Privacy Policy

This Privacy Policy applies to:

• Visitors to LangProtect’s websites
• Users who create accounts or authenticate into the LangProtect platform
• Customers and authorized users accessing dashboards, APIs, or extensions
• Individuals interacting with LangProtect in a business or professional capacity

This policy does not apply to third-party websites, services, or platforms that may be linked from LangProtect’s Services, which are governed by their own privacy policies.

For the purposes of applicable data protection laws, LangProtect acts as a data controller with respect to personal information related to account creation, access management, and platform administration.

LangProtect’s role is limited to providing security controls and visibility for AI interactions. We do not operate consumer-facing AI models, nor do we independently determine the content or purpose of customer-generated AI prompts.

This Privacy Policy governs:

• Personal information provided directly by users
• Information processed in connection with account access and platform usage
• Technical and operational data required to secure and operate the Services

It does not govern the underlying data processed by customers’ AI models outside the LangProtect platform.

We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our Services. When we make material changes, we will update the “Last updated” date and, where required by law, provide additional notice.

When individuals or organizations create an account or interact with the LangProtect platform, we may process the following information:

• Account and Identity Information
• Full name
• Work email address
• Company or organization name
• Job role or functional title (optional, where provided)

This information is used solely for account creation, authentication, access control, and customer communication.

To secure access to the LangProtect platform and APIs, we process technical credentials and identifiers, including:

• User authentication credentials (hashed and secured)
• API keys associated with projects or environments
• Access tokens and role-based permissions
• Password reset and account verification data

LangProtect does not store plaintext passwords. Authentication information is processed using industry-standard security practices.

When users access dashboards, configure scanners, define policies, or review analytics, LangProtect processes:

• Project identifiers
• Policy configurations and scanner selections
• Role assignments within an organization
• High-level usage metrics required for operational visibility

This data is used to provide functionality, enforce security policies, and ensure system integrity.

LangProtect operates as a security layer between users and AI systems. In doing so, it may process AI interaction data transiently, including:

• Inputs submitted to AI systems
• Outputs generated by AI systems
• Detection signals related to security risks (e.g., policy violations, threats)

Important clarification:

LangProtect processes this data in real time for security analysis only. We do not:

• Store prompt or response content
• Use AI interaction data to train models
• Retain customer data beyond what is required for immediate security enforcement

To operate and secure the Services, we may collect limited technical information, such as:

• IP addresses (used for security, abuse prevention, and access control)
• Device and browser type
• Timestamps of access events
• Performance and latency metrics

This information helps maintain reliability, detect misuse, and improve platform stability.

LangProtect does not intentionally collect:

• Personal data unrelated to business use
• Sensitive personal information beyond what is necessary for account access
• Consumer behavioral profiles
• Data for advertising or marketing networks

We also do not deploy cookies or tracking technologies for advertising purposes.

LangProtect processes basic account and organizational information in order to provide access to the platform and administer user accounts. This includes enabling account creation, authenticating users, managing organizational workspaces, and maintaining secure access to dashboards, APIs, and configuration interfaces.

Information such as names, work email addresses, company names, job roles, passwords, and API keys is processed to ensure that only authorized users can access the Services and that actions taken within the platform can be accurately attributed to the correct user or organization. This processing is essential to delivering the Services in a secure and reliable manner.

Without processing this information, LangProtect would be unable to establish user identity, enforce role-based access controls, or apply organization-specific security policies. All such processing is limited to what is necessary to support normal platform functionality.

A core function of LangProtect is to protect AI systems from misuse, unauthorized access, and unintended data exposure. To achieve this, LangProtect processes AI interaction data in real time to apply scanners, policies, and security guardrails.

This processing allows LangProtect to identify and respond to risks such as prompt injection attempts, sensitive data leakage, policy violations, unsafe outputs, and other forms of AI misuse. The analysis is performed transiently and contextually, meaning inputs and outputs are examined only for the duration required to apply the relevant security controls.

LangProtect does not persist, store, or reuse AI interaction content beyond what is necessary to enforce security policies and provide immediate protection. Processed AI data is not retained for training, analytics unrelated to security, or any secondary purpose.

