Privacy Policy

Last updated: 3 June 2026

Compresh Ltd (“Compresh”, “we”, “us”, “our”) operates the website compre.sh and the Compresh service — a context-compression and episodic-memory layer for LLM APIs, offered as a hosted proxy, an MCP server, and hooks (the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have.

For the purposes of UK GDPR and EU GDPR, the data controller is Compresh Ltd, a company registered in England & Wales (company no. 17134534). Contact: [email protected].

By using the Service you agree to this Policy. If you do not agree, please do not use the Service.

1. Information we collect

Account data you provide. Email address (required to register and verify your account); any name or details you choose to add; records of your correspondence with us (e.g. support emails).

Provider API keys (BYOK). If you bring your own LLM provider key, we store it encrypted at rest and use it only to forward your requests to the provider you chose. We do not use your keys for any other purpose.

Conversation content (“Inputs”). When you route requests through the hosted proxy or the paid /v1/tul1 endpoint, the conversation content you send is processed so we can compress it. See Section 3 for exactly how this is handled.

Billing data. When you add budget or subscribe, payments are processed by Stripe. We do not store your card details — Stripe handles them under PCI-DSS. We retain billing records (amounts, dates, plan) for accounting and legal compliance.

Usage and technical data, collected automatically. IP address, request metadata, pages visited, referrer, approximate location (derived from IP), browser and device type, and server log data. We also record per-request technical metrics (e.g. token counts and savings) to operate billing and the Service.

2. How we use your data, and our legal bases

We use personal data to:

• Provide and operate the Service (compress your requests, route them to your provider, run your dashboard). Legal basis: performance of a contract.
• Bill you and take payment, and keep accounting records. Legal basis: contract and legal obligation.
• Secure the Service — detect and prevent fraud, abuse, prompt-injection and security threats. Legal basis: legitimate interests and legal obligation.
• Communicate with you about your account, service changes, and (only if you opt in) product updates. Legal basis: contract, and consent for marketing.
• Improve the Service using aggregated, de-identified metrics. Legal basis: legitimate interests.
• Comply with law and enforce our Terms. Legal basis: legal obligation and legitimate interests.

3. Conversation content and provider keys — how we handle them

This is the part that matters most for an LLM tool, so we are specific:

• The open-source core run locally (compresh-mcp / tulbase on your own machine) processes your conversation on your device. In that mode your content and your provider keys never reach our servers.
• The hosted proxy / /v1/tul1 processes your conversation content transiently to perform compression, then forwards the compacted request to the LLM provider you chose, using your key. Processing happens per request in an isolated workspace that is cleaned up after the request completes.
• We do not use your conversation content to train any model, and we do not sell it.
• We retain only the technical metrics needed to operate billing and the Service (e.g. token counts and savings), not the underlying conversation text, except where briefly required to process the request or where you explicitly enable a feature that stores content.
• The LLM provider you choose (e.g. OpenAI, Anthropic, Google, OpenRouter, or a local runtime) receives your request and is an independent controller of how it handles it; please review that provider’s terms.

4. Cookies and analytics

We keep this minimal:

• Strictly necessary storage only — a session/authentication token so you can stay signed in. This is essential and cannot be disabled.
• Analytics via Cloudflare Web Analytics, which is cookieless and does not track you across sites. We do not use Google Analytics, advertising cookies, or behavioural remarketing.

Because we do not use tracking or advertising cookies, no intrusive cookie-consent banner is required; this section is the disclosure.

5. Who we share data with

We do not sell your personal data. We share it only with:

• Service providers (processors) acting on our instructions under contract:
  • Stripe — payment processing.
  • Cloudflare — CDN, edge security, cookieless analytics.
  • Hetzner — server hosting (EU / Germany).
  • Zoho — email ([email protected] correspondence).
  • LLM providers — only when you route a request through us, to fulfil that request with your chosen provider and your key.
• Authorities, where required by law or to protect rights, safety, or our Service.
• A successor, in a merger, acquisition, or sale of assets (you will be notified).
• With your consent, in any other case.

6. Data retention

We keep account and billing data for as long as your account is active and as long as required afterwards for legal, accounting, and dispute-resolution purposes, then delete or anonymise it. Conversation content sent to the hosted proxy is processed transiently and not retained as described in Section 3. Server logs and aggregated metrics are kept for a limited period for security and analysis.

7. International transfers

Our servers are hosted in the EU (Hetzner, Germany). Some processors (e.g. Stripe, Cloudflare) may process data in the United States or other countries. Where data leaves the UK / EEA, we rely on appropriate safeguards — UK/EU adequacy decisions or Standard Contractual Clauses — to protect it.

8. Your rights

Under UK GDPR / EU GDPR you have the right to: access your data; correct it; delete it; restrict or object to processing; data portability; and withdraw consent at any time (without affecting prior processing). You can exercise most of these from your account or by emailing [email protected]; we may verify your identity first.

You also have the right to complain to the UK Information Commissioner’s Office (ICO, ico.org.uk) or your local EEA data protection authority.

9. Security

We use technical and organisational measures to protect your data, including encryption of provider keys at rest, restricted access, and an origin firewall. No method of transmission or storage is completely secure; you are responsible for keeping your account credentials confidential.

10. Children

The Service is not intended for anyone under 13, and we do not knowingly collect data from children. If you believe a child has provided us data, contact [email protected].

11. Changes to this Policy

We may update this Policy. We will post the revised version here with a new date and, for material changes affecting registered users, notify you by email. Continued use after changes means you accept the revised Policy.

12. Contact

Questions or requests: [email protected]

Compresh Ltd — Unit 501 Leroy House, 434–436 Essex Road, London, N1 3FY, United Kingdom. Registered in England & Wales, company no. 17134534.