Context Guard

Privacy Policy

Last updated: May 2026

1. Data Controller

Burrell Digital LTD ("we", "us", "our") is the data controller for personal data processed in connection with Context Guard ("the Service"). Burrell Digital LTD is a company registered in England & Wales. For privacy enquiries, contact our Data Protection Officer at dpo@ctx-guard.com.

2. Data We Collect

  • Account data: email address, company name, billing details.
  • Usage data: API request volume, endpoints used, timestamps, IP addresses.
  • Proxy traffic: prompts and completions routed through our proxy, processed transiently for threat detection (prompt injection, PII, policy violations).
  • Technical data: browser type, device information, cookies (see Section 9).

3. Why We Process Your Data

  • Service delivery: to operate the Service, provision accounts, and enforce policy rules you configure.
  • Security analysis: to detect prompt injection, data exfiltration, jailbreak attempts, and other LLM-targeted threats.
  • Billing: to process payments and issue invoices for paid subscriptions.
  • Communication: to send service announcements and respond to support requests.

4. Legal Basis for Processing

We rely on the following lawful bases under UK GDPR:

  • Contract performance (Article 6(1)(b)) — to provide the Service you have signed up for.
  • Legitimate interest (Article 6(1)(f)) — to secure our infrastructure and detect threats targeting our customers.
  • Consent (Article 6(1)(a)) — for marketing communications and non-essential cookies.
  • Legal obligation (Article 6(1)(c)) — where required by tax, accounting, or law-enforcement obligations.

5. Data Sharing & Sub-processors

We do not sell your personal data. We share data only with the following processors strictly to operate the Service:

  • Supabase — managed Postgres and authentication.
  • Stripe — payment processing and billing.
  • Vercel — application hosting and edge delivery.

Each sub-processor is bound by a data processing agreement and appropriate technical and organisational measures.

6. Data Retention

  • Account data: retained for the duration of your active account plus 90 days after deletion.
  • Security logs: retained for 12 months for incident analysis and compliance.
  • Billing records: retained for 6 years to meet UK accounting requirements.

7. International Data Transfers

Some sub-processors are based outside the UK. Supabase operates on AWS infrastructure and Stripe processes globally. Where data is transferred outside the UK, transfers are protected by an adequacy decision (e.g. UK–EU adequacy) or by Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum.

8. Your Rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Request rectification of inaccurate or incomplete data.
  • Request erasure of your data ("right to be forgotten").
  • Receive your data in a portable format.
  • Object to processing based on legitimate interest.
  • Restrict processing in certain circumstances.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email dpo@ctx-guard.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk.

9. Cookies

We use essential cookies required for authentication and session management, and — with your consent — analytics cookies to understand how the Service is used. You can manage cookie preferences via the consent banner. Withdrawing consent will not affect access to essential functions.

10. Automated Decision-Making

The Service performs automated threat detection on traffic routed through the proxy (e.g. classifying a prompt as a likely injection attempt). This is automated processing, but it does not produce legal or similarly significant effects on data subjects. We do not perform profiling for marketing purposes.

11. Data Processing Agreement

For B2B customers acting as data controllers, a Data Processing Agreement (DPA) is available. See our DPA page or request a counter-signed copy from dpo@ctx-guard.com.

12. Security

We implement appropriate technical and organisational measures including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, audit logging, and continuous monitoring. Despite these measures, no system is fully secure; we will notify affected users without undue delay if a breach is likely to result in a risk to their rights and freedoms.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

14. Governing Law

This Privacy Policy is governed by the laws of England & Wales. The ICO is our supervisory authority.

15. Contact

For privacy enquiries, contact dpo@ctx-guard.com. For all other matters, see our Terms of Service.

TermsPrivacyDPA
© 2026 Burrell Digital LTD. All rights reserved.