Legal

Privacy Policy

Last updated: 2026-04-23

⚠️ Placeholder copy. This page is a legally-structured skeleton. Replace with counsel-reviewed text before collecting payments or EU traffic.Stripe won't fully verify a business without a functional privacy policy, and GDPR requires specifics not present in this template.

1. What We Collect

  • Account information — email, password (hashed by Supabase Auth), organization name, role.
  • Workspace metadata — when you connect Google Workspace or Microsoft 365, we read OAuth grant logs, user directory, and audit-log events. We do not read email content, file content, or calendar content.
  • AgentGuard activity — when activity is submitted for classification, we analyze prompt and response content in memory and store only the classification result and content length. The raw content is not persisted.
  • Billing information — handled by Stripe; we store a customer ID and subscription ID, not card details.
  • Operational logs — timestamps, IP addresses, user agents, and request IDs for security and debugging. Retained 30 days.

2. How We Use Data

  • To provide the Service (scanning, classification, alerting).
  • To send transactional email (confirmation, password reset, alerts).
  • To detect and prevent abuse of the Service.
  • To comply with legal obligations.

We do not sell Customer Data. We do not use it to train models.

3. Sub-processors

We share data with the following sub-processors:

  • Supabase — primary database + authentication (US)
  • Vercel — application hosting (US)
  • Stripe — billing (US)
  • Cloudflare — DNS, CDN, bot protection (global)
  • Google — Workspace API calls on Customer's behalf
  • Microsoft — Graph API calls on Customer's behalf

4. Security

  • OAuth tokens encrypted at rest with AES-256-GCM.
  • Row-Level Security isolates tenants at the database level.
  • All traffic over TLS 1.2+.
  • Audit logs retained for admin actions.

5. Your Rights

Depending on your jurisdiction (GDPR/UK-GDPR, CCPA/CPRA, LGPD, etc.) you may have rights to access, correct, delete, or export your data, and to object to processing. Email privacy@shadowguard.ai to exercise any of these rights.

6. Data Retention

  • Account data — retained for the life of the subscription + 90 days after termination.
  • Operational logs — 30 days.
  • Billing records — 7 years (tax compliance).

7. International Transfers

Customer Data is processed in the United States. If you are in the EU/UK, we rely on Standard Contractual Clauses for international transfers. A Data Processing Addendum is available on request.

8. Cookies

We use strictly necessary cookies for authentication (Supabase session) and functional cookies for preferences. We do not use advertising cookies. See the cookie banner on first visit to confirm.

9. Changes

Material changes will be notified via email at least 30 days in advance.

10. Contact

privacy@shadowguard.ai

Terms of Service →← Back home