleted or anonymised when no longer required.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. While we take reasonable steps to safeguard data, no system can guarantee absolute security.

10. Your Rights

Under applicable data protection law, you may have the right to access, request correction, or request erasure of your personal data. You may also restrict or object to processing, withdraw consent, or request data portability. You have the right to lodge a complaint with the Information Commissioner's Office (ICO). Requests will be responded to within one month, subject to identity verification. Requests may be submitted to hello@arra.energy.

11. Cookies and Tracking Technologies

Arra does not currently deploy non‑essential cookies on the Platform. Basic technical information is processed for security and functionality. If we introduce cookies in the future, we will update this Privacy Policy accordingly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or by email.

13. Contact Information

If you have questions about this Privacy Policy, please contact Arra Energy Ltd at hello@arra.energy or 85d Brondesbury Villas, London, NW6 6AG, United Kingdom.