Argus Parliamentary Intelligence Platform
Home/Legal/Privacy
07 · Legal · Privacy

Privacy Policy.

Last updated · 2026-04-26

This policy explains how ARGUS HOLDINGS — KLL1 LTD, trading as KL Leung Holdings ("the Company", "we", "us"), processes personal data in connection with arguswatch.org and the Argus parliamentary intelligence platform.

01Scope & data controller

This Privacy Policy applies to all data processed through arguswatch.org and the Argus platform — including its APIs, dashboards, briefings, and associated services (collectively, the "Platform").

We are a UK Ministry of Defence (MoD) JAGGAER One Registered Supplier. Our data-handling practices reflect the standards expected of organisations operating within government and defence supply chains.

KLL1 LTD acts as the Data Controller for website visitor information and account data, and as a Data Processor for Customer Data uploaded to or generated within the Platform on behalf of subscribing organisations.

Registered Office: England & Wales. Company registration details are available on request via kaluleui@klleungholdings.com.

02Legal basis & compliance framework

We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our lawful bases for processing are:

  • Contract performance — processing necessary to deliver the Platform under your subscription agreement.
  • Legitimate interests — Platform security, fraud prevention, service improvement, and maintaining immutable audit trails for forensic accountability.
  • Legal obligation — compliance with applicable UK law, regulatory requirements, and government contractual obligations.
  • Consent — where required for specific activities (for example, marketing communications). You may withdraw consent at any time.

Where we act as a Data Processor for Customer Data, the subscribing organisation remains the Data Controller and is responsible for ensuring a valid lawful basis for the personal data it submits to the Platform.

03Information we collect

Account & organisation data. Business name, business email, user roles, billing information, and authentication credentials for authorised users within your organisation.

Customer Data (Argus). Search queries, monitored jurisdictions, alert configurations, watchlists, and analytical parameters. Argus processes publicly available parliamentary records, committee transcripts, regulatory filings, OJEU notices, and open-source intelligence. It does not collect or store private communications.

Public-site visitor data. When you browse arguswatch.org we collect anonymised request metadata via our CDN (CloudFront) — IP address, user-agent, referrer, requested path. This is used solely for security and operational diagnostics and is not joined to any account record.

Cookies & local storage. The public site uses no advertising or analytics cookies. We use a single browser localStorage entry to remember your light/dark theme and language preference. No personal data is transmitted to us by these mechanisms.

Usage & telemetry (Platform). Anonymised platform usage metrics, API call logs, error reports, and performance telemetry. This data is aggregated and cannot identify individual users or reconstruct Customer Data.

04Authentication

The Platform supports passwordless authentication via WebAuthn, including biometric methods such as Face ID and Touch ID. Specifically:

  • Your biometric data (fingerprint, facial geometry) never leaves your device. It is processed entirely within your device's secure enclave or trusted platform module.
  • We receive and store only a cryptographic public key generated by your device during registration. This key cannot be used to reconstruct your biometric data.
  • Authentication works by your device signing a challenge with its private key (unlocked locally by your biometric). We verify the signature against the stored public key.

This architecture means that even in the event of a server-side breach, your biometric data remains uncompromised because it was never transmitted to us in the first place.

05Immutable audit logging

For security, regulatory compliance, and forensic accountability, all user actions within the Platform are permanently recorded in an immutable audit trail. This includes:

  • IP addresses and device metadata (browser, OS, screen resolution).
  • Timestamps of every login, logout, and session refresh.
  • All read, write, update, and delete actions performed on Platform data.
  • API calls, query parameters, and response metadata.
  • Authentication events — successful logins, failed attempts, credential changes.

These logs are append-only and tamper-proof. They cannot be modified or deleted by any user, including Company administrators. This is a deliberate design decision to ensure a forensically sound chain of evidence.

Audit logs are retained for the duration of your subscription plus twenty-four (24) months, or longer where required by law or government contract obligations.

06How we use Customer Data

Customer Data is processed exclusively to deliver the Platform services contracted under your subscription. Specifically, Argus processes search queries against public parliamentary, regulatory, and open-source databases to generate intelligence reports, risk assessments, forecasts, and alerts.

We do not use Customer Data to train general-purpose AI models, sell to third parties, serve advertising, or for any purpose outside the scope of delivering your contracted services. Full stop.

07Third-party sub-processors

We use enterprise-grade AI APIs and cloud infrastructure as sub-processors. Customer Data sent to these services is not used to train their public models.

Anthropic — Claude API. Advanced reasoning, report synthesis, and multi-source intelligence correlation. Processed via Anthropic's commercial API under their enterprise usage policy.

Google Cloud — Gemini API. Natural language processing, document analysis, and structured data extraction. Processed via Google Cloud's enterprise API tier under our Data Processing Agreement.

Perplexity API. Real-time information retrieval and source verification for intelligence validation. Processed via Perplexity's enterprise API under commercial terms.

Amazon Web Services. Hosting, content delivery (CloudFront), object storage (S3), certificate management (ACM), and DNS (Route 53), all operated under the AWS Customer Agreement and Data Processing Addendum. The public site is served from AWS regions in us-east-1 with edge caching across CloudFront's global network.

We maintain Data Processing Agreements (DPAs) with all sub-processors and conduct periodic compliance reviews. We will not engage additional sub-processors that materially change how Customer Data is processed without providing advance notice to active subscribers.

08Data security

We implement security measures appropriate for government and defence data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls with mandatory multi-factor authentication.
  • Strict tenant isolation ensuring complete data segregation between customer organisations.
  • Short-lived, OIDC-federated credentials for deploys — no long-lived static keys.
  • JWT-based session management with immutable token audit trails.
  • Regular security audits, dependency scanning, and vulnerability assessments.

No system is infallible. In the event of a data breach that may compromise Customer Data, we will notify affected customers promptly and no later than seventy-two (72) hours after becoming aware of the breach, in accordance with UK GDPR requirements.

09Data retention & deletion

Customer Data is retained for the duration of your active subscription plus a thirty (30) day grace period following termination. After this period:

  • Customer Data is permanently deleted from primary systems within sixty (60) days.
  • Encrypted backups are purged within ninety (90) days.
  • Immutable audit logs are retained for twenty-four (24) months post-termination, or longer where required by law.

You may request a complete data export in standard formats (JSON, CSV) at any time during your active subscription. We will fulfil export requests within ten (10) business days.

10Your rights under UK GDPR

Under the UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data (subject to legal retention obligations).
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at kaluleui@klleungholdings.com. We will respond to verified requests within thirty (30) days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

11Changes to this policy

We may update this Privacy Policy to reflect changes in our data practices or applicable law. For material changes, we will provide at least thirty (30) days' written notice to active subscribers via email or in-platform notification. The "Last updated" date at the top of this page will always reflect the most recent revision.