Privacy Policy

Last updated: 2 May 2026

This policy describes what the Guard bot-protection service processes about visitors when g.js runs on a site that embeds it or when a request is evaluated by Guard. It explains what is collected, why it is collected, who it is shared with, and the choices and rights that may apply to you.

The Guard service — including the client script, the request- evaluation backend, and the operator control panel — is operated as a centrally hosted service by PRISM.GG Limited (“PRISM.GG”). The site you were visiting uses that central instance under contract with PRISM.GG; it does not self-host the service.

1. Purpose

The script exists to distinguish automated traffic (bots, scrapers, abuse tooling, credential-stuffing systems, spam, fraud, and other misuse) from human visitors. Guard is used for network and information security, fraud prevention, service integrity, abuse investigation, and security tuning. It does not serve advertising, marketing analytics, A/B testing, or behavioural advertising.

2. Categories of data processed

To make a reliable human-versus-automation decision, Guard processes technical and security signals exposed by your browser or transmitted with the protected request. These signals are generally pseudonymous technical identifiers. They are not intended to identify you by name, but they can be personal data where privacy law treats device, network, cookie, or online identifiers as personal data. The categories are:

Device and browser characteristics exposed by standard web APIs, such as display, rendering, platform, language, timezone, input, and similar environment attributes.
Interaction and page-integrity signals relating to the request being evaluated, such as coarse pointer activity, viewport state, browser integrity checks, and signals that help identify automated, modified, or blocked page execution.
Challenge-response data generated by your browser when a security challenge is required, including challenge results and any token returned by a third-party challenge provider (see Section 6).
Request and network metadata associated with the protected request, including IP address, user-agent string, referrer, cookies, request headers, connection and protocol metadata, timestamps, and coarse network routing or location information derived from the request.
Site-provided request context included in the Guard token or forwarded by the protected endpoint, such as site, product, action, account, session, or limited request context needed to evaluate the request.
Security outcomes generated by Guard, including request IDs, pseudonymous Guard identifiers, risk decisions, challenge status, abuse history, and related security signals.

For security and integrity reasons the exact scoring rules, thresholds, and relative weighting of these signals are not published.

2.1 What is not processed

Guard does not intentionally collect names, email addresses, phone numbers, government identifiers, payment details, or account credentials through g.js. A site operator should not include those values in Guard tokens or forwarded request bodies unless needed for its own security use case and disclosed in its own privacy notice.
Guard does not read page contents, form field values, keystroke text, or clipboard contents through g.js.
Guard does not request precise geolocation, microphone audio, or camera imagery.
Guard does not set cross-site advertising identifiers and does not use the data for targeted advertising.

3. Legal basis

Where the GDPR or UK GDPR applies, visitor processing is performed under legitimate interests (Art. 6(1)(f)) for network and information security, fraud prevention, service integrity, and abuse prevention, as recognised in Recital 49. Where Guard processes data on behalf of the site operator, the site operator determines the applicable legal basis for its own use of Guard.

Where local law requires prior consent or another condition for device fingerprinting, cookies, local terminal equipment access, or similar technologies — including the ePrivacy Directive as implemented in the EU/EEA, PECR in the United Kingdom, or equivalent laws elsewhere — the site operator embedding Guard is responsible for satisfying that requirement before Guard runs.

4. Cookies and browser storage

Guard requests may include cookies scoped to the site or Guard endpoint where browser rules allow. Guard may also set a site-scoped security cookie to recognise repeated visits and detect account or session misuse. That cookie is HttpOnly, Secure, SameSite=None, and may remain for up to one year unless deleted earlier by the browser, the site operator, or PRISM.GG.

The visitor script does not use browser local storage for Guard visitor data. Temporary in-memory values may exist while the page is open to complete security checks.

5. Retention

Guard retains visitor records only as long as necessary for security decisions, abuse investigation, fraud prevention, debugging, service integrity, legal compliance, and detection tuning. Some short-lived security data expires automatically. Other request, cookie, risk, and operational records may be retained for a longer operational period because they are used to detect repeat abuse and cross-request patterns.

Unless a site operator's contract, an active security investigation, legal obligation, backup lifecycle, or service-integrity need requires a different period, Guard visitor request records are retained for no longer than 90 days. Site-scoped Guard cookie records may be retained for the life of the cookie and a reasonable period after last use where needed to detect misuse. Aggregated, de-identified, or statistical security data may be kept longer where it no longer identifies a visitor.

