Privacy Policy

Last updated: 26 May 2026

1. Introduction

AI Shield (operated by Koller Group, "we", "our", or "us") provides a Chrome extension and web platform that helps companies prevent accidental data leaks when employees use AI chat tools.

This Privacy Policy explains how we collect, process, store, and share information when you use:

• The AI Shield Chrome extension
• The AI Shield web dashboard at getaishield.co
• Any related services we provide

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and applicable data protection laws.

2. Information We Collect

We collect the following categories of information:

2.1. Account Information

When you sign up for AI Shield, we collect:

• Email address — used for account access, security notifications, and compliance reports
• Name (optional) — used for personalization in emails and dashboards
• Company name — used to group team members under a single subscription
• Password (hashed) — stored using industry-standard bcrypt encryption; we cannot recover or read your password
• Role (manager or employee) — determines dashboard access level

2.2. Subscription and Billing Information

For paid plans:

• Stripe Customer ID — to manage your subscription
• Subscription tier (Essentials, Compliance, Business) and billing cycle
• Payment details are processed and stored by Stripe — we do NOT store credit card numbers, CVV, or full payment information on our servers

2.3. Detection Events (Generated by Extension)

When the AI Shield Chrome extension detects sensitive data patterns in your AI tool inputs, we log:

• Type of data detected (e.g., "IBAN", "credit card", "API key") — but NOT the actual content
• Timestamp of the detection
• AI platform where detection occurred (e.g., "chatgpt.com")
• Action taken (data removed, sent anyway, ignored)
• User identifier (anonymized within company scope)

2.4. Technical Information

Automatically collected when you use our services:

• IP address — for security, fraud prevention, and rate limiting
• Browser type and version — for compatibility
• Operating system — for support
• Extension version — for debugging and update notifications
• Session tokens — for authentication (stored locally in browser)

2.5. Communication Data

If you contact us:

• Email correspondence content
• Support ticket details
• Feedback and feature requests you provide

3. How We Use Your Information

We use your information for the following purposes:

Purpose	Legal Basis (GDPR)
Provide and maintain the AI Shield service	Contract performance (Art. 6(1)(b))
Process payments and manage subscriptions	Contract performance (Art. 6(1)(b))
Send compliance reports and product updates	Contract performance (Art. 6(1)(b))
Detect and prevent fraud or abuse	Legitimate interest (Art. 6(1)(f))
Improve our services and develop new features	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a)) — opt-in only

4. How We Process Your Data

Our data processing follows these principles:

4.1. Client-Side Detection

The AI Shield Chrome extension performs all sensitive data detection locally in your browser. This means:

• Your AI tool prompts are analyzed in real-time within the browser
• No prompt content is transmitted to our servers
• Only detection events (metadata) are sent to our backend for logging
• Detection patterns (regex, Luhn validation, entropy analysis) run entirely client-side

4.2. Server-Side Processing

Our backend processes:

• Account creation and authentication
• Subscription management (via Stripe)
• Detection event aggregation for compliance dashboards
• Email delivery (via Resend)
• Audit log generation for GDPR Article 30 records

4.3. Automated Decision-Making

AI Shield uses automated pattern matching to detect sensitive data, but does NOT make automated decisions that produce legal effects or similarly significant effects on you (GDPR Article 22). The detection alerts allow YOU to decide whether to remove data, proceed, or ignore the warning.

5. How We Store Your Data

5.1. Storage Location

All data is stored on servers located in the European Union (specifically Railway infrastructure in the EU region) and in the United States (Stripe payment processing). We have implemented Standard Contractual Clauses (SCCs) for any data transfers outside the EU.

5.2. Encryption

• In transit: All data transmissions are encrypted using TLS 1.2 or higher
• At rest: Database storage uses AES-256 encryption
• Passwords: Hashed using bcrypt with cost factor 12
• Session tokens: JWT-signed and time-limited

5.3. Retention Periods

Data Type	Retention Period
Account information	Active account + 30 days after deletion
Detection events	2 years (for GDPR audit compliance)
Payment records	7 years (legal/tax requirements)
Email logs	1 year
Server logs	90 days
Marketing data	Until consent withdrawn

5.4. Data Deletion

You can request deletion of your account and associated data at any time by emailing privacy@getaishield.co. We will process deletion requests within 30 days.

