Privacy Policy
Last updated: May 2026
Important notice
This Privacy Policy explains how Burrell Digital LTD ("Burrell Digital", "we", "us", "our") collects, uses, shares, retains and protects personal data in connection with the Context Guard service (the "Service"). It is written to satisfy the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018") and the Privacy and Electronic Communications Regulations 2003 ("PECR"), and applies to visitors to our website, account holders, billing contacts, prospects, support contacts, and individuals whose interactions are routed through the Service by our customers. Capitalised terms not defined here have the meaning given in our Terms of Service.
Context Guard is a hosted security proxy that inspects requests and responses passing between our customers' applications and large-language-model providers in order to detect and block prompt-injection attempts, sensitive-data exposure, jailbreak attempts and policy violations. This Policy explains the limited circumstances in which we process personal data contained in that traffic, the strict purposes for which we may use it, and the safeguards that constrain that processing. We process personal data lawfully, fairly and transparently, and we apply the data-minimisation principle: we collect and retain only what we need to deliver, secure and improve the Service.
1. Who We Are
Burrell Digital LTD is a private limited company registered in England & Wales. We are the controller for personal data we process about our customers, billing contacts, prospects, support contacts and visitors to our website. We act as processor for personal data contained within traffic our customers route through the Service for inspection (see section 3). For all privacy enquiries, including requests to exercise the rights described in section 12, contact us at legal@ctx-guard.com. We have not formally appointed a Data Protection Officer because our processing does not meet the thresholds set out in Article 37 UK GDPR; however, the address above is monitored by the team responsible for privacy matters and we will respond promptly.
2. Scope of this Policy
This Policy applies to:
- Visitors to our marketing website and dashboard at the domains we operate;
- Individuals who register for, trial or use the Service, whether on a paid or free plan;
- Billing contacts, technical contacts and authorised users named on a customer account;
- Prospects who contact us, sign up to a waitlist or correspond with our sales or support teams; and
- Individuals whose personal data is contained in traffic that a customer chooses to route through the Service.
This Policy does not cover the practices of third-party websites, applications or large-language-model providers that you or our customers may use alongside the Service. Their own privacy notices govern that processing.
3. Our Role: Controller and Processor
Our role under UK GDPR depends on the personal data in question:
- We act as controller for personal data relating to our direct relationship with you, including account registration data, billing details, support correspondence, marketing preferences, website analytics and the security and operational logs we generate to protect our infrastructure. We decide why and how that data is processed.
- We act as processor on behalf of our business customers (each a controller in its own right) for personal data contained within prompts, completions, tool calls, embeddings and other content routed through the proxy for inspection. We process that content only on the documented written instructions of the customer - principally to detect prompt injection, sensitive-data exposure, jailbreak attempts and policy violations, to apply the policies the customer has configured, and to return the results of that inspection to the customer.
If you are an end-user of an application that uses Context Guard and you wish to exercise rights over content processed in that capacity, you should contact the operator of that application in the first instance, as they are the controller and decide why and how that content is processed. We will support our customers in responding to such requests as required by our Data Processing Agreement, including by providing the information reasonably available to us.
4. Categories of Personal Data
The categories of personal data we process about you depend on how you interact with us:
- Identity and account data - name, work email address, organisation name, role, country, language preference, and the credentials used to authenticate (passwords are stored only as salted hashes).
- Billing data - billing address, VAT or tax identifier, invoice history and the limited card metadata returned to us by our payments processor (we do not store full card numbers or CVC codes).
- API and usage data - API keys (stored as hashes), request volume, endpoints invoked, response codes, latency, detector outcomes, error counts and source IP addresses associated with API calls.
- Proxy traffic content - prompts, completions, tool calls and related metadata routed through the Service for inspection. This may incidentally include personal data about end-users where customers route such content to us; the categories depend entirely on what each customer chooses to send.
- Support and communications data - the content of emails, tickets and other correspondence with us, together with the metadata of those communications.
- Technical and device data - browser type and version, operating system, referrer URL, approximate location derived from IP address, and information collected via cookies and similar technologies (see section 16).
- Marketing preferences - your subscription state and the consents you have given or withdrawn.