6. Controllers, processors, and third parties

For the data processed through this script:

The site operator (the publisher of the site you were visiting) is the controller in the sense of Article 4(7) GDPR. They decide that this protection is applied to their site and on what basis.
PRISM.GG Limited operates the Guard service on the site operator's behalf and acts as a processor under a written contract that satisfies Article 28 GDPR. PRISM.GG additionally acts as an independent controller for the limited purpose of maintaining the security and integrity of the Guard service itself (for example, aggregate abuse intelligence across its customer base), as permitted for network and information security under GDPR Recital 49.
hCaptcha, provided by Intuition Machines, Inc., is engaged as a sub-processor when a human-verification challenge is required. Guard may load the hCaptcha browser script, receive an hCaptcha response token, and verify that token server-side with hCaptcha. The verification request may include your IP address where needed for the challenge check. hCaptcha processes data under its own privacy policy.
BunnyWay d.o.o. (trading as bunny.net), a company incorporated in Slovenia, is engaged as a sub-processor for content-delivery, edge network, and related infrastructure services. BunnyWay processes data under its own privacy policy and on contractual terms that satisfy Article 28 GDPR.
Other conventional infrastructure providers used by PRISM.GG to host, store, secure, route, log, monitor, and analyse the service (including database, cloud hosting, DDoS mitigation, logging, monitoring, and network intelligence providers) act as further sub-processors under equivalent contractual terms where required.

Data processed through Guard is not sold, is not shared for cross-context behavioural advertising or targeted advertising, is not used to build advertising or marketing profiles, and is not shared with advertising networks or data brokers.

7. International transfers

PRISM.GG Limited is established in the United Kingdom. Data processed through the Guard service, and through hCaptcha, may be processed in the United Kingdom, the European Economic Area, the United States, and other jurisdictions where the relevant sub-processors operate. Transfers out of the UK/EEA rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or equivalent safeguards under Article 46 GDPR, together with any supplementary measures assessed as appropriate.

8. US state privacy disclosures

Depending on the law that applies to you, including California and other US state privacy laws, the categories of personal information processed by Guard may include identifiers, internet or other electronic network activity information, approximate location inferred from IP address, and inferences used only for security, fraud-prevention, and abuse-prevention purposes. Guard does not intentionally process sensitive personal information for the purpose of inferring characteristics about you.

PRISM.GG does not sell Guard visitor data and does not share it for cross-context behavioural advertising. Guard visitor data is disclosed only to the site operator, PRISM.GG service providers and sub-processors, and where required for security, legal compliance, or protection of rights.

9. Your rights

Depending on your jurisdiction you may have rights of access, rectification, erasure, restriction, portability, and objection, and the right not to be discriminated against for exercising privacy rights. You may also have the right to opt out of sale, sharing, or targeted advertising; Guard does not sell visitor data or share it for targeted advertising. You may have the right to lodge a complaint with a supervisory authority (in the United Kingdom, the Information Commissioner's Office). As the controller, the site operator is the primary point of contact for exercising rights about its use of Guard. PRISM.GG Limited will support the site operator in responding, and will handle requests directed to it in its own controller capacity (see Section 6).

To request erasure of data held about you in the Guard service, email [email protected]. Because the service does not hold direct identifiers such as your name or email address, your request must include an identifier that allows your records to be located, for example:

the domain of the site on which the script ran;
the approximate date and time of the request;
the IP address used for the request, if you are comfortable providing it;
the value of the Guard cookie set in your browser for that site (if present), or any other cookie the site operator has correlated with your session; and/or
your account identifier on that site (for example user ID or username), provided you are able to demonstrate that the account is yours.

Requests without a sufficient identifier cannot be actioned, because PRISM.GG cannot otherwise link records to you without disproportionate effort (Article 11 GDPR). PRISM.GG may ask for reasonable additional information to verify the request before acting on it.

10. Children

The script is not directed at children and does not knowingly collect data from children for advertising or profiling. Guard may still process technical security data from a request if a child visits a site protected by Guard, because the processing is tied to site security rather than to the visitor's age.

11. Changes

Material changes to this policy will be reflected in the “Last updated” date above. Continued operation of the script after a change constitutes notice of the updated terms.

12. Contact

For requests concerning your personal data in the first instance, contact the operator of the site you were visiting when this script ran; they are the controller for their use of Guard (Section 6).

For matters concerning the Guard service itself, contact:

PRISM.GG Limited
Privacy enquiries: [email protected]
Data access / erasure requests: [email protected]