1. Introduction and Scope
Welcome to the Privacy Policy of Metatext AI LLC ("Metatext AI," "Company," "we," "us," or "our"), a Delaware (USA) limited liability company and the entity behind Guardion.AI — an AI security and observability platform for generative AI systems.
This Privacy Policy describes how we collect, use, store, share, and protect personal data when you access or use our website at guardion.ai, our platform at console.guardion.ai, and any related services, APIs, or tools (collectively, the "Platform").
This Policy applies to:
- Visitors to our website;
- Users of the Guardion.AI Platform;
- Representatives of our Customers (organizations that contract with us);
- Any individual whose personal data is processed through the Platform in the course of AI interactions monitored by our Customers.
We are committed to compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU), the Lei Geral de Proteção de Dados (LGPD) (Brazil), and the California Consumer Privacy Act (CCPA) (California, USA).
Where Guardion.AI processes personal data on behalf of a Customer (i.e., the organization using our Platform to monitor its own AI systems), we act as a data processor (GDPR/LGPD) or service provider (CCPA). In such cases, our Customer is the data controller and determines the purposes and means of processing. This Policy primarily addresses our practices as a data controller for data we collect directly (e.g., account information, website usage). Our processing activities as a data processor are governed by our Data Processing Agreement (DPA) with each Customer.
2. Definitions
For purposes of this Privacy Policy:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1), LGPD Art. 5(I), and CCPA Section 1798.140(v). |
| Processing | Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction. |
| Customer | An organization or entity that contracts with Metatext AI to use the Guardion.AI Platform. |
| User | An individual who accesses or uses the Platform, whether as a representative of a Customer or otherwise. |
| End User | An individual who interacts with a Customer's AI system that is monitored or secured by the Guardion.AI Platform. |
| Platform | The Guardion.AI product suite, including the website (guardion.ai), the console (console.guardion.ai), APIs, SDKs, and related services. |
| Data Subject | Any natural person whose personal data is processed, as defined under GDPR and LGPD. |
| Consumer | A California resident whose personal information is subject to CCPA protections. |
| Subprocessor | A third-party service provider engaged by Metatext AI to process personal data on our behalf. |
| DPO | Data Protection Officer, the individual responsible for overseeing data protection strategy and compliance. |
3. What Data We Collect
3.1 Account Data
When you create an account or interact with us as a Customer representative, we may collect:
- Full name
- Business email address
- Organization name and role/title
- Phone number (if provided)
- Billing and payment information (processed by third-party payment processors)
- Authentication credentials (passwords stored in hashed form)
3.2 Usage Data
When you access the Platform, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Pages visited and features used within the Platform
- Date, time, and duration of access
- Referring URLs
- Clickstream data and interaction logs
3.3 AI Interaction Data
In the course of providing our AI security and observability services, the Platform may process data that flows through our Customers' AI systems, including:
- Chat messages, prompts, and AI-generated responses
- Metadata associated with AI interactions (timestamps, session identifiers, model identifiers)
- Content flagged by our security and policy engines
- Personal data that may be present within AI interactions (e.g., names, email addresses, or other identifiers submitted by End Users)
Guardion.AI operates as an AI Security Gateway for AI agents and generative AI systems. The Platform processes information contained within chats and AI agent content that flows through the gateway, including any information users send to AI agents and any information the agents generate in response. This processing is necessary for Guardion.AI to monitor, evaluate, and protect AI systems against security threats, policy violations, and harmful content on behalf of the Customer.
Important: AI Interaction Data is processed on behalf of our Customers in our capacity as a data processor. Our Customers are responsible for ensuring they have appropriate legal bases and notices in place for the collection of this data. We do not use AI Interaction Data for any secondary commercial purpose, internal analytics unrelated to the service, or training of our own AI models.
3.4 Communication Data
- Emails, support tickets, and chat messages you send to us
- Feedback and survey responses
- Information provided during sales or onboarding interactions
3.5 Data We Do Not Intentionally Collect
We do not intentionally collect sensitive personal data (also known as special category data under GDPR or sensitive personal data under LGPD), such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation. However, such data may incidentally appear within AI Interaction Data processed on behalf of our Customers. Customers are responsible for implementing appropriate safeguards for such data.
4. Why We Collect Personal Data (Purposes of Processing)
We process personal data for the following purposes:
| Purpose | Categories of Data |
|---|---|
| Providing and operating the Platform | Account Data, Usage Data, AI Interaction Data |
| Account creation and authentication | Account Data |
| Customer support and communication | Account Data, Communication Data |
| Billing and invoicing | Account Data |
| Security monitoring, fraud prevention, and abuse detection | Account Data, Usage Data |
| Platform performance monitoring and improvement | Usage Data |
| Compliance with legal and regulatory obligations | All categories as necessary |
| Enforcing our Terms of Service | Account Data, Usage Data |
| Responding to data subject rights requests | Account Data, relevant processing records |
We do not use personal data for secondary commercial purposes, sell personal data, or use Customer data for internal metrics unrelated to service delivery.
