Privacy Notice — AI Control Plane
Last updated: 2026-04-22. Applies to controller.intelxview.com.
This notice explains what personal data we collect when you use the IntelXview AI Control Plane ("ACP"), why we process it, who else sees it, and the rights you have over it. It covers ACP only; the public marketing site limitedview.co.uk has its own notice, and portal.intelxview.com has its own.
1. Who we are
IntelXview Limited (England & Wales, registered company). Data controller for ACP. Contact: [email protected].
If you access ACP because your employer is the tenant customer, your employer is the controller of your ACP account data; IntelXview acts as processor on their behalf. Your employer's own privacy policy governs that relationship — contact them first for subject-access or erasure requests.
2. What we collect and why
| Data | Source | Purpose | Lawful basis (UK GDPR Art.6) |
|---|---|---|---|
| Email address | You, on sign-up via Keycloak | Account identity, security notifications | Contract (Art.6(1)(b)) |
| Display name | You, in account settings | UI personalisation | Contract |
| Keycloak user identifier (sub) | Keycloak, on sign-in | Linking identity to ACP audit rows | Contract |
| Realm roles and tenant assignment | You / your OrgAdmin | Authorisation (RBAC) | Contract |
| Service-account / agent identifiers | You, via the mgmt API | Operating your automations | Contract |
| Tenant identifier (tenant_id) | Us, on tenant creation | Tenant isolation | Contract |
| IP address of every request | You, automatically | Account-takeover detection, rate limits | Legitimate interest (Art.6(1)(f)) |
| User-agent header | You, automatically | Debugging, session integrity | Legitimate interest |
| LLM request audit rows (acp_llm_audit_log) | Us, on every /execute call | Demonstrating what left the system and to which provider | Legitimate interest + legal obligation |
| General audit events (acp_audit_events) | Us, on every sensitive action | Security, compliance, incident response | Legal obligation (Art.6(1)(c)) + legitimate interest |
| Billing identifiers (Stripe customer id, subscription state) | Stripe, on purchase | Fulfilling the paid contract | Contract |
A note about LLM prompt content
When you or your agents submit a prompt to an LLM through ACP, the prompt is forwarded to an upstream provider (OpenAI, Anthropic, DeepSeek, or Cloudflare — see §5 below). ACP does not retain the raw text of your prompts or the responses. We keep only a SHA-256 hash of the scrubbed prompt and response, plus metadata (provider, model, size, redaction counts, status, timestamp) for 30 days.
Before forwarding a prompt upstream, ACP applies a regex-based PII scrubber that redacts email addresses, phone numbers, payment card numbers (Luhn-validated), UK National Insurance numbers, and IBANs. The scrubber is a defence-in-depth layer, not a substitute for your own data governance — please do not include regulated personal data in prompts if you lack a lawful basis to share it with our upstream providers.
3. Cookies
ACP uses strictly necessary session cookies issued by Keycloak for authentication. No analytics, advertising, or consent-requiring cookies are set.
4. Automated decision-making
ACP does not make automated decisions with legal or similarly significant effects about you (UK GDPR Art.22). LLM responses returned through ACP are the output of third-party AI systems; we do not use them to make decisions about you autonomously.
5. Who receives your data — subprocessors
- DigitalOcean, LLC — hosting, Kubernetes, managed PostgreSQL. DPA.
- GitHub, Inc. — source hosting and CI/CD. Does not receive runtime tenant data.
- Stripe, Inc. — billing and payment processing. Privacy centre.
- Google LLC (Gmail / Workspace) — transactional email delivery.
- OpenAI, L.L.C. — LLM completion provider when routed.
- Anthropic PBC — LLM completion provider when routed.
- Hangzhou DeepSeek AI — LLM completion provider when routed. Prompts transit CN infrastructure. Tenant admins can opt out by contacting [email protected]. A formal DPA is pending; until then we recommend not submitting regulated personal data if DeepSeek is the routed provider.
- Cloudflare, Inc. — Workers AI LLM backend and edge security.
Material changes to this list are notified to tenant admins at least 15 days in advance.
6. Retention
| Data | Retention |
|---|---|
| Account profile while active | Until account closure |
| Account after closure | PII removed immediately; pseudonymous record kept 30 days for restore, then permanently deleted |
| General audit events (acp_audit_events) | 7 years from creation |
| LLM audit log (acp_llm_audit_log) | 30 days, enforced by daily purge |
| Routing telemetry | 12 months |
| Billing records | 7 years (UK tax law) |
7. International transfers
ACP is hosted in the UK (DigitalOcean). Transfers outside the UK / EEA happen when we use subprocessors that operate internationally (e.g. LLM providers). All such transfers are covered by one of: adequacy decisions, UK IDTA, or EU SCCs with UK Addendum.
8. Your rights (UK GDPR Articles 15–22)
- Access / portability (Art.15 / Art.20) — request a copy of your personal data in a machine-readable format.
- Rectification (Art.16) — correct inaccurate data.
- Erasure (Art.17) — request deletion subject to legal retention obligations.
- Restriction / objection (Art.18 / Art.21) — pause or object to processing based on legitimate interest.
- Not subject to automated decision-making (Art.22) — does not apply (see §4).
Exercise any of these by emailing [email protected] with the subject Privacy request. We respond within one calendar month (extendable by two further months for complex requests, with notice).
If you're unhappy with how we respond, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
9. Security
ACP operates with role-based access control, tenant isolation enforced at three independent layers (application, policy engine, and database Row-Level Security), default-deny authorization, TLS everywhere, secrets held in HashiCorp Vault with AppRole auth, and a continuous SOC2 readiness programme. Our internal posture summary is available under NDA.
10. Changes to this notice
We publish changes to this notice here. Material changes are communicated to tenant admins by email at least 15 days before they take effect.
11. Contact
- General privacy: [email protected]
- Security disclosure: [email protected]
This notice is maintained in docs/compliance/customer-facing/privacy-notice.md in the ACP repository. Change log is in version control.