LangProtect processes security-related metadata to detect threats, surface incidents, and provide visibility into AI security events. This includes information about when security rules are triggered, what types of risks are detected, and how the system responds.

This information enables organizations to understand how their AI systems are being used, where potential vulnerabilities exist, and how security posture evolves over time. Security logs and analytics are designed to support accountability, auditing, and informed decision-making.

Processing in this context is strictly focused on security outcomes. It is not used to infer user behavior beyond what is necessary to identify threats, nor is it used to evaluate individual performance or productivity.

LangProtect processes technical and operational data to ensure the Services function reliably and efficiently. This includes monitoring system performance, request volumes, response times, error rates, and infrastructure health.

Processing this information allows us to diagnose issues, optimize performance, prevent service degradation, and ensure high availability. It also helps us detect abnormal usage patterns that may indicate misuse or attempted abuse of the platform.

This type of processing is essential for maintaining enterprise-grade reliability and does not involve the inspection or storage of customer content beyond what is required for operational integrity.

LangProtect may process aggregated and de-identified usage information to understand how the Services are used and to inform product improvements. This helps us identify feature adoption trends, performance bottlenecks, and areas where security controls can be strengthened.

Any such analysis is conducted using information that cannot reasonably be used to identify individuals or organizations. We do not analyze customer data at an individual level for product development purposes, and we do not use processed information to train AI models.

In certain circumstances, LangProtect may process information to comply with applicable laws, regulations, legal processes, or lawful requests from government authorities. We may also process information to enforce our terms of service, prevent fraud or abuse, protect the security of our users, and defend against legal claims.

Such processing is conducted only when legally required or legitimately necessary, and always in accordance with applicable data protection laws.

For clarity and transparency, LangProtect explicitly does not use processed information to:

• Train, fine-tune, or evaluate artificial intelligence or machine learning models
• Build behavioral profiles of users or employees
• Deliver targeted advertising or marketing
• Sell, rent, or trade personal data
• Share customer data with third parties for independent use

Our use of information is purpose-bound, security-focused, and aligned with enterprise and regulatory expectations.

The primary legal basis for processing personal data is the performance of a contract between LangProtect and the organization or individual using the Services.

When users create an account, access dashboards, configure security policies, generate API keys, or interact with the platform in any way, LangProtect processes certain personal data in order to:

• Provide access to the Services
• Authenticate users and secure accounts
• Apply organization-specific configurations and policies
• Deliver the functionality explicitly requested by the user

Without processing this information, LangProtect would be unable to fulfill its contractual obligations. This includes processing identifiers such as names, work email addresses, company information, job roles, passwords, and API credentials.

LangProtect processes certain personal data based on its legitimate interests, provided those interests are not overridden by the rights and freedoms of individuals.

Our legitimate interests include:

• Securing the platform against misuse, abuse, and unauthorized access
• Detecting, preventing, and responding to AI-related security threats
• Maintaining the integrity, availability, and reliability of the Services
• Improving platform performance and operational stability
• Ensuring accountability through audit logs and security monitoring

When relying on legitimate interests, LangProtect carefully evaluates the necessity and proportionality of the processing and implements safeguards to minimize impact on individuals. Processing under this basis is strictly limited to what is required to achieve security and operational objectives.

LangProtect may process personal data where such processing is necessary to comply with legal or regulatory obligations.

This includes obligations under applicable laws relating to:

• Data protection and privacy
• Cybersecurity and information security
• Financial, accounting, and tax requirements
• Lawful requests from public authorities

In these cases, processing is limited to what the law requires and is conducted in accordance with applicable legal standards.

In limited circumstances, LangProtect may rely on consent as a legal basis for processing personal data.

Where consent is required, it will be:

• Freely given
• Specific and informed
• Unambiguous
• Revocable at any time

Users may withdraw consent without affecting the lawfulness of processing carried out prior to withdrawal. LangProtect does not rely on consent for core platform functionality or security-related processing.

LangProtect does not typically process personal data based on vital interests or public interest grounds. However, these bases may apply in exceptional circumstances where processing is necessary to protect individuals from serious harm or where required by law.

