Last updated: 5 March 2026
1. Who we are and scope
Privent is an AI GenAI leakage prevention engine developed by SHIFTBASE LABS LTD, a company registered in England and Wales with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. This Privacy Policy applies to: (a) your use of privent.ai and our web application; (b) the Privent Chrome extension that employees install in their browsers; and (c) the Privent detection APIs and admin dashboard used by our customers to configure policies and monitor risk.
2. Data Controller vs Processor
Under the UK GDPR and EU GDPR, we act in two distinct roles:
- Data Controller: For personal data we collect and process in relation to privent.ai and our dashboard (account registration, billing, contact forms, support, organisation and policy configuration). We determine the purposes and means of such processing.
- Data Processor: For personal data processed on behalf of our customers when they deploy the Privent Chrome extension and detection APIs to protect prompts sent by their employees to GenAI tools (e.g. ChatGPT, Claude, Gemini). The customer is the Data Controller; we act as their processor under Article 28 GDPR and process data only on their documented instructions.
3. Data we collect and process
privