CattleGrid Ltd - Privacy Policy
Version 1.0 – March 2026 – cattlegrid.uk
Who This Applies To
This policy covers anyone whose personal data CattleGrid Ltd processes: website visitors, prospective and current customers, and authorised service users. The content of AI prompts inspected by the gateway is subject to our zero-retention architecture and is never stored — it falls outside this policy's scope.
1. Who We Are
CattleGrid Ltd is the data controller for the personal data described in this policy.
- Registered name: CattleGrid Ltd
- Company number: 17020793 (England and Wales)
- Address: 32 Salisbury Avenue, Cheltenham, GL51 3BS
- General enquiries: support@cattlegrid.uk
- Data protection contact: compliance@cattlegrid.uk
- Website: cattlegrid.uk
No Data Protection Officer has been appointed. Please direct data protection questions to compliance@cattlegrid.uk.
2. Personal Data We Collect
2.1 Website Visitors
- Contact form submissions (name, business email, company name, message content)
- Technical data (IP address, browser type, device type, pages visited, timestamps via cookies and server logs)
Legal basis: Legitimate interests (UK GDPR Article 6(1)(f)) in operating our website securely and responding to enquiries.
2.2 Customers and Account Holders
- Account data (name, job title, business email, company name)
- Billing data (billing address, VAT number; payment cards processed by external provider)
- Subscription data (plan type, dates, usage tier)
- Correspondence (support requests, emails, communications)
Legal bases: Contract performance, legal obligation for tax/billing records, and legitimate interests for security and fraud prevention.
2.3 Authorised Users of the CattleGrid Service
- Identity data (name, business email)
- Audit log metadata (user identifier, interaction timestamp, triggered policy rules, action taken)
We do not log the content of AI prompts. Legal bases include contract performance and legal obligation under ISO 42001 and EU AI Act compliance.
2.4 Marketing Communications
Where opted-in, CattleGrid sends product information and regulatory updates using consent as the legal basis. Withdrawal is available via unsubscribe links or compliance@cattlegrid.uk.
3. Zero-Retention Architecture
Customer Data — the substantive content of what your employees send to AI services — exists only in memory for the milliseconds required to inspect it against your policy rules. It is never written to disk, database, or log.
We log only metadata (who, when, which rules, outcome), never content. If a data subject asks what we hold about them, the honest answer is: account and audit metadata, not the substance of their AI interactions.
4. How We Use Personal Data
| Purpose | Legal Basis |
|---|---|
| Website enquiry responses | Legitimate interests |
| Account creation/management | Contract performance |
| Service delivery/operation | Contract performance |
| Payment processing/invoices | Contract / Legal obligation |
| Audit logs (ISO 42001, EU AI Act) | Legal obligation |
| Technical support/incidents | Contract / Legitimate interests |
| Security/fraud prevention | Legitimate interests / Legal obligation |
| Service notifications | Contract performance |
| Marketing (with consent) | Consent |
| Legal/regulatory compliance | Legal obligation |
| Aggregated analytics | Legitimate interests |
We do not employ automated decision-making that produces legal or significant effects.
5. Who We Share Personal Data With
We do not sell personal data. Sharing occurs only for service delivery or legal compliance.
5.1 Sub-processors
| Sub-processor | Purpose and Data |
|---|---|
| Infrastructure provider (EU) | Cloud hosting; account and audit metadata only |
| Payment processor | Payment card processing (cards not transmitted to CattleGrid) |
| Email delivery provider | Transactional and marketing emails |
CattleGrid is hosted on European infrastructure. We do not use US-domiciled cloud providers for data storage or application hosting. Current sub-processor details are maintained at cattlegrid.uk/sub-processors.
5.2 Legal and Regulatory Disclosure
Disclosure occurs when required by law, court order, or regulatory authority (including the ICO), with notification provided unless legally prohibited.
5.3 Business Transfer
In merger, acquisition, or sale scenarios, personal data may transfer to successor entities with advance notification and equivalent protections maintained.