LangProtect does not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts on individuals, as defined under GDPR Article 22.

While the platform applies automated security controls to AI interactions, these controls operate at a system level and are designed to protect organizations, not to make determinations about individuals.

For users located outside the EU and UK, LangProtect processes personal data in accordance with applicable local laws and principles that align with the same core standards: lawfulness, fairness, transparency, purpose limitation, data minimization, and security.

Where local laws require additional disclosures or rights, LangProtect honors those requirements as applicable.

LangProtect processes data only for the purpose of providing real-time security controls.

When users or systems interact with AI models through LangProtect, the content of those interactions may be analyzed transiently to detect security risks such as prompt injection, sensitive data exposure, policy violations, or other forms of misuse. This processing occurs in-memory and in transit, strictly to evaluate the request or response against configured security scanners and policies.

LangProtect does not ingest, store, or persist full AI prompts, responses, or contextual content beyond what is operationally required to enforce security decisions.

LangProtect does not store AI prompts, AI responses, or customer data for long-term use.

Once a security decision is made, such as allowing, modifying, or blocking an interaction, the content is immediately discarded. The platform is architected to avoid creating repositories of user-generated or AI-generated content.

This design ensures that:

• Customer data does not accumulate over time
• Sensitive information is not retained beyond necessity
• Exposure risk is minimized by default

LangProtect’s role is to mediate, not to collect.

While LangProtect does not store AI content, limited operational metadata may be processed and retained for security, audit, and reliability purposes.

This metadata may include:

• Timestamps of requests
• Scanner or policy identifiers triggered
• Severity levels or classification outcomes
• System performance metrics such as latency

This information is used solely to provide dashboards, analytics, threat visibility, and operational insight to customers. It does not include full prompt content, AI responses, or sensitive business data.

Retention of this metadata is limited to what is necessary to support platform functionality and compliance obligations.

LangProtect does not use customer data, AI interactions, prompts, responses, or metadata to train machine learning models.

LangProtect does not build, fine-tune, or improve any AI models using customer data. The platform operates independently of foundation model training workflows and does not contribute data to third-party model providers for training or improvement purposes.

This applies to:

• User-generated content
• AI-generated content
• Security detections
• Platform telemetry

Customer data remains customer data, in all cases.

LangProtect acts as a security layer between customers and AI systems but does not assume ownership or control over the underlying AI models used by customers.

LangProtect does not:

• Store customer data on behalf of AI model providers
• Share customer data with model providers for training
• Retain prompts or responses beyond real-time processing

Any interaction between a customer and a third-party AI provider remains governed by the customer’s direct relationship with that provider.

LangProtect follows a strict data minimization principle.

Only the minimum amount of data required to:

• Detect security risks
• Enforce policies
• Provide visibility and auditability

is processed at any point. No data is collected “just in case,” and no content is retained for secondary or future use.

This approach reduces exposure, limits liability, and aligns with global data protection principles.

Because LangProtect does not store AI content, there are no retention periods for prompts or responses.

Operational metadata and security-related logs are retained only for as long as necessary to support:

• Customer dashboards and analytics
• Security investigations
• Compliance and audit requirements

Retention durations may vary depending on contractual obligations, regulatory requirements, or customer configurations.

LangProtect may share limited personal information with trusted third-party service providers (“subprocessors”) who perform services on our behalf and under our instructions.

These providers support functions such as infrastructure hosting, authentication services, monitoring, logging, customer support tooling, and security operations. Access to personal information is strictly limited to what is necessary for the provider to perform its specific function, and all subprocessors are contractually obligated to:

• Process data only in accordance with LangProtect’s instructions
• Maintain appropriate technical and organizational security measures
• Not use personal data for their own purposes

LangProtect remains responsible for the handling of personal data by its subprocessors.

LangProtect may disclose personal information if required to do so by law or in response to valid legal processes.

This includes responding to lawful requests from courts, regulators, law enforcement agencies, or other public authorities where disclosure is legally required or permitted. In such cases, LangProtect limits disclosures to the minimum amount of information necessary and, where legally allowed, takes steps to notify affected customers.