We do not intentionally collect special-category data (such as data revealing health, ethnicity, religion, sexual orientation, political opinions, philosophical beliefs, trade-union membership, or genetic or biometric data) or criminal-offence data. Customers should not route such data through the Service without first carrying out their own data-protection impact assessment and putting in place an appropriate Article 9 or Article 10 condition. We rely on the warranties customers give in their Data Processing Agreement in this regard.
5. Sources of Personal Data
We collect personal data from the following sources:
- Directly from you - when you create an account, configure the Service, contact our team, subscribe to communications or respond to a survey.
- Automatically through your use of the Service - operational, security and usage data generated by your interactions with our website, dashboard and API.
- From our customers - where you are an authorised user named on a customer account, or where personal data about you is contained in traffic the customer routes through the Service.
- From sub-processors and other service providers - for example, billing metadata returned to us by Stripe.
- From limited public sources - for example, business contact information published on a corporate website where you have indicated an interest in the Service.
6. Purposes and Lawful Bases
We process personal data only where we have a lawful basis under Article 6 UK GDPR (and, where applicable, an Article 9 or Article 10 condition). The bases on which we rely, mapped to the purposes for which we process personal data, are:
- Providing, operating and supporting the Service - performance of our contract with you, or steps taken at your request prior to entering a contract (Article 6(1)(b)).
- Processing payments, managing billing and recovering debts - performance of contract (Article 6(1)(b)) and compliance with tax and accounting obligations (Article 6(1)(c)).
- Securing our infrastructure, preventing abuse, detecting fraud, enforcing our acceptable-use policy and responding to incidents - our legitimate interests in operating a secure and reliable service for all users (Article 6(1)(f)). We have assessed that these interests are not overridden by your rights and freedoms, given the limited categories of data involved and the safeguards in place.
- Improving and developing the Service - our legitimate interests in understanding how the Service is used, in aggregate or pseudonymised form (Article 6(1)(f)). We do not use customer proxy content to train, fine-tune, benchmark or evaluate general-purpose AI models.
- Sending service, security and transactional notices - performance of contract (Article 6(1)(b)) and our legitimate interests in keeping you informed about material changes to the Service (Article 6(1)(f)).
- Sending marketing communications and setting non-essential cookies - your consent (Article 6(1)(a) and PECR), which you may withdraw at any time without affecting the lawfulness of prior processing.
- Complying with legal, regulatory or law-enforcement obligations and establishing, exercising or defending legal claims - compliance with a legal obligation (Article 6(1)(c)) and our legitimate interests in protecting our rights and the rights of others (Article 6(1)(f)).
A balancing assessment has been completed for each legitimate-interests basis above and is available on request. Where we act as processor for proxy traffic content, the lawful basis for that processing is determined by the customer as controller; we rely on the customer's instructions and contractual warranties.
7. What We Do Not Do
- We do not sell personal data, and we do not share it with third parties for their own marketing purposes.
- We do not use customer proxy content to train, fine-tune, benchmark or evaluate any general-purpose AI model, whether ours or a third party's.
- We do not make solely-automated decisions that produce legal or similarly significant effects on individuals (see section 14).
- We do not engage in cross-context behavioural advertising.
- We do not knowingly direct the Service at children (see section 17).
8. Sub-processors and Other Recipients
We engage a small number of sub-processors strictly to deliver the Service, each bound by a written data-processing agreement that imposes obligations consistent with Article 28 UK GDPR. We require each sub-processor to apply technical and organisational measures appropriate to the risk and to assist us in meeting our obligations to data subjects:
- Supabase - managed PostgreSQL database and authentication for account, configuration and operational data.
- Stripe - payment processing, billing, invoicing and tax-related calculations.
- Vercel - application hosting, edge delivery and the dashboard front-end.
In addition to our sub-processors, we may disclose personal data to professional advisers (such as lawyers, auditors and accountants) under duties of confidentiality, to a successor entity in connection with a merger, acquisition, reorganisation or insolvency event, and to courts, regulators or law-enforcement bodies where we are legally required or permitted to do so. Where we are compelled to disclose customer data by law, we will, where lawful and feasible, give the customer prior notice so that they can seek a protective order or other appropriate remedy.
We will give business customers at least thirty (30) days' prior notice of any material change to our list of sub-processors so that they have an opportunity to object as set out in our Data Processing Agreement.
