GDPR compliance, enforced at the browser

Most GDPR incidents we see in 2026 don't start in a database — they start in a text box. AI-Guardian applies the GDPR's core principles at the exact moment an employee is about to press Enter.

The shadow-AI problem

Traditional DLP tools protect files at rest, email in transit, and databases behind a firewall. They were not designed for the moment a sales rep pastes a customer list into ChatGPT to summarise it. That paste is a disclosure, and under the GDPR it requires a lawful basis, a purpose, and often a contract with the recipient. AI-Guardian is built for that moment.

Mapping to the GDPR

  • Art. 5(1)(c) — Data minimisation. On-device detection strips direct identifiers (email, phone, national ID, IBAN, credit card) before the prompt is sent, so only the minimum necessary data reaches the model.
  • Art. 17 — Right to erasure. The most reliable way to guarantee that a third-party model can respect an erasure request is to ensure the data never arrived in the first place. Every prevented leak is a deletion you don't have to beg a vendor to perform.
  • Art. 25 — Data protection by design and by default. Detection and redaction are on by default, run without sending content to a server, and apply equally across ChatGPT, Claude, Gemini, and other supported platforms.
  • Art. 30 — Records of processing. The Admin Dashboard and audit log give your DPO a canonical record of which categories of personal data were detected, when, and on which platform — without ever storing the underlying content.
  • Art. 32 — Security of processing. Encrypted storage, role-based access, and tamper-evident audit logs are part of the service, not a bolt-on.

Lawful basis, respected by default

A common audit finding is that employees process personal data through AI assistants without a documented lawful basis. AI-Guardian forces the conversation: when the extension detects a category that maps to personal data under the GDPR, the user sees the legal framework that applies and is given a clear choice — redact, rewrite, or cancel. Every decision is logged and attributable.

Cross-border transfers

When an employee sends a prompt to a US-hosted model, a data transfer occurs. AI-Guardian drastically reduces the volume of personal data crossing that boundary, which in turn reduces the scope of your Transfer Impact Assessment and the frequency of SCC invocations.

This page is informational and is not legal advice. Please work with qualified counsel on your specific obligations.