Privacy Policy
Last updated: 7 April 2026
1. Data controller
Bordair is operated as a sole trader business based in the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is Bordair.
Address: Russellcroft Road, Welwyn Garden City, AL8 6QY, Hertfordshire, United Kingdom
Contact: hello@bordair.io
ICO registration reference: ZC116587
2. Information we collect
Account information
When you create an account we collect your email address and a hashed password. We do not store passwords in plain text.
API usage data
When you use the Bordair API we log: a one-way SHA-256 hash of the input text (we never store the raw input), the scan result (threat level, confidence, detection method), timestamp, and input length. These logs are tied to your API key and are visible in your dashboard.
Payment information
Payments are processed by Stripe, Inc. We do not store credit card numbers or bank details on our systems. Stripe acts as an independent data controller for payment data under their own privacy policy.
Website analytics
We use minimal, privacy-respecting analytics to understand page views and traffic sources. We do not use third-party tracking cookies or advertising pixels.
Bordair's Castle
Anonymous Castle players are tracked via IP address and a browser fingerprint to enforce rate limits and prevent abuse. This data is automatically deleted after 7 days. Anonymous game progress is stored locally in your browser (localStorage) and is not sent to our servers. Authenticated players' Castle progress is linked to their account.
3. Legal basis for processing (UK GDPR Article 6)
We process your personal data under the following lawful bases:
- Contract performance (Article 6(1)(b)) - to provide the API service you signed up for, authenticate requests, and manage your account
- Legitimate interests (Article 6(1)(f)) - to enforce rate limits, prevent abuse, maintain service security, and improve detection accuracy using aggregate anonymised metadata. Our legitimate interest does not override your rights because we only process minimal data and never store raw input text.
- Legal obligation (Article 6(1)(c)) - where we are required to retain data or disclose information by law
4. Data we do NOT collect
To be explicit:
- We never store the raw text, image, document, or audio content submitted to the API
- We do not use your data to train our models on a per-user basis - only aggregate, anonymised scan metadata is used
- We do not sell or rent personal data to any third party
- We do not use advertising cookies or third-party trackers
5. Data sharing and sub-processors
We share data only with the following parties, strictly as needed to provide the Service:
| Party | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting | All service data (encrypted) | EU (London) and US (Virginia) |
| Stripe, Inc. | Payment processing | Email, payment details | US (with EU data residency options) |
| Anthropic, PBC | LLM-based prompt analysis (Bordair's Castle) | User-submitted prompts during Castle gameplay | US |
| Resend, Inc. | Transactional email delivery | Email address | US |
If this list changes, we will update this policy and notify registered users.
6. International data transfers
The Bordair API is deployed across two regions: EU (London, UK) and US (Virginia, US). Your API requests are routed to the nearest region based on network latency. This means your scan metadata may be processed in the United States.
For transfers of personal data from the UK to the US, we rely on AWS's compliance with appropriate safeguards under UK GDPR, including Standard Contractual Clauses (SCCs) as incorporated into AWS's Data Processing Addendum.
7. Data retention
| Data type | Retention period |
|---|---|
| Scan logs (hashed) | 90 days, then automatically deleted |
| Account information | Deleted immediately upon account deletion request, along with all associated scan logs and Castle progress |
| Payment records | As required by UK tax law (typically 6 years) |
| Castle progress | Duration of active account, deleted on account deletion |
| Anonymous player data (IP, fingerprint) | 7 days, then automatically deleted |
| Verification/reset codes | 15 minutes (expired codes are automatically cleared) |
8. Data security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted with TLS 1.2+
- Passwords are hashed using industry-standard algorithms (never stored in plain text)
- API keys are generated using cryptographically secure random number generators
- Raw user input is never stored - only irreversible SHA-256 hashes
- Infrastructure runs in isolated containers with no persistent storage of user content
9. Your rights under UK GDPR
Under the UK GDPR, you have the following rights:
- Right of access (Article 15) - request a copy of the personal data we hold about you
- Right to rectification (Article 16) - request correction of inaccurate personal data
- Right to erasure (Article 17) - request deletion of your personal data ("right to be forgotten")
- Right to restriction (Article 18) - request that we restrict processing of your data
- Right to data portability (Article 20) - export your data in a structured, machine-readable format via the data export feature in your dashboard or API
- Right to object (Article 21) - object to processing based on legitimate interests
To exercise any of these rights, email hello@bordair.io. We will respond within one month as required by UK GDPR.
10. California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know - what personal information we collect, use, and disclose
- Right to delete - request deletion of your personal information
- Right to opt-out of sale - we do not sell personal information to third parties
- Right to non-discrimination - we will not discriminate against you for exercising your CCPA rights
To make a CCPA request, email hello@bordair.io.
11. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@bordair.io and we will delete it promptly.
12. Cookies
We use strictly necessary cookies only:
- Session authentication - to keep you logged in to the dashboard (SameSite=Lax, Secure attributes)
CSRF protection is provided via SameSite cookie attributes and header-based API authentication rather than a separate cookie. These cookies are essential for the Service to function and do not require consent under UK GDPR. We do not use advertising, analytics, or third-party tracking cookies.
13. Automated decision-making
The Bordair API uses automated processing (machine learning models) to classify inputs as potentially malicious or benign. This processing is performed on the content you submit via the API, not on your personal data. The scan results are informational and the decision to block or allow content is made by your application, not by Bordair.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. The "last updated" date at the top of this page will always reflect the current version.
15. Complaints
Bordair is registered with the UK Information Commissioner's Office (ICO) under registration reference ZC116587.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. Please email us at hello@bordair.io first.
16. Contact
For any privacy-related questions, data requests, or concerns:
Email: hello@bordair.io