9. International Transfers
We are based in the United Kingdom and prefer UK or EEA-region infrastructure where it is offered by our sub-processors. Some processing may nonetheless take place outside the UK - in particular, Stripe operates a global payments network, and Supabase and Vercel may use cloud infrastructure located in the United States or other regions. Where personal data is transferred outside the UK to a country that is not the subject of UK adequacy regulations, we rely on appropriate safeguards under Article 46 UK GDPR - namely the European Commission's Standard Contractual Clauses as supplemented by the UK International Data Transfer Addendum issued by the Information Commissioner, or the UK International Data Transfer Agreement - together with such supplementary measures (such as encryption in transit and at rest, role-based access controls and contractual commitments to challenge unlawful access requests) as we consider necessary in light of the circumstances of the transfer. A description of the safeguards used for a specific transfer is available on request from the address in section 21.
10. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy, after which we delete or irreversibly anonymise it. Where retention periods are required or permitted by law (for example, six years for UK accounting records), we apply those periods. Indicative retention periods are:
- Account and configuration data: for the duration of your account, and for up to 90 days after closure to allow for reactivation, dispute resolution and lawful recovery, after which the data is deleted or anonymised.
- Proxy traffic content: processed transiently for inspection and not retained by default. Where logging is enabled by the customer or required to deliver a feature (for example, a security event log), associated content is retained for up to 30 days unless the customer has agreed a different period in writing.
- Security and audit logs: retained for up to 12 months to support incident investigation, fraud prevention and legal compliance.
- Billing and tax records: retained for 6 years from the end of the relevant accounting period to meet UK statutory obligations under the Companies Act 2006 and applicable tax legislation.
- Marketing data: retained until you withdraw consent or after a defined period of inactivity, whichever is earlier; suppression records are kept indefinitely so that opt-outs are honoured.
- Support correspondence: retained for up to 3 years from the close of the relevant ticket.
- Records of processing, DPIAs and consents: retained for as long as necessary to demonstrate compliance with UK GDPR, and typically for at least the duration of the underlying processing plus the relevant limitation period.
When retention periods expire, data is either securely deleted or irreversibly anonymised so that it can no longer be associated with an identifiable individual. Backups are overwritten on a rolling basis and any residual copies in backups are protected by the same access controls as the live system until they are cycled out.
11. Security
We have implemented technical and organisational measures appropriate to the risk of the processing, including: encryption of data in transit using TLS 1.2 or above; encryption of data at rest in our managed databases and object storage; hashing of API keys and account passwords using modern algorithms; least-privilege role-based access controls and multi-factor authentication for administrators; logical isolation between customer tenants; centralised audit logging and continuous monitoring; vulnerability scanning and regular dependency patching; secure software-development practices including peer code review; data-minimisation by design (we collect and retain only what we need to deliver the Service); written incident-response procedures that are tested periodically; documented business-continuity arrangements; and confidentiality obligations on personnel and contractors. Despite these measures, no system can be guaranteed to be completely secure, and we cannot warrant absolute security. Customers remain responsible for the security of their own systems, credentials and integrations, and for the choices they make about what data to route through the Service.
12. Your Rights
Subject to the conditions and exemptions set out in UK GDPR and the DPA 2018, you have the following rights in respect of personal data we process about you as controller:
- Right of access - to be told whether we process your data and to receive a copy of it together with the supplementary information required by Article 15.
- Right to rectification - to have inaccurate or incomplete data corrected without undue delay.
- Right to erasure - to have your data deleted in defined circumstances (sometimes called the "right to be forgotten").
- Right to restrict processing - to limit how we use your data while a query or objection is resolved.
- Right to data portability - to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.
- Right to object - to processing based on legitimate interests (including profiling), and to direct-marketing processing at any time and without justification.
- Right to withdraw consent - where processing is based on consent, without affecting the lawfulness of processing carried out beforehand.
- Rights related to automated decision-making and profiling - see section 14.
- Right to lodge a complaint - see section 13.
Where you wish to exercise rights in respect of personal data we process as a processor on behalf of one of our customers, please contact that customer directly; we will assist them in responding as required by our Data Processing Agreement.
