In an example embodiment, a request for data is received from an end-user device, the request including one or more contextual attributes of the end-user device. The request is forwarded to a data provider. Data is then received from the data provider. It is determined if the data includes tagged sensitive data. If so, then the tagged sensitive data and the one or more contextual attributes are sent to a data access platform. Then policy constraints corresponding to the data are received from the data access platform. The sensitive data is encrypted in a manner that a data privacy module on the end-user device only decrypts the sensitive data when one or more contextual attributes of the end-user device meet one or more requirements identified in the policy constraints, and then the encrypted sensitive data and the policy are sent to the data privacy module.