This Privacy Policy explains how Bastionsoft UAB ("Bastion", "we", "us" or "our") collects, uses and protects personal data when you visit bastionsoft.com and its subdomains (the "Website"), contact us, or otherwise interact with us.
We are the data controller for the personal data described in this policy within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
A note on our product. Bastion's prompt-injection protection software is self-hosted. When you run it, it executes entirely inside your own infrastructure: it makes no outbound connections, transmits no prompts, tokens or transactions to us, and we never receive or process the data you screen with it. This Privacy Policy therefore concerns only data we collect through the Website and our sales and support communications — not data processed by the software in your environment.
1. Who we are and how to contact us
| Controller | Bastionsoft UAB |
|---|---|
| Registered in | Republic of Lithuania, company no. 307761630 |
| Registered address | Č. Sugiharos g. 2-30, LT-05115 Vilnius |
| Email | info@bastionsoft.com |
| Data protection contact | info@bastionsoft.com |
We are not legally required to appoint a Data Protection Officer, and therefore we have not done so.
2. The personal data we collect
We collect only what we need. Depending on how you use the Website, this may include:
Information you give us directly
- "Contact Sales" form — your first name, last name (optional), email address, company name (optional) and the contents of your message.
- Email and other correspondence — anything you choose to send us when you contact info@bastionsoft.com or otherwise communicate with us.
Information collected automatically
- Technical and usage data — IP address, browser type, device and operating system information, referring URLs, pages viewed and timestamps. This is collected through our hosting platform and through cookies and similar technologies (see our Cookie Policy). By default we use cookieless analytics, which do not set cookies or collect personal data.
- Analytics and advertising data — information about how you interact with the Website, and identifiers set by product analytics and advertising partners (e.g. Microsoft, Google, LinkedIn), where you have consented to non-essential cookies.
We do not intentionally collect special categories of personal data through the Website, and we ask that you not include sensitive personal data in form submissions or messages.
3. Why we use your data and our legal bases
| Purpose | Personal data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Respond to your "Contact Sales" enquiry and communicate with you | Name, email, company, message | Art. 6(1)(b) (steps prior to a contract) and/or Art. 6(1)(f) (our legitimate interest in responding to enquiries) |
| Operate, secure and maintain the Website | Technical and usage data | Art. 6(1)(f) (legitimate interest in a secure, functioning website) |
| Measure and improve the Website (analytics) | Analytics data, cookie identifiers | Art. 6(1)(a) (your consent) |
| Marketing and advertising, including measuring ad campaigns | Advertising identifiers, cookie data | Art. 6(1)(a) (your consent) |
| Send business communications to existing or prospective customers | Name, email, company | Art. 6(1)(f) (legitimate interest in B2B marketing) and/or Art. 6(1)(a) where consent is required |
| Comply with legal obligations and establish, exercise or defend legal claims | As relevant | Art. 6(1)(c) and Art. 6(1)(f) |
Where we rely on consent, you can withdraw it at any time (see Section 8). Where we rely on legitimate interests, you can object at any time, and we have balanced our interests against your rights.
4. Cookies and tracking
By default the Website uses strictly necessary cookies together with privacy-friendly, cookieless analytics that do not require consent. We also use product analytics and advertising cookies (set by third parties such as Microsoft, Google and LinkedIn), which are only set after you consent via our cookie banner. Full details — including categories, named providers and how to change your choices — are in our separate Cookie Policy.
5. Who we share your data with
We do not sell your personal data. We share it only with:
- Service providers (processors) acting on our instructions, including:
  - Google (Firebase Hosting) — our website hosting and content-delivery platform;
  - our email and CRM provider(s) - Google Workspace and HubSpot CRM;
  - product analytics and advertising providers you have consented to (e.g. Microsoft, Google, LinkedIn).
- Professional advisers (lawyers, accountants, auditors) where necessary.
- Authorities or third parties where required by law, or to protect our rights, safety or property.
Each processor is bound by a data processing agreement requiring appropriate safeguards.
6. International transfers
Some of our providers (for example certain analytics and advertising platforms) may process data outside the European Economic Area, including in the United States. Where this happens, we rely on appropriate safeguards under GDPR Chapter V — typically the European Commission's Standard Contractual Clauses and/or, for certified US recipients, the EU–US Data Privacy Framework. You can request more information using the contact details above.
7. How long we keep your data
- Sales enquiries and correspondence: kept for as long as needed to handle your request and our relationship, and thereafter for up to 24 months unless a longer period is required.
- Server logs: typically retained for up to 12 months.
- Cookie data: for the lifetimes set out in the Cookie Policy.
We delete or anonymise personal data once it is no longer needed for the purposes above or required by law.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure ("right to be forgotten");
- restrict or object to our processing, including objecting to direct marketing at any time;
- request data portability;
- withdraw consent at any time, without affecting processing carried out before withdrawal.
To exercise any of these rights, email info@bastionsoft.com. We will respond within one month, as required by the GDPR. There is normally no charge.
You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) (https://vdai.lrv.lt/en/). You may also complain to the authority in your own country of residence.
9. How we protect your data
We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse, including encryption in transit, access controls and use of reputable processors. No method of transmission over the internet is completely secure, but we work to protect your data and review our measures regularly.
10. Children
The Website is intended for businesses and professional users. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 16.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it last changed. Material changes will be highlighted on the Website where appropriate.
12. Contact
Questions about this policy or our data practices? Email info@bastionsoft.com.