6. How We Share Your Data

We do NOT sell your personal data. We share data only with the following categories of third parties, all under data processing agreements (DPAs) compliant with GDPR Article 28:

6.1. Service Providers (Sub-Processors)

Provider	Purpose	Location
Railway	Backend hosting and database	EU / US
Stripe	Payment processing	US (SCC + DPA in place)
Resend	Transactional email delivery	EU
Cloudflare	CDN, DNS, security	Global
Google Workspace	Business email and support	EU / US (SCC in place)

6.2. Legal Requirements

We may disclose your data if required by law, court order, or government authority. We will notify you of such requests when legally permitted.

6.3. Business Transfers

If AI Shield is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and provide options regarding your data.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• HTTPS/TLS encryption for all data transmissions
• Encrypted storage of sensitive data
• Access control with role-based permissions
• Regular security audits and code reviews
• Secure password hashing (bcrypt)
• Rate limiting and brute-force protection
• Incident response procedures
• Regular backups with encryption

Data breach notification: In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.

8. Your Rights Under GDPR

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

• Right of access (Art. 15): Request a copy of your personal data
• Right to rectification (Art. 16): Correct inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to restrict processing (Art. 18): Limit how we use your data
• Right to data portability (Art. 20): Receive your data in a machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent (Art. 7): Withdraw consent at any time where processing is based on consent
• Right to lodge a complaint: File a complaint with your national data protection authority

8.1. How to Exercise Your Rights

To exercise any of these rights, email us at privacy@getaishield.co. We will respond within 30 days (extendable to 60 days for complex requests).

8.2. Supervisory Authorities

You can lodge complaints with your national data protection authority. For UK users: ICO (Information Commissioner's Office). For EU users: find your national authority.

9. Browser Extension Specific Disclosures

The AI Shield Chrome extension requires the following permissions and has the following data practices:

9.1. Permissions Used

Permission	Purpose
storage	Store your authentication token and company code locally in the browser
Host permissions (AI platforms)	Inject content scripts to detect sensitive data patterns on supported AI chat platforms

9.2. Supported AI Platforms

The extension activates ONLY on the following platforms:

• chatgpt.com / chat.openai.com
• claude.ai
• gemini.google.com
• copilot.microsoft.com
• www.perplexity.ai
• chat.mistral.ai
• huggingface.co
• groq.com

9.3. What the Extension Does NOT Do

• Does NOT read or transmit the content of your AI prompts
• Does NOT activate on any website outside the listed AI platforms
• Does NOT access your browsing history, bookmarks, or other extensions
• Does NOT collect biometric or location data
• Does NOT share data with advertisers or data brokers

9.4. Local Storage

The extension stores the following locally in your browser (Chrome's chrome.storage.local):

• Authentication token (JWT)
• Company code (to link to your team's account)
• User preferences and settings

This data is NOT shared with any server unless required for authentication.

10. Children's Privacy

AI Shield is a business-to-business product intended for use by adults (18 years or older) in professional settings. We do NOT knowingly collect data from children under 16 years of age. If you believe we have collected such data, please contact us immediately at privacy@getaishield.co and we will delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

• We will update the "Last updated" date at the top
• For material changes, we will notify you via email at least 30 days before changes take effect
• For minor changes, the updated policy will take effect immediately upon publication

You can review the version history of this policy by contacting us.

12. Contact Us

For any privacy-related questions, requests, or concerns:

• Email: privacy@getaishield.co
• General inquiries: hello@getaishield.co
• Data Protection Officer (DPO): dpo@getaishield.co
• Website: getaishield.co

Company: AI Shield is a product of Koller Group. Company registration details will be updated once formal incorporation is complete.