Privacy Policy
Last updated: April 2026
1. Introduction
TechED Venture Limited ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales under company number 15830821 and registered with the Information Commissioner's Office (ICO) under registration number ZB915677.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Guardian Pro (app.guardianpro.cloud), visit our website (guardianpro.cloud), or interact with us in any way.
We are committed to protecting your privacy and processing your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
2.1 Account Data
When you register for Guardian Pro, we collect:
- Full name
- Email address
- Organisation name
- Password (stored as a one-way hash via Amazon Cognito)
- AWS account identifiers (account IDs connected to the platform)
2.2 Usage Data
We automatically collect data about how you use Guardian Pro:
- Features accessed and actions taken
- Scan results and finding metadata (not the underlying AWS resource data itself)
- Remediation and rollback actions performed
- AI assistant conversations (for service improvement, not shared with third parties)
- Login timestamps and IP addresses (for security and audit purposes)
2.3 AWS Infrastructure Data
Guardian Pro scans your AWS infrastructure using cross-account IAM roles that you explicitly configure. The data collected includes:
- AWS resource configurations (instance types, security group rules, encryption settings, etc.)
- Cost and Usage Report (CUR) data
- Resource dependency and relationship data
- CloudFormation stack configurations
This data is stored in your tenant-isolated partition in our DynamoDB tables. Every database operation is scoped to your organisation ID and account ID, making cross-tenant data access physically impossible at the key level.
2.4 Contact Form Data
When you contact us via the website, we collect your name, email address, phone number (if provided), company name (if provided), and the content of your message.
2.5 Cookies and Analytics
We use cookies and similar technologies as described in Section 8 below.
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: Operating Guardian Pro, including security scanning, cost analysis, compliance assessment, architecture advisory, and AI assistant functionality.
- Authentication and security: Managing your account, verifying your identity, preventing unauthorised access, and maintaining audit logs.
- Communication: Sending you service notifications (security alerts, scan results, compliance updates), responding to your enquiries, and providing customer support.
- Service improvement: Analysing usage patterns to improve features, fix issues, and develop new capabilities. AI assistant conversations are used to improve response quality but are never shared with third parties.
- Billing and subscription: Managing your subscription through AWS Marketplace, tracking usage against tier limits, and processing payments.
- Legal compliance: Meeting our legal and regulatory obligations.
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to deliver the Guardian Pro service as per our Terms of Service, including account management, infrastructure scanning, and feature access.
- Legitimate interests (Article 6(1)(f)): Processing for service improvement, security monitoring, fraud prevention, and analytics. We have assessed that these interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): Where we send marketing communications or use non-essential cookies. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with applicable law, such as financial record-keeping requirements.
5. Data Retention
We retain your data for the following periods:
- Account data: For the duration of your active subscription plus 30 days after cancellation to allow for reactivation.
- Security findings and scan results: Retained while your account is active. Historical data is available for trend analysis.
- Cost data: CUR-derived cost records retained for 13 months for year-over-year analysis.
- Audit logs: 365 days (automatic TTL expiry in DynamoDB).
- AI usage records: 30 days (automatic TTL expiry).
- Cost anomaly records: 90 days (automatic TTL expiry).
- Contact form submissions: 12 months from the date of submission.
When your account is deleted, all associated data is permanently removed from our systems within 30 days.
6. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data, subject to our legal retention obligations.
- Right to data portability (Article 20): Request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Right to restrict processing (Article 18): Request restriction of processing in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@guardianpro.cloud. We will respond within 30 days as required by law.
If you are not satisfied with our handling of your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- All data is encrypted at rest using AWS KMS (AES-256) and in transit using TLS 1.2+.
- Multi-tenant data isolation at the DynamoDB partition key level ensures your data is physically separated from other customers.
- Authentication via Amazon Cognito with rate limiting (5 failed attempts trigger a 15-minute lockout).
- Cross-account AWS access uses IAM roles with external ID verification to prevent confused deputy attacks.
- All API endpoints are protected by Cognito authorisation and CORS policies.
- Audit logging of all authentication events with 365-day retention.
- Input sanitisation and injection detection on all user-facing endpoints.
8. Cookies
We use the following categories of cookies:
- Strictly necessary cookies: Required for authentication, session management, and security (e.g., Cognito session tokens). These cannot be disabled.
- Analytics cookies: Google Analytics (GA4) to understand how visitors use our website. These are only set with your consent. GA4 data is anonymised and no personally identifiable information is sent to Google.
- Security cookies: Cloudflare Turnstile for bot protection on our contact form.
You can manage your cookie preferences using the cookie consent banner displayed on your first visit.
9. Third-Party Services
We use the following third-party services to operate Guardian Pro:
- Amazon Web Services (AWS): Infrastructure hosting (DynamoDB, Lambda, S3, Cognito, CloudFront, etc.). AWS acts as our data processor. Data is processed in the eu-west-2 (London) region unless we are scanning resources in other regions.
- Amazon Bedrock: AI model hosting for the AI assistant and infrastructure wizard. Conversations are processed but not used to train AI models.
- AWS Marketplace: Subscription management and billing. AWS processes payment data; we do not store credit card information.
- Cloudflare: DNS, CDN, DDoS protection, and Turnstile bot protection. Cloudflare may process IP addresses for security purposes.
- Google Analytics: Website analytics (with consent). We use GA4 with IP anonymisation enabled.
We do not sell your personal data to any third party. We only share data with the third-party services listed above, and only to the extent necessary to operate Guardian Pro.
10. International Data Transfers
Guardian Pro is hosted on AWS in the eu-west-2 (London) region. Your data primarily remains within the United Kingdom.
When Guardian Pro scans your AWS resources in other regions (e.g., us-east-1, eu-central-1), resource configuration data is transferred to our eu-west-2 infrastructure for processing and storage.
Some third-party services (Google Analytics, Cloudflare) may process data outside the UK. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions as applicable.
11. Children's Privacy
Guardian Pro is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that we have collected data from a child, please contact us immediately at privacy@guardianpro.cloud.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting a notice on our website or sending you an email. The "Last updated" date at the top of this page indicates when this policy was last revised.
13. Contact Us
For any privacy-related enquiries or to exercise your data protection rights, contact our Data Protection Officer:
TechED Venture Limited
Data Protection Officer
Email: privacy@guardianpro.cloud
General enquiries: info@guardianpro.cloud
England & Wales Co. 15830821
ICO Registration: ZB915677