This Privacy Notice explains how Caution SEZC (“Caution”, “we”, “us”) collects, uses, shares and protects personal data when you use our hosted services, website, and control plane (collectively, the “Services”).
This Notice is part of our Terms of Service. Capitalised terms not defined here have the meaning given in the Terms.
We handle personal data in accordance with the Cayman Islands Data Protection Act (As Revised) (the “DPA”) and other applicable data protection laws. This Notice is intended to give you clear and accessible information about how and why we process personal data, the limited situations in which we share it, and the rights available to you under the DPA and, where applicable, other data protection regimes.
1. Who we are and how to contact us
Caution SEZC is a special economic zone company organised under the laws of the Cayman Islands. Unless otherwise stated, Caution is the Data Controller for the purposes of this policy.
If you have questions about this Notice or how we handle personal data, you can contact us at:
- Email: legal@caution.co
- Postal: Caution SEZC, P.O. Box 10008, Willow House, Cricket Square, Grand Cayman, Cayman Islands KY1-1001, Cayman Islands
You also have the right to contact the Cayman Islands Ombudsman, the supervisory authority for the DPA, at https://ombudsman.ky/data-protection, or another relevant data protection authority where applicable, if you are not satisfied with our response.
2. Scope and roles
This Notice covers personal data we handle when:
- You visit our website or documentation.
- You create or use an account on the Services.
- You use the Services as an end user (for example, to deploy or manage workloads).
- You contact us for support, sales, or security reports.
We handle personal data in different capacities depending on context:
- For personal data contained in customer workloads that you or your organisation choose to deploy or process through the Services, Caution acts solely as a Data Processor. We process such personal data only on the documented instructions of the relevant customer and do not determine the purposes or means of that processing. For the avoidance of doubt, Caution is not a Data Controller or joint Data Controller in respect of customer workload content.
- For limited account and operational data for which we determine the purposes and means of processing, such as account identifiers and credentials you provide, optional contact details, service usage/telemetry required to operate and secure the Services, security and audit logs, billing and payment records, and support communications, Caution acts as a Data Controller.
Where we act as a Data Processor, our processing is governed by the Caution Data Protection Addendum agreed with the relevant customer and applicable law. The Data Controller remains responsible for determining the lawful basis, providing any required notices to data subjects, and ensuring that we are instructed as necessary to comply with applicable law.
We do not currently use cookies, tracking pixels, or similar technologies on our websites, and we do not collect analytics or profiling data about visitors to our websites. If this changes, we will update this Notice and, where required, obtain consent.
3. Information we collect
We design our Services to operate with minimal personal data. Depending on how you use the Services, we may collect:
3.1 Account and profile information
- Optional contact information such as email address.
- Authentication information (for example, public keys or identity provider identifiers) where used.
You may choose to use the Services without providing an email address. In that case, you will not receive email notices or updates and are responsible for checking our website or documentation for changes.
3.2 Service telemetry and logs
As described in our Terms of Service, we collect limited telemetry and logging information to operate and secure the Services, including:
- Service health signals such as error rates, crash reports, and failed requests.
- Performance metrics such as latency, CPU or memory usage, and queue depth.
- Usage signals such as which features are exercised, how often, and in what combinations.
- Diagnostic context such as stack traces, error codes, and version identifiers.
- Network-level information such as IP addresses in transient connection state, and in security-related logs (for example, authentication events, intrusion detection, rate limiting, or abuse prevention).
Telemetry is collected and used solely as an operational necessity to provide, protect, and improve the operation and reliability of the Services. It is limited to what is strictly necessary for service operation, security, and reliability. Telemetry is not intended to include your workload content or secrets.
3.3 Support and communications
- Messages and contact details you send us (for example, support emails, security reports, sales inquiries).
- Metadata about communications (such as dates and times, and which account they relate to).
3.4 Customer workload data
Customers may send or process data through the Services as part of their workloads. This data is controlled by the relevant customer. We process it on their instructions to provide the Services and do not use it for our own independent purposes.
Customers are responsible for ensuring that they have a lawful basis for processing any personal data in their workloads.
4. How we use personal data
We use personal data only for limited, clearly defined purposes:
- To provide the Services
  - Creating and managing access to the Services.
  - Operating the control plane and execution environments.
  - Processing workloads according to your configuration.
- To secure and maintain the Services
  - Monitoring service health and performance.
  - Detecting, investigating, and preventing abuse, fraud, or security incidents.
  - Applying updates and fixes, and ensuring availability and integrity.
- To support you
  - Responding to support tickets, security reports, and other inquiries.
  - Communicating about incidents, changes, or important service notices.
- To meet legal and compliance obligations
  - Keeping records required by law.
  - Responding to lawful requests from competent authorities, where applicable.
We do not use customer workloads or data to train models, or to develop unrelated products or services outside the context of operating, securing, and improving the Services.
We do not use telemetry or logs for long-term behavioural profiling or tracking of individual users.
5. Legal bases for processing
Where applicable data protection laws require a legal basis (for example, under the Cayman DPA or similar regimes), we rely on one or more of the following:
- Performance of a contract (providing the Services under our Terms or an order form).
