Privacy Policy

1. Introduction

Prompt Shield ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our Data Loss Prevention browser extension and related services ("Service").

2. Information We Collect

2.1 Content Data

When you use our DLP scanning features, we process:

  • Text content submitted for sensitive data detection
  • File content uploaded for analysis
  • Web page content scanned by the browser extension

Important: This content is processed in real-time and is not stored or retained after analysis.

2.2 Account and Usage Information

  • License key and subscription details
  • Account information (name, email, organization)
  • API usage statistics and scan counts
  • Browser extension settings and preferences
  • IP addresses for security and rate limiting

2.3 Security and Analysis Data

  • Cryptographic hashes of submitted text (NOT the actual text content)
  • Threat detection metadata (types of threats detected, confidence scores)
  • Risk assessments and sensitivity classifications
  • Override decisions and business justifications when users bypass warnings
  • IP addresses for license validation and usage tracking
  • Timestamps and scan frequency analytics
  • File metadata (names, sizes, types) for uploaded files - NOT file contents

🔒 Privacy Protection: We never store the actual sensitive text content you submit. Only cryptographic hashes and detection metadata are retained for audit and compliance purposes.

3. How We Use Your Information

3.1 Service Provision

  • Analyzing content in real-time using Google DLP API (content is not stored)
  • Providing immediate threat detection and risk assessment results
  • Maintaining license validation and usage tracking via secure hashes
  • Sending webhook notifications with detection metadata (not original content)
  • Generating audit trails using anonymized identifiers

3.2 Service Improvement

  • Analyzing aggregated, anonymized usage patterns
  • Improving detection accuracy and reducing false positives
  • Optimizing service performance and reliability
  • Developing new features and capabilities

3.3 Communication

  • Sending service updates and security notifications
  • Providing customer support and technical assistance
  • Processing billing and subscription communications

4. Browser Extension Privacy & Data Processing

Our browser extension operates with privacy-first principles:

4.1 Real-Time Processing

  • Content is analyzed in real-time and immediately discarded after analysis
  • No persistent storage of your sensitive text content on our servers
  • Temporary processing by Google DLP API with automatic content deletion
  • Hash-based tracking for duplicate detection without content retention

4.2 What We DO NOT Store

  • ❌ The actual text content you type or paste
  • ❌ Files you upload for scanning
  • ❌ Web page content scanned by the extension
  • ❌ AI prompts or responses
  • ❌ Personal conversations or documents

4.3 What We DO Store

  • ✅ SHA-256 hashes of content (for duplicate detection)
  • ✅ Detection results (e.g., "SSN detected", confidence score)
  • ✅ Risk levels and threat classifications
  • ✅ Override justifications (when you bypass warnings)
  • ✅ Usage statistics and scan counts

4.4 Extension Behavior

  • Local Pre-Processing: Basic content analysis happens locally when possible
  • Minimal Data Transfer: Only content flagged for analysis is sent to our API
  • No Browsing Tracking: We do not track your browsing history or website visits
  • User Control: Users can disable scanning on specific sites or globally
  • Secure Communication: All API communication uses HTTPS encryption
  • No Content Persistence: Content is analyzed and immediately discarded

5. Data Security and Protection

We implement comprehensive security measures:

  • Encryption: All data transmission uses TLS 1.2+ encryption
  • Access Controls: Strict authentication and authorization systems
  • Infrastructure Security: Cloud services with enterprise-grade security
  • Regular Audits: Security assessments and vulnerability testing
  • Data Minimization: We collect only necessary information

6. Data Retention and Deletion

6.1 Content Data

🔒 Zero Content Retention: Your submitted text content, files, and scanned web pages are processed in real-time by Google DLP API and immediately discarded. We never store the actual content of your sensitive data on our servers.

6.2 Metadata and Audit Logs

  • Content hashes (SHA-256): Retained for 12 months for duplicate detection
  • Detection metadata: Threat types and confidence scores retained for 24 months
  • Override logs: Business justifications retained for 12 months for audit compliance
  • Usage statistics: Scan counts and timing data retained for 24 months for billing
  • Account information: Retained while account is active plus 90 days
  • Security logs: IP addresses and access logs retained for 90 days

7. Data Sharing and Third Parties

We do not sell, trade, or rent your personal information. Limited sharing occurs only for:

  • Google Cloud DLP API: For enhanced detection capabilities (processed securely)
  • Payment Processing: Stripe for subscription billing (minimal required data)
  • Email Services: SendGrid for service communications (email addresses only)
  • Legal Requirements: When required by law or to protect our rights

8. International Data Transfers

Our services are hosted on Google Cloud Platform with data processing primarily in the United States. We ensure appropriate safeguards for international data transfers, including:

  • Standard Contractual Clauses for EU data transfers
  • Adequate security measures and encryption
  • Compliance with applicable data protection laws

9. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request information about data we process
  • Correction: Update or correct your account information
  • Deletion: Request deletion of your account and associated data
  • Portability: Export your account data
  • Objection: Object to certain processing activities
  • Withdrawal: Withdraw consent for optional features

To exercise these rights, contact us at contact@promptshield.cloud

10. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

11. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale (note: we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Sending an email notification to registered users
  • Providing notice through our browser extension

13. Contact Us

For privacy-related questions, concerns, or requests, please contact us:

Last updated: August 18, 2025