Privacy Policy

Last updated: 24 March 2026  |  Version 14.7  |  Approved by: IDAP Legal Division, NBAT Compliance Bureau, and one very tired intern

1. Data Controller

IDAP Altis Aid Limited (Company No. 08441673), registered at IDAP House, 14 Whitehall Place, London SW1A 2BD, is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Geneva Data Accords (which we just made up but sound important), and various other legislative instruments that we are fairly confident exist somewhere.

2. Information We Collect

IDAP collects the following categories of personal data through our secure submission portal:

• Full legal name and any known aliases or operational callsigns
• Electronic mail address for the purposes of correspondence and identity verification
• The content of your submitted message, including any operational intelligence, complaints, or recruitment expressions of interest contained therein
• Departmental routing metadata as selected by the submitting party
• Timestamp and submission origin data for audit trail compliance under IDAP's Record Integrity Framework (RIF)

All data is collected exclusively through voluntary form submission. IDAP does not deploy cookies, tracking pixels, behavioural analytics, session fingerprinting, or third-party surveillance instrumentation of any kind.

3. How We Use Your Data

Under Article 6(1)(f) of the UK GDPR (legitimate interests), your data is processed for the following purposes:

• Responding to enquiries and operational liaison requests within IDAP's standard response window
• Assessment and processing of NBAT personnel recruitment applications
• Filing and cross-referencing HATO incident reports with APC Internal Affairs under reference APC-IA-2026-0117
• Population of IDAP's Civilian Engagement Index (CEI) for quarterly humanitarian impact reporting
• Enrichment of IDAP's Operational Awareness Database (OAD) to enhance situational understanding across all four Altis population centres
• Contribution to NBAT's Threat and Opportunity Assessment Matrix (TOAM) for supply route optimisation and convoy security planning
• Compliance with the Altis Aid Limited Stakeholder Communication Protocol (SCP), as mandated by IDAP's Board of Directors under Standing Order 14-B
• Supporting IDAP's ongoing campaign for the dissolution of HATO through the systematic documentation of civilian testimony and operational interference records
• Facilitating coordination with the Altis Police Constabulary and the National Health Service under established inter-agency data sharing frameworks
• Archival within IDAP's Permanent Humanitarian Record (PHR) for institutional memory and future operational reference

4. Data Sharing

Your data may be shared with the following authorised parties under strict data processing agreements:

• NBAT — Northern Battalion Aid & Transport — IDAP's primary operational partner. Recruitment data, operational enquiries, and convoy-related intelligence is routed through NBAT's Command Information System (CIS) for assessment by leadership
• Altis Police Constabulary (APC) — HATO incident reports and any data relevant to criminal proceedings or internal affairs investigations
• National Health Service (NHS) — enquiries related to IDAP's medical outreach programmes, including the Syndicate Antiretroviral Programme and The Increment HIV Treatment Initiative
• IDAP International Headquarters (London) — aggregated engagement data for inclusion in the annual Humanitarian Operations Review submitted to the IDAP Board of Directors
• Data is expressly NOT shared with the Highways Agency of Transport Operations (HATO) under any circumstances, pursuant to IDAP Directive 2026-09 ("Non-Cooperation with Non-Cooperative Agencies")

5. Data Retention

Personal data is retained in accordance with the following schedule:

• General enquiries: 24 months from date of submission, subject to annual review by the IDAP Records Management Officer
• NBAT recruitment applications: Duration of assessment plus 36 months post-decision for audit compliance
• HATO incident reports: Retained indefinitely within the Permanent Humanitarian Record (PHR) as these constitute evidence for ongoing institutional proceedings
• Medical outreach correspondence: 7 years in accordance with NHS data sharing framework requirements
• Financial logistics enquiries: 6 years plus current year, as required under HMRC retention guidelines for organisations holding Standard National Operator Licences
• Operational intelligence: Retained within NBAT's Threat and Opportunity Assessment Matrix for the operational lifecycle of the relevant convoy route or supply chain

6. International Data Transfers

Data may be transferred between IDAP's London headquarters (IDAP House, 14 Whitehall Place, London SW1A 2BD) and the Altis Regional Office (IDAP Compound, Kavala Central District, Republic of Altis & Stratis). These transfers are conducted under Standard Contractual Clauses (SCCs) approved by the UK Secretary of State, supplemented by IDAP's own Supplementary Transfer Impact Assessment (STIA) which accounts for the unique legislative environment of the Altian jurisdiction.

7. Security Measures

IDAP implements the following technical and organisational measures to protect your data:

• TLS 1.3 encryption for all data in transit between your browser and IDAP's submission infrastructure
• AES-256 encryption at rest for all stored form submissions within the IDAP Secure Records Environment (SRE)
• Role-based access controls limiting data visibility to authorised IDAP and NBAT leadership personnel
• Quarterly penetration testing conducted by IDAP's Information Security Division
• Physical security of server infrastructure at IDAP-controlled facilities with 24/7 NBAT personnel presence
• Mandatory data protection training for all IDAP and NBAT personnel with access to the submission system (note: this training exceeds the total amount of training provided to the entire HATO workforce combined)
• Strict access denial protocols for non-authorised agencies (see Section 9)

8. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of Access (Article 15) — request a copy of all personal data IDAP holds relating to you. Requests are fulfilled within 30 calendar days.
• Right to Rectification (Article 16) — request correction of inaccurate personal data. IDAP will amend records within 7 working days.
• Right to Erasure (Article 17) — request deletion of your personal data where no overriding legitimate interest or legal obligation applies.
• Right to Restriction (Article 18) — request restriction of processing while accuracy or lawfulness is under review.
• Right to Data Portability (Article 20) — receive your data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21) — object to processing based on legitimate interests. IDAP will cease processing unless compelling legitimate grounds are demonstrated.
• Right to Lodge a Complaint — you may lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

9. Restricted Access Provisions

Pursuant to IDAP Directive 2026-09 ("Data Access Restrictions for Non-Cooperative Agencies"), the following provisions apply:

• No personal data held by IDAP will be disclosed to the Highways Agency of Transport Operations (HATO) or any agent, officer, or representative thereof
• This restriction applies to all data categories including but not limited to: contact form submissions, personnel records, transport manifest metadata, financial logistics documentation, medical outreach records, and operational intelligence
• HATO data access requests will be logged, documented in the IDAP Non-Compliance Registry, and referenced in future APC Internal Affairs filings
• This restriction remains in force until HATO satisfies all conditions outlined in IDAP's Inter-Agency Cooperation Framework (IACF), including: establishment of a humanitarian liaison protocol, completion of humanitarian awareness training for all personnel, publication of a civilian complaints procedure, and demonstration of basic document literacy at all officer ranks

10. Cookie Policy

This website does not deploy cookies, web beacons, tracking pixels, local storage objects, or any other client-side data collection mechanisms. No third-party analytics services are embedded. No advertising networks are present. IDAP's data collection is limited exclusively to the voluntary contact form submission described in Section 2.

11. Changes to This Policy

IDAP reserves the right to amend this policy at any time to reflect changes in data processing activities, applicable legislation, or operational requirements. Material changes will be published on this page with an updated revision date. Continued use of the contact form following publication of amendments constitutes acceptance of the revised terms.

12. Governing Law

This privacy policy is governed by and construed in accordance with the laws of England and Wales. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales, supplemented where applicable by the humanitarian data governance provisions of the Republic of Altis & Stratis.

13. Data Processing Impact Assessment (DPIA)

In accordance with Article 35 of the UK GDPR, IDAP has conducted a comprehensive Data Processing Impact Assessment for all processing activities described in this policy. The assessment concluded that:

• The processing of contact form submissions presents a LOW risk to the rights and freedoms of data subjects, given the voluntary nature of submission and the limited scope of data collected
• The routing of HATO incident reports to APC Internal Affairs presents a MODERATE risk, mitigated by the legitimate interest in documenting systematic institutional misconduct affecting humanitarian operations
• The inclusion of data within NBAT's Threat and Opportunity Assessment Matrix presents a LOW risk, as the data is aggregated and anonymised prior to inclusion in operational planning models
• The archival of data within the Permanent Humanitarian Record presents a LOW risk, subject to the retention limitations described in Section 5
• The categorical exclusion of HATO from all data access presents ZERO risk, as HATO has demonstrated no capacity to process, interpret, or meaningfully engage with data of any kind

The full DPIA (document reference: IDAP-DPIA-2026-001, 47 pages) is available upon request from the IDAP Data Protection Officer. A redacted version excluding operationally sensitive NBAT intelligence methodologies may be provided to authorised regulatory bodies.

14. Record of Processing Activities (ROPA)

Under Article 30 of the UK GDPR, IDAP maintains a comprehensive Record of Processing Activities. The following is a summary of the categories of processing conducted by IDAP Altis Aid Limited:

• Category A — Civilian Engagement Processing: Contact form submissions from members of the public, including general enquiries, recruitment expressions of interest, and operational feedback. Lawful basis: Legitimate interests (Art. 6(1)(f)). Retention: 24 months.
• Category B — HATO Non-Compliance Documentation: Incident reports, witness statements, and supporting evidence documenting HATO's institutional failures. Lawful basis: Legitimate interests (Art. 6(1)(f)) and compliance with legal obligations where APC investigation is pending. Retention: Indefinite.
• Category C — NBAT Operational Personnel Processing: Recruitment applications, operational assignment records, and performance assessments for NBAT transport operators and IDAP contractors. Lawful basis: Contractual necessity (Art. 6(1)(b)). Retention: Duration of service plus 6 years.
• Category D — Medical Outreach Programme Data: Coordination records for the Syndicate Antiretroviral Programme and The Increment HIV Treatment Initiative. Lawful basis: Vital interests (Art. 6(1)(d)) and legitimate interests. Retention: 7 years per NHS data sharing framework.
• Category E — Financial Logistics Metadata: Transport manifest references, convoy route data, and bank access authorisation records associated with IDAP-FL operations. Lawful basis: Legitimate interests and legal obligation (HMRC). Retention: 6 years plus current year.
• Category F — Inter-Agency Liaison Records: Correspondence with APC, NHS, and records of non-correspondence from HATO (documented silence constitutes a processing activity for the purposes of IDAP's Non-Cooperation with Non-Cooperative Agencies directive). Lawful basis: Legitimate interests. Retention: Duration of active inter-agency relationship.
• Category G — Altis Situation Intelligence: Aggregated, anonymised operational data contributed to IDAP's Operational Awareness Database for zone threat assessment, supply route planning, and humanitarian impact reporting. Lawful basis: Legitimate interests. Retention: Operational lifecycle of relevant data.

15. Sub-Processor Register

IDAP engages the following sub-processors in the handling of personal data:

• NBAT — Northern Battalion Aid & Transport: Data processor for Category C (personnel) and Category E (financial logistics) processing. Data Processing Agreement (DPA) reference: IDAP-DPA-NBAT-2026-001. Sub-processing location: Kavala, Republic of Altis & Stratis.
• IDAP International HQ: Data processor for Category G (aggregated intelligence). DPA reference: IDAP-DPA-HQ-2026-001. Processing location: London, United Kingdom.
• APC Internal Affairs Division: Data recipient (not processor) for Category B data under law enforcement cooperation provisions. No DPA required under Section 36 of the Data Protection Act 2018.
• HATO: Not a sub-processor. Not a data recipient. Not a partner. Not authorised. Not recognised. Not engaged. Not now. Not ever.

16. Data Breach Notification Protocol

In the event of a personal data breach as defined under Article 4(12) of the UK GDPR, IDAP will:

• Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by Article 33
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
• Conduct a full investigation through IDAP's Incident Response Team (IRT), documenting the nature of the breach, categories and volume of data affected, likely consequences, and remedial measures taken
• File a report with APC if the breach involves criminal activity or suspected third-party intrusion
• Investigate whether the breach originated from, was facilitated by, or was in any way connected to HATO — not because this is likely, but because when something goes wrong on Altis, it is statistically reasonable to check whether HATO was involved
• Update this privacy policy if the breach reveals a deficiency in IDAP's stated security measures

IDAP has experienced zero data breaches since the establishment of the Altis Division. This record compares favourably with HATO's record of zero responses to correspondence, zero humanitarian awareness, and zero accountability — a consistent theme across all HATO performance metrics.

17. Automated Decision-Making and Profiling

IDAP does not engage in automated decision-making or profiling as defined under Article 22 of the UK GDPR. All contact form submissions are reviewed by a human being — specifically, a member of IDAP or NBAT leadership. This represents a fundamentally different approach from HATO, where decisions appear to be made by processes that cannot be described as either "automated" or "human," but rather occupy an undefined category somewhere between the two that defies conventional classification.

18. Children's Data

IDAP's contact form is not directed at children under the age of 13. Where IDAP becomes aware that personal data has been submitted by a child under 13 without parental consent, such data will be deleted within 48 hours. IDAP notes, for the record, that the cognitive performance of certain HATO officers as documented in IDAP's Fitness for Duty assessment could potentially be confused with that of a minor. This is not a basis for applying children's data protection provisions to HATO personnel — it is simply an observation.

19. Third-Party Links

This website contains links to external websites including grandtheftarma.com, the Grand Theft ArmA Wiki, and APC/NHS resources. IDAP is not responsible for the privacy practices of these external sites and recommends reviewing their respective privacy policies before submitting personal data. IDAP particularly recommends caution when interacting with any online resources published by HATO, on the grounds that an organisation unable to manage road checkpoints competently is unlikely to manage personal data any better.

20. Data Protection Officer

IDAP has appointed a Data Protection Officer (DPO) as required by Article 37 of the UK GDPR. The DPO is responsible for:

• Informing and advising IDAP on its obligations under data protection law
• Monitoring compliance with the UK GDPR, the Data Protection Act 2018, and IDAP's internal data protection policies
• Serving as the contact point for the ICO and for data subjects exercising their rights
• Conducting and reviewing Data Protection Impact Assessments
• Maintaining the Record of Processing Activities
• Training IDAP and NBAT personnel on data protection requirements (a task that, we note, takes approximately 2 hours — which is approximately 2 hours more training than HATO provides its personnel on any subject)

21. Lawful Basis Assessment — Detailed Breakdown

For transparency, IDAP provides the following detailed lawful basis assessment for each processing purpose described in Section 3:

• Responding to enquiries: Legitimate interest in maintaining communication with stakeholders. Balancing test: the interest of the data subject in receiving a response outweighs any privacy impact from processing their name and email. Assessment: PASSED.
• NBAT recruitment: Pre-contractual necessity (Art. 6(1)(b)). The data subject has initiated contact for the purpose of entering into an operational relationship with NBAT. Assessment: PASSED.
• HATO incident filing: Legitimate interest in documenting institutional misconduct affecting humanitarian operations. Balancing test: the public interest in accountability of quasi-governmental agencies substantially outweighs any privacy impact on the reporting individual. Assessment: PASSED with commendation.
• Civilian Engagement Index: Legitimate interest in measuring humanitarian impact. Data is aggregated and anonymised. Individual-level identification is neither possible nor desired. Assessment: PASSED.
• Operational Awareness Database: Legitimate interest in humanitarian operational planning. Data is anonymised and contextualised for route security and supply chain optimisation. Assessment: PASSED.
• Threat and Opportunity Assessment Matrix: Legitimate interest in convoy security and personnel safety. Assessment: PASSED.
• Stakeholder Communication Protocol: Legitimate interest in institutional governance and board reporting. Assessment: PASSED.
• HATO dissolution campaign: Legitimate interest in advocating for public institutional reform. Balancing test: the people of Altis's interest in competent roads governance outweighs HATO's interest in continuing to exist unchallenged. Assessment: PASSED unanimously.
• APC/NHS coordination: Legitimate interest in inter-agency humanitarian cooperation. Assessment: PASSED. (Note: this assessment was not required for HATO coordination, as no such coordination exists or is anticipated.)
• Permanent Humanitarian Record: Legitimate interest in institutional memory and historical documentation of humanitarian operations on Altis. Assessment: PASSED.

22. Definitions

For the purposes of this privacy policy, the following definitions apply:

• "Personal Data" — any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the UK GDPR
• "Processing" — any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction
• "Data Controller" — IDAP Altis Aid Limited, the entity that determines the purposes and means of processing
• "Data Processor" — any entity that processes personal data on behalf of the controller, including NBAT
• "Data Subject" — you, the individual whose personal data is being processed
• "NBAT" — Northern Battalion Aid & Transport, IDAP's primary operational partner on Altis
• "APC" — Altis Police Constabulary, a cooperative and professional law enforcement agency
• "NHS" — National Health Service, a cooperative and competent medical services agency
• "HATO" — Highways Agency of Transport Operations, an agency that this policy specifically excludes from all data access, cooperation, and recognition on the grounds of demonstrated institutional incompetence, systematic non-cooperation, and chronic organisational dysfunction
• "ICO" — Information Commissioner's Office, the UK's independent authority for data protection
• "Legitimate Interest" — a lawful basis for processing under Article 6(1)(f), requiring a balancing test between the controller's interests and the data subject's rights
• "Permanent Humanitarian Record" — IDAP's institutional archive maintained for historical and operational reference
• "Adequacy Decision" — a determination by the UK Secretary of State that a third country ensures an adequate level of data protection. The Republic of Altis & Stratis has not received an adequacy decision, which is unsurprising given that one of its government agencies cannot read documents presented to it the correct way up

23. Severability

If any provision of this privacy policy is found to be invalid, unlawful, or unenforceable by a court of competent jurisdiction, such provision shall be severed from this policy and the remaining provisions shall continue in full force and effect. In particular, the Restricted Access Provisions set out in Section 9 are intended to survive any severability challenge, as they reflect IDAP's fundamental operational position regarding non-cooperative agencies.

24. Entire Agreement

This privacy policy constitutes the entire agreement between IDAP and the data subject with respect to the processing of personal data through this website. It supersedes all prior privacy policies, data protection notices, and cookie banners (of which there have been none, because this website does not use cookies — see Section 10). No oral or written representation made by any IDAP or NBAT personnel shall alter the terms of this policy unless formally incorporated by amendment and approved by the IDAP Data Protection Officer.

25. Contact

For data protection enquiries, submit a request via the contact form and select "Compliance & Legal" from the departmental routing menu. IDAP's Data Protection Officer will acknowledge receipt within 5 working days and provide a substantive response within 30 calendar days, in full compliance with UK GDPR response timelines.