- Legitimate interests (for example, securing and operating the Services, preventing abuse), balanced against your interests and rights.
- Compliance with legal obligations (for example, maintaining certain records, responding to lawful requests).
- Your consent, where required and explicitly obtained (for example, for certain communications).
When we process personal data on behalf of a customer as Data Processor, the customer is responsible for identifying the appropriate legal basis. Where we act solely as a Data Processor, we will respond to data subject requests in accordance with the customer’s instructions and applicable law.
6. Sharing and subprocessors
We do not sell personal data.
We may share personal data with:
- Service providers (subprocessors)
  - Cloud and infrastructure providers.
  - Email and communication providers.
  - Payment processors.
  - Code hosting and continuous integration services.
  These providers only process personal data on our instructions and under contracts that require appropriate confidentiality and security. We maintain an up-to-date list of subprocessors and make it available through our website or upon request.
- Customers and their users. When we process data on behalf of a customer, personal data may be accessible to that customer and its authorised users according to their configuration.
- Corporate transactions and reorganisation. We may share or transfer personal data in connection with, or in anticipation of, a corporate transaction, including a merger, acquisition, reorganisation, restructuring, change of control, or sale of all or part of our business or assets. Any such disclosure will be limited to what is reasonably necessary for the purposes of the transaction and will be subject to appropriate confidentiality and data protection safeguards. Any recipient will be required to protect personal data in a manner consistent with this Notice or provide materially equivalent protections.
- Authorities and others where required by law. Where we are legally required to do so, or where necessary to protect our rights, users, or the Services, we may disclose limited information to competent authorities or other third parties.
7. International transfers
Caution operates from the Cayman Islands and may use service providers located in other countries. Where personal data is transferred across borders, we take appropriate steps to ensure an adequate level of protection, consistent with applicable data protection laws. Such steps may include contractual protections, inter-company arrangements, and transfer risk assessments appropriate to the nature of the data and destination.
If required by law, we will use appropriate transfer mechanisms (for example, contractual clauses) for personal data moving from certain jurisdictions.
8. Retention
We keep personal data only for as long as needed for the purposes described in this Notice or as required by law. We determine retention periods based on factors such as the type of data, the nature of our relationship with you, legal and regulatory requirements, and the need to investigate or defend potential claims. In particular:
- Account and profile data: Kept while your access to the Services is active and for a reasonable period afterwards (for example, to handle queries or disputes), then deleted or irreversibly anonymised.
- Routine telemetry (service health and performance): Kept only for the minimum period reasonably necessary to monitor service operation, investigate issues, and meet applicable legal or compliance requirements, after which it is deleted or irreversibly anonymised.
- Security and audit logs: May be retained for longer periods where needed to detect, investigate, and respond to security incidents or to comply with legal and regulatory obligations.
- Support communications: Kept for as long as needed to address your request and maintain a record of interactions, then deleted or anonymised in line with our retention practices.
When data is no longer needed, we either delete it or anonymise it so it can no longer be linked to an identified individual.
9. Your rights
Depending on where you live and the laws that apply, you may have some or all of the following rights in relation to personal data we control:
- Access: To request a copy of personal data we hold about you.
- Correction: To request that inaccurate or incomplete data be corrected.
- Deletion: To request that certain data be deleted, subject to our legal and contractual obligations to retain certain records.
- Restriction: To request that we temporarily limit how we use certain data.
- Objection: To object to certain types of processing, including where based on legitimate interests.
- Portability: To receive certain data in a structured, commonly used format and to request that we transfer it to another controller where technically feasible.
- Withdrawal of consent: Where we rely on consent, to withdraw that consent at any time (without affecting processing already carried out).
To exercise your rights, contact us at legal@caution.co. We will respond within the timeframes required by law (subject to any permitted extensions) and may request information necessary to verify your identity and locate data. Certain requests may be limited by law (for example, where disclosure would adversely affect the rights of others).
Where we process personal data on behalf of a customer as Data Processor, you should direct your request to that customer, and we will assist them as required.
You also have the right to lodge a complaint with the Cayman Islands Ombudsman (see https://ombudsman.ky/data-protection) or, where applicable, another competent data protection authority.
10. Security
We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures align with the security responsibilities described in our Terms of Service and may include:
- Access controls and authentication.
- Network and infrastructure security measures.
- Encryption in transit and at rest where appropriate.
- Logging and monitoring for security-relevant events.
- Regular updates and patching of platform components.
No system can be perfectly secure, but we work to maintain a level of security appropriate to the risks associated with our Services.
11. Children
The Services are not directed to children and are intended for use by adults in a business or professional context. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
12. Changes to this Notice
We may update this Privacy Notice from time to time to reflect changes to our practices or legal requirements.
When we make changes, we will:
- Update the “Last updated” date at the top of this Notice; and
- Where changes are material, take reasonable steps to notify you (for example, through the Services or our website).
Your continued use of the Services after an updated Notice takes effect means you acknowledge the updated Notice.