Privacy Policy

1. Who we are

AI-Guardian (“AI-Guardian,” “we,” “us”) provides a browser extension and web dashboard that detect sensitive data in generative-AI prompts before they are sent to third-party services such as ChatGPT, Claude, or Gemini. This policy applies to the extension, our marketing site, and every product surface we operate.

2. The one thing we don't collect

We do not store the content of your prompts, responses, or any other text you type into a generative-AI tool. Detection happens locally in your browser. When you block or redact a prompt, the original text stays on your device; only anonymised metadata (the category of finding, its severity, the platform name) leaves the device, and only so we can maintain audit logs and product counters.

3. Personal data we do process

• Account data: email, name, and company (for Enterprise accounts), plus the hashed password you set at signup.
• Usage metadata: anonymised detection events (category, severity, framework tags, platform) — never the underlying text.
• Referral data: the opaque referral code you share and the email of friends you invite (used only to attribute unlocks, never marketed to).
• Lead data: if you submit a Book-a-Demo or Contact form, we store your name, work email, and company. No phone, no location, no tracking pixels.
• Technical logs: IP address, user-agent, and timestamps retained for up to 30 days to protect the service.

4. How we use it

We only process personal data for one of the following purposes:

• Provide and maintain the service you signed up for.
• Produce anonymised product analytics (e.g. weekly Privacy Score, live leak counter).
• Respond to your inquiries, book demos, and manage Enterprise onboarding.
• Comply with legal obligations, including responding to data-subject requests.

5. Lawful bases (GDPR Art. 6)

• Contract — when processing is necessary to deliver the service you requested.
• Legitimate interests — running product analytics, keeping the platform secure, and protecting against fraud.
• Consent — for any optional feature where we'll always ask you first.
• Legal obligation — where local law compels retention or disclosure.

6. Sub-processors

We use a small number of trusted vendors to run the service. Each is bound by a written Data Processing Agreement aligned with GDPR Art. 28. Current list:

• Supabase — authentication, Postgres database, edge functions. EU region for EU tenants.
• Vercel — web hosting and CDN.
• Cloudflare — DNS and edge security.

7. Your rights

Under the GDPR

You can request access, rectification, erasure, restriction, portability, or object to processing. Email privacy@ai-guardian.app and we will respond within 30 days.

Under the CCPA/CPRA

California residents additionally have the right to know, delete, and opt out of the sale or sharing of their personal information. We do not sell or share personal information.

8. Retention

We keep account data for as long as your account is active, plus 180 days after deletion for billing, dispute resolution, and backup hygiene. Anonymised metadata (which cannot be re-linked to a person) is retained indefinitely.

9. International transfers

Data originating in the EEA is primarily processed in EU regions. Any transfer outside the EEA is protected by Standard Contractual Clauses (SCCs) and supplementary technical measures, including end-to-end TLS and encryption-at-rest.

10. Security

All network traffic is TLS 1.2+. Database encryption is managed by Supabase (AES-256 at rest). Access to production systems is limited to named engineers, two-factor authenticated, and audit-logged.

11. Changes to this policy

We may update this policy from time to time. Material changes will be flagged on this page and, where legally required, via email.

12. Contact

Privacy questions: privacy@ai-guardian.app.
Data Protection Officer: dpo@ai-guardian.app.