5. Legal Bases for Processing
5.1 Under the GDPR (Art. 6)
We rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): Processing necessary for the performance of our agreement with Customers, including account management, service delivery, and billing.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including Platform security, fraud prevention, service improvement, and business operations, provided such interests are not overridden by the data subject's rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or court orders.
We do not rely on consent as our primary legal basis for processing. Where consent is required for specific activities (e.g., marketing communications), we will obtain it separately and clearly.
5.2 Under the LGPD (Art. 7)
We rely on the following legal bases:
- Execution of a contract or preliminary procedures (Art. 7, V): Processing necessary for the execution of a contract to which the data subject is a party.
- Legitimate interests (Art. 7, IX): Processing necessary for our legitimate interests or those of third parties, unless overridden by the fundamental rights and freedoms of the data subject.
- Legal or regulatory obligation (Art. 7, II): Processing necessary for compliance with legal or regulatory obligations.
- Regular exercise of rights (Art. 7, VI): Processing necessary for the regular exercise of rights in judicial, administrative, or arbitral proceedings.
5.3 Under the CCPA
Under the CCPA, we act as a service provider when processing personal information on behalf of our Customers. We process personal information for the business purposes described in Section 4 above. We do not sell or share (as defined by the CCPA) consumers' personal information.
6. Cookie Policy
6.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. We and our service providers use cookies and similar technologies (such as local storage, pixels, and beacons) to operate, secure, and improve the Platform.
6.2 Types of Cookies We Use
| Category | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Essential for the Platform to function (e.g., authentication, security, load balancing). Cannot be disabled. | Session / Persistent |
| Functional | Remember your preferences and settings (e.g., language, display options). | Persistent (up to 12 months) |
| Analytics | Help us understand how Users interact with the Platform to improve performance and usability. | Persistent (up to 24 months) |
6.3 Third-Party Cookies
Some cookies may be set by our third-party service providers (e.g., analytics and hosting providers). These cookies are subject to the respective providers' privacy policies.
6.4 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling strictly necessary cookies may impair the functionality of the Platform. Where required by law, we will obtain your consent before placing non-essential cookies.
7. Data Sharing and Subprocessors
7.1 General Principles
We do not sell personal data. We share personal data only as necessary to provide and operate the Platform, comply with legal obligations, or protect our legitimate interests. All subprocessors are bound by contractual obligations to protect personal data in accordance with applicable law.
7.2 Subprocessors
The following table lists our current subprocessors:
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, computing, storage, and AI interaction processing | USA | All categories (Account Data, Usage Data, AI Interaction Data) |
| Cloudflare | Content delivery network (CDN), DDoS protection, web application firewall | USA | Web traffic data, DNS queries, session data |
| PostHog | Product analytics | USA | Usage Data (anonymized event data) |
| Sentry | Error monitoring and application performance | USA | Error logs, stack traces, application diagnostics |
We maintain an up-to-date list of subprocessors available upon request. Customers will be notified of material changes to our subprocessor list in accordance with our Data Processing Agreement.
7.3 Other Disclosures
We may also disclose personal data:
- To comply with applicable laws, regulations, legal processes, or governmental requests;
- To enforce our Terms of Service or other agreements;
- To protect the rights, property, or safety of Metatext AI, our Customers, or the public;
- In connection with a merger, acquisition, reorganization, or sale of assets, subject to applicable data protection requirements;
- With the data subject's explicit consent, where applicable.
8. International Data Transfers
8.1 Location of Processing
Guardion.AI's cloud infrastructure is hosted on Google Cloud Platform in the United States. As a result, personal data processed through the Platform may be transferred to and stored in the United States, regardless of the country from which it originates.
8.2 Safeguards for International Transfers
For transfers of personal data from the European Economic Area (EEA), the United Kingdom, Switzerland, or Brazil to the United States, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with Customers and our agreements with subprocessors;
- Supplementary measures as necessary, including encryption in transit (TLS 1.2+) and at rest, access controls, and data minimization;
- Transfer Impact Assessments conducted where required to evaluate the legal framework of the destination country;
- Compliance with the LGPD's international transfer requirements (Art. 33), including contractual guarantees and adherence to applicable standards.
