Introduction
This Privacy Policy explains how SecureAIFlow ("we", "us", "our") collects, uses, discloses, and protects personal data when you interact with:
- Our website at secureaiflow.com
- The SecureAIFlow VS Code extension
- The SecureAIFlow browser extension (Chrome, Edge)
- The SecureAIFlow platform, dashboard, and API
We act as a data controller for account and website information, and as a data processor for content you submit through our extensions on behalf of your organization. The terms governing our processor role are set out in our Data Processing Agreement.
Data We Collect
Account and Contact Data
When you create an account, request a demo, or contact us, we collect:
- Name and work email address
- Company name and team size
- Job title (optional)
- Authentication tokens used to log you into the extensions and dashboard
Prompt Content (Processed, Not Stored)
When you use the browser extension or VS Code extension, prompts you submit to AI chat interfaces (ChatGPT, Claude, Gemini) or to the in-IDE assistant are transmitted to the SecureAIFlow redaction engine for real-time sanitization. This prompt content may contain:
- Personally identifiable information (names, emails, phone numbers, national IDs)
- Authentication credentials (API keys, tokens, passwords) present in the text
- Proprietary source code or business data
- The website content of the page where the prompt was submitted
Usage and Activity Data
We record metadata about how our services are used, including:
- Redaction events (number of detections, categories, timestamps)
- Source of the prompt (VS Code extension, browser, web dashboard)
- Token usage by LLM provider for billing and analytics
- Technical telemetry (errors, latency, extension version)
Technical and Device Data
- IP address, browser type, operating system
- Session identifiers and cookies required for authentication
How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide real-time redaction of prompts before they reach third-party LLMs | Performance of a contract |
| Authenticate you into the extensions and dashboard | Performance of a contract |
| Provide audit logs and usage analytics to your organization | Performance of a contract |
| Respond to support requests and communicate product updates | Legitimate interest |
| Detect abuse, fraud, and ensure service security | Legitimate interest |
| Comply with legal obligations (GDPR, DORA, loi 09-08) | Legal obligation |
| Marketing communications (only with opt-in) | Consent |
Data Retention
- Prompt content: processed in-memory only, never stored (0 days retention)
- Redaction metadata (audit logs): retained for the duration of your contract, plus a regulatory buffer where applicable
- Account data: retained while your account is active, deleted within 30 days of account closure
- Support correspondence: retained for 24 months
- Billing records: retained for 10 years as required by applicable tax law
- Website analytics: retained for 14 months
Data Hosting and International Transfers
SecureAIFlow hosts its production infrastructure in the European Union (primary region: Germany). On-premise deployment is available for customers who require data to remain entirely within their own infrastructure.
Where personal data is transferred outside the European Economic Area, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Technical safeguards including pseudonymization before data leaves the EEA
- Contractual confidentiality obligations with all subprocessors
A current list of subprocessors is maintained at secureaiflow.com/legal-subprocessors.
Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for all stored data
- HMAC-SHA256 pseudonymization of detected sensitive values
- Role-based access control (RBAC) across all platform surfaces
- Audit logging of administrative actions
- Principle of least privilege for internal access to customer data
- Regular security reviews and dependency scanning
Additional security documentation is available under NDA on request.
Your Rights
If you are located in the European Economic Area, United Kingdom, or Morocco, you have the following rights regarding your personal data:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data
- Right to restriction — limit how we process your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — at any time, where consent is the legal basis
- Right to lodge a complaint — with your national data protection authority (for Morocco: CNDP)
To exercise any of these rights, contact us at [email protected]. We respond within 30 days.
Browser Extension — Specific Disclosures
The SecureAIFlow browser extension operates on the following domains only:
- chatgpt.com and chat.openai.com
- claude.ai
- gemini.google.com
- api.secureaiflow.com (our own backend)
On these domains, the extension reads the outgoing prompt text, sends it to the SecureAIFlow redaction API, and substitutes the sanitized version before it reaches the provider. The extension does not:
- Read or transmit data from any other website
- Collect browsing history, bookmarks, or tab data
- Execute remote code — all JavaScript ships within the extension package
- Sell, rent, or transfer user data to third parties
- Use data for purposes unrelated to the extension's single purpose of prompt redaction
- Use data to determine creditworthiness or for lending purposes
VS Code Extension — Specific Disclosures
The SecureAIFlow VS Code extension communicates only with api.secureaiflow.com over HTTPS. Code you select or include in prompts is transmitted to the redaction engine, sanitized, then forwarded to the LLM provider you have configured. Code content is processed in-memory and never stored. The extension does not upload your repositories, open files, or telemetry beyond anonymous error reporting.
Cookies and Tracking
Our website uses only essential cookies required for:
- Session authentication on the dashboard
- Security (CSRF protection)
- Aggregate, privacy-preserving analytics (Cloudflare Web Analytics — no cookies, no cross-site tracking)
We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers.
Children
SecureAIFlow is a business-to-business product. Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we update the "Effective" date at the top of this page. For material changes, we will notify customers by email or through an in-product notice at least 30 days before the changes take effect.
Contact
For privacy questions, data subject requests, or to contact our Data Protection point of contact: