# Privacy & Cookie Policy

**Last Updated:** June 2026

This Privacy Policy outlines how PrivacyGuard AI Ltd collects, processes, and protects personal data in strict compliance with the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

## 1. Identity of the Data Controller
For the purposes of account administration and platform analytics, the Data Controller is:
*   **PrivacyGuard AI Ltd**
*   Information Commissioner's Office (ICO) Data Protection Registration Number: [Pending/Insert Number]
*   Contact: compliance@privacyguard.ai

## 2. Data Processing Framework & Lawful Basis
We process different categories of data under specific lawful bases as per Article 6 of the UK GDPR:
*   **Account & Billing Metadata** (names, business emails, payment details): Processed under *Performance of a Contract* to provide you with the SaaS platform and manage your subscription.
*   **Operational Logs & Security Data** (IP addresses, browser types, timestamp logs): Processed under *Legitimate Interests* to ensure network security, prevent fraud, and monitor platform stability.
*   **Client Application Payloads:** Text data inputted for AI analysis is processed strictly on behalf of the Client. For this data, the Client is the Data Controller, and we act solely as the Data Processor. Please refer to our Data Processing Addendum (DPA) for detailed terms.

## 3. Data Localization & Sovereignty
We are committed to absolute data sovereignty. All persistent backend infrastructure, relational databases, and diagnostic logging clusters are physically hosted within United Kingdom data centres (AWS London Region `eu-west-2`). No persistent personal data is transferred outside the UK without explicit legal safeguards.

## 4. Local-First Processing & PII Masking
Our platform employs a Local-First architecture designed to minimise data exposure. Personally Identifiable Information (PII) inputted into our system is identified and masked locally in the user's browser environment using advanced NLP techniques before any payload is transmitted to downstream inference APIs. This ensures that raw PII never touches external LLM servers.

## 5. Cookie Policy
We use essential cookies necessary for the operation of the Platform (e.g., authentication tokens, session management). Because these are strictly necessary, they do not require consent under the Privacy and Electronic Communications Regulations (PECR). We do not use third-party tracking or advertising cookies on the core platform interface.

## 6. Your Rights Under UK GDPR
You have the right to access, rectify, erase, restrict, or object to the processing of your personal data. To exercise these rights, please contact our Data Protection Officer at compliance@privacyguard.ai. You also maintain the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