We do not voluntarily provide personal data to authorities without a lawful basis.

In the event of a corporate transaction, such as a merger, acquisition, reorganization, or sale of assets, personal information may be disclosed as part of that transaction.

Any such disclosure would be subject to confidentiality obligations, and personal data would continue to be protected in accordance with this Privacy Policy. If control of personal data were to change materially, LangProtect would provide appropriate notice.

Outside of the circumstances described above, LangProtect does not share personal information with third parties.

In particular, we do not share personal data with advertisers, data brokers, analytics companies for independent use, or AI model providers for training or improvement purposes. Customer data remains under customer control and is not used to benefit third parties.

LangProtect’s Services are designed to support customers worldwide. Personal data may be processed in regions where LangProtect, its affiliates, or its subprocessors operate infrastructure or provide support services.

These locations may include the United States, the European Union, and other countries where LangProtect maintains operational presence or relies on third-party service providers. Transfers occur only where necessary to operate the Services, provide support, or ensure platform security and reliability.

When personal data originating from the European Economic Area, the United Kingdom, or other jurisdictions with transfer restrictions is transferred internationally, LangProtect implements appropriate safeguards as required by applicable law.

These safeguards may include:

• Standard Contractual Clauses approved by the European Commission
• Equivalent contractual protections recognized under UK data protection law
• Technical and organizational measures designed to protect data during transfer and processing

These measures are intended to ensure that personal data remains protected regardless of where it is processed.

LangProtect applies the same core data protection principles across all regions, including lawfulness, fairness, transparency, purpose limitation, data minimization, and security.

International transfers do not change how personal data is handled. Data is processed under the same restrictive conditions described throughout this Privacy Policy, including limitations on storage, use, and sharing.

LangProtect continuously evaluates its international data transfer practices to ensure compliance with evolving legal requirements, regulatory guidance, and court decisions.

Where local laws impose additional obligations or restrictions, LangProtect adapts its practices accordingly to maintain compliance.

LangProtect operates on secure, production-grade infrastructure designed to support high availability and resilience. Systems are architected with isolation controls, network segmentation, and restricted access layers to reduce exposure to unauthorized activity.

Security monitoring tools are used to observe system behavior, detect anomalies, and identify potential threats. Logs and telemetry are maintained to support operational oversight, troubleshooting, and security investigations.

Data processed through LangProtect is protected using encryption in transit. Secure communication protocols are used to prevent interception or tampering while data moves between customer systems, LangProtect services, and integrated components.

LangProtect processes AI prompts and responses transiently for security inspection and policy enforcement. Prompt content is not stored or retained beyond the duration required to perform scanning and enforcement. LangProtect does not use customer data to train machine learning models.

Access to LangProtect systems is restricted to authorized personnel who require access to perform their job responsibilities. Role-based access controls are used to limit system privileges based on function and responsibility.

Internal access rights are reviewed periodically and adjusted as needed. Employees and contractors with access to systems are subject to confidentiality obligations and internal security policies.

LangProtect maintains internal procedures covering areas such as access management, system maintenance, incident response, and vulnerability handling. These procedures are designed to reduce the risk of accidental exposure, misuse, or operational errors.

Security updates, patches, and configuration changes are applied in accordance with internal change management practices. Systems are evaluated regularly to identify potential weaknesses and improve overall security posture.

LangProtect maintains processes to detect, assess, and respond to security incidents. If an incident affecting personal information is identified, LangProtect will take appropriate steps to investigate, contain, and remediate the issue.

Where required by applicable law, LangProtect will notify affected customers or individuals within legally mandated timeframes and provide information reasonably necessary to support their response obligations.

While LangProtect implements safeguards to protect its Services, customers are responsible for securing their own accounts and environments. This includes protecting login credentials, API keys, passwords, and ensuring that access is limited to authorized users.

Customers are encouraged to use strong authentication practices and to monitor usage of their accounts and integrations.

No security system is completely immune from risk. While LangProtect continuously works to strengthen its safeguards, it cannot guarantee absolute security. Customers acknowledge that data transmission over the internet and cloud-based systems involves inherent risks.