13. Exercising Your Rights and Complaints
To exercise any of the rights above, email legal@ctx-guard.com. We may need to verify your identity before responding, particularly for sensitive requests, and may ask for limited additional information to do so. We will respond within one month of receipt as required by Article 12(3) UK GDPR; where a request is complex or where you have made a number of requests, we may extend that period by up to a further two months and will tell you why within the original month. There is no fee for exercising your rights, although we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive, in which case we will explain why and tell you how to challenge that decision.
If you are unhappy with how we have handled your personal data, please raise the matter with us first so that we can try to resolve it. You also have the right at any time to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority responsible for enforcing UK data-protection law: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline 0303 123 1113; ico.org.uk. Lodging a complaint with the ICO does not affect any other legal remedy you may have, including the right to seek a judicial remedy.
14. Automated Processing and Profiling
The Service performs automated inspection of traffic routed through the proxy - for example, classifying a prompt as a likely injection attempt, scoring potential sensitive-data exposure, or matching content against rules configured by the customer. This is automated processing within the meaning of UK GDPR. It is performed under the control and instruction of our customers as part of their security pipeline; on its own, it does not produce legal effects concerning data subjects or otherwise significantly affect them within the meaning of Article 22(1) UK GDPR. We do not use solely-automated decision-making for marketing or to evaluate personal aspects of website visitors, prospects or applicants.
Where customers integrate detector outputs into decisions that have a legal or similarly significant effect on individuals, the customer is responsible for any required Article 22 safeguards, including informing affected individuals, providing meaningful information about the logic involved, and offering the rights to obtain human intervention, to express a point of view and to contest the decision.
15. Personal Data Breaches
We maintain documented incident-response procedures designed to identify, contain, investigate and remediate security incidents, including triage, forensic analysis, root-cause review and post-incident learnings. Where we detect a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected individuals without undue delay in clear and plain language as required by Article 34, providing the information specified in that Article and the steps we recommend they take to protect themselves. Where we act as processor for a customer, we will notify that customer without undue delay after becoming aware of a relevant breach, providing the information reasonably available to us so that the customer can meet its own notification obligations.
16. Cookies and Similar Technologies
We use a small number of cookies and similar technologies on our website and dashboard. Strictly necessary cookies are used for authentication, session management, load balancing and security (for example, CSRF protection); these do not require consent under PECR but are limited to what is necessary to deliver the service you have requested. Optional analytics or preference cookies, where used, are set only with your consent through our cookie banner. You can withdraw or change your consent at any time via the cookie controls on the site, and you can also block or delete cookies through your browser settings, although doing so may affect the functioning of certain features. Where any cookie causes a transfer of personal data outside the UK, the safeguards described in section 9 apply.
17. Children
The Service is intended for business and professional users aged 18 or over and is not directed at children. We do not knowingly collect personal data from children, and we do not provide the Service to anyone we know to be under 18. If you believe a child has provided us with personal data, please contact legal@ctx-guard.com and we will take appropriate steps to investigate and, where appropriate, delete it.
18. Data Processing Agreement
Where we process personal data on behalf of a business customer, our processing is governed by our standard Data Processing Agreement, which is incorporated into the Terms of Service and forms part of the contract between us. The Data Processing Agreement deals with, among other things, the subject-matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, our obligations as processor, sub-processor management, security measures, breach notification, international transfers, deletion or return of personal data on termination, and the assistance we provide to customers in meeting their obligations under UK GDPR. A counter-signed copy is available on request from legal@ctx-guard.com.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, in our processing or in applicable law. The "Last updated" date at the top of this page reflects the most recent revision. Where changes are material - for example, the introduction of a new purpose, lawful basis or sub-processor - we will give you reasonable advance notice by email or via a prominent notice on the Service before the change takes effect. Where required by law, we will obtain your fresh consent. Continued use of the Service after the effective date constitutes acceptance of the updated Policy to the extent permitted by applicable law.
20. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of England & Wales, and any disputes arising from or in connection with it are subject to the exclusive jurisdiction of the courts of England & Wales, save that nothing in this Policy limits your statutory rights as a data subject under UK GDPR or your right to complain to the ICO or to seek a judicial remedy in another competent forum where permitted by law.
21. Contact
For privacy enquiries, including requests under section 12, contact legal@ctx-guard.com. For all other enquiries, please see our Terms of Service or our Data Processing Agreement.