8.3 EU-U.S. Data Privacy Framework
Where applicable, we rely on certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework for transfers to the United States.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
| Data Category | Retention Period |
|---|---|
| Account Data | Duration of the Customer relationship, plus up to 5 years for legal and compliance purposes. |
| Usage Data | Up to 24 months from collection, unless longer retention is required for security or legal purposes. |
| AI Interaction Data | As determined by the Customer and specified in the applicable agreement. Default retention is aligned with the Customer's configuration. |
| Communication Data | Up to 3 years from the date of last communication, unless longer retention is required for legal purposes. |
| Billing Data | As required by applicable tax and financial regulations (typically 5-7 years). |
9.1 Deletion Process
Upon request for data deletion or upon expiration of the retention period:
- Active systems: Data is logically deleted (marked for deletion and rendered inaccessible).
- Backups: Deleted data in backups is overwritten in accordance with our 90-day backup retention cycle. After the 90-day cycle completes, deleted data will no longer exist in any backup.
10. Data Subject Rights
10.1 Your Rights Under the GDPR (Art. 15-22)
If you are located in the EEA or the United Kingdom, you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to applicable exceptions.
- Right to restriction of processing (Art. 18): Request that we limit the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right not to be subject to automated decision-making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
10.2 Your Rights Under the LGPD (Art. 18)
If you are located in Brazil, you have the following rights:
- Confirmation of the existence of processing;
- Access to your personal data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary or excessive data;
- Portability of data to another service provider;
- Deletion of personal data processed with consent;
- Information about public and private entities with which your data has been shared;
- Information about the possibility of denying consent and the consequences thereof;
- Revocation of consent.
10.3 Your Rights Under the CCPA
If you are a California resident, you have the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information, subject to applicable exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
10.4 How to Exercise Your Rights
You may exercise your data subject rights by:
- Emailing our DPO: privacy@guardion.ai
- Through your organization: If you are an End User whose data is processed through a Customer's AI system, please direct your request to that organization (the data controller). They will coordinate with us as necessary.
We will respond to verified requests within the timeframes required by applicable law (generally 15 days under LGPD, 30 days under GDPR, and 45 days under CCPA). We may request additional information to verify your identity before processing your request.
10.5 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority, including:
| Country/Region | Privacy Authority |
|---|---|
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) |
| United States (Federal) | Federal Trade Commission (FTC) |
| United States (California) | California Privacy Protection Agency (CPPA) |
| European Union | European Data Protection Board (EDPB) and national supervisory authorities |
| Germany | Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) |
| United Kingdom | Information Commissioner's Office (ICO) |
| Canada | Office of the Privacy Commissioner of Canada (OPC) |
| Australia | Office of the Australian Information Commissioner (OAIC) |
| Japan | Personal Information Protection Commission (PPC) |
| India | Data Protection Board of India (DPBI) |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) |
11. Data Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption in transit: All data transmitted to and from the Platform is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at rest: Personal data stored in our systems is encrypted at rest using industry-standard encryption algorithms.
- Access controls: Role-based access controls (RBAC) limit access to personal data to authorized personnel on a need-to-know basis.
- Authentication: Multi-factor authentication (MFA) is supported and encouraged for all Platform accounts.
- Infrastructure security: Our cloud infrastructure on Google Cloud Platform benefits from GCP's comprehensive security controls, certifications, and compliance programs.
- Monitoring and logging: We maintain security monitoring and audit logging to detect and respond to potential security incidents.
- Incident response: We maintain a documented incident response plan. In the event of a personal data breach, we will notify affected Customers and relevant supervisory authorities within 2 days (48 hours) of becoming aware of the breach, in accordance with applicable legal requirements.
- Vendor security: Subprocessors are evaluated for their security practices and bound by contractual obligations to maintain appropriate safeguards.
- Employee training: Personnel with access to personal data receive data protection and security training.
12. Links to Other Websites
Our Platform may contain links to third-party websites or services that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
13. Children's Privacy
The Guardion.AI Platform is a business-to-business service and is not directed at individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children under the age of 16 (GDPR), 13 (CCPA/COPPA), or 18 (LGPD, where applicable).
If we become aware that we have inadvertently collected personal data from a child below the applicable age threshold, we will take reasonable steps to delete such data promptly. If you believe that a child has provided personal data to us, please contact our DPO at privacy@guardion.ai.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this Policy.
- We will notify Customers via email or through the Platform console for significant changes.
- We encourage you to review this Policy periodically.
Your continued use of the Platform after the effective date of any changes constitutes your acknowledgment of the updated Policy. If you do not agree with the changes, you should discontinue use of the Platform and contact us to discuss your options.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact our Data Protection Officer:
Data Protection Officer (DPO)
Metatext AI LLC
Email: privacy@guardion.ai
For general inquiries about the Platform, please visit guardion.ai.
This Privacy Policy is effective as of March 2026.
Metatext AI LLC, a Delaware limited liability company.