6. International Data Transfers
Our primary infrastructure resides in the European Economic Area. In the ordinary course of service delivery, we do not transfer personal data outside the UK or EEA. Where sub-processors operate outside these regions, safeguards include UK adequacy regulations, Standard Contractual Clauses, or other approved mechanisms under UK GDPR Article 46.
7. How Long We Keep Your Data
| Data Category | Retention Period |
|---|---|
| Website enquiry / contact data | 2 years from last contact, or until deletion request |
| Customer account data | Duration plus 6 years after termination (UK Limitation Act 1980) |
| Billing / financial records | 6 years from financial year end (HMRC requirement) |
| Audit log metadata | Customer-configured; default 12 months (no prompt content) |
| Marketing preferences | Until consent withdrawal |
| Support correspondence | 3 years from resolution |
Data is securely deleted or anonymised at the end of its retention period.
8. Cookies
| Cookie Type | Purpose and Basis |
|---|---|
| Strictly necessary | Website / portal function; no consent required |
| Performance / analytics | Usage understanding (aggregated, anonymised); requires consent |
| Marketing | Engagement tracking and relevant communications; requires consent |
A banner requests consent for non-essential cookies; preferences can be adjusted via footer cookie settings at any time. Prior processing remains lawful following consent withdrawal.
9. Your Rights
Under UK GDPR, you have the following rights:
| Right | Meaning |
|---|---|
| Access | Receive a copy of the personal data we hold about you and how we use it |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Have personal data deleted where there is no legitimate reason to continue processing |
| Restriction | Pause processing in certain circumstances (e.g., disputed accuracy) |
| Portability | Receive data in a structured, machine-readable format or have it transferred directly |
| Object | Object to legitimate interest processing; we must stop unless we have compelling grounds |
| Withdraw consent | End marketing / cookie consent at any time without affecting prior processing |
| Automated decision-making | Not be subject to solely automated decisions with legal or significant effects |
Exercise your rights by emailing compliance@cattlegrid.uk. We will respond within one calendar month. We may request identity verification. No charges apply unless requests are manifestly unfounded or excessive.
10. Subject Access Requests
Submit SARs to compliance@cattlegrid.uk with clear identification and specification of the data you require.
Given our zero-retention architecture, SARs relating to AI prompt content will be straightforward: we hold no such content. Account data, audit metadata, and correspondence requests will be fulfilled within one calendar month. The Data (Use and Access) Act 2025 permits a pause if identity verification or data location requires additional information.
11. Complaints
Please contact compliance@cattlegrid.uk in the first instance so we can attempt to resolve your concern.
If you remain unsatisfied, you may escalate to the Information Commissioner's Office:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
EU residents with concerns about EU data may contact their country's supervisory authority.
12. Security
Our technical and organisational measures include:
- Encryption in transit (TLS) and at rest
- Role-based access controls restricting internal data access
- European server infrastructure outside US CLOUD Act scope
- Zero-retention processing of prompt content
- Regular sub-processor security review
No method of transmission over the internet is entirely secure. Personal data breaches likely to result in a risk to your rights or freedoms will be notified to the ICO within 72 hours and to affected individuals without undue delay.
13. Changes to This Policy
We update this policy when our practices change or legislation requires. Material changes will be notified to customers by email at least 14 days before taking effect. The current version is always available at cattlegrid.uk/privacy.
14. Contact Us
| Query Type | Contact |
|---|---|
| General enquiries | support@cattlegrid.uk |
| Data protection / privacy | compliance@cattlegrid.uk |
| Subject access requests | compliance@cattlegrid.uk |
| Post | CattleGrid Ltd, 32 Salisbury Avenue, Cheltenham, GL51 3BS |
CattleGrid Ltd is registered in England and Wales (Company No. 17020793). Registered Office: 32 Salisbury Avenue, Cheltenham, England, GL51 3BS. This policy complies with UK GDPR, the Data (Use and Access) Act 2025, and ICO guidance. It does not constitute legal advice. Version 1.0 – March 2026. ICO Registered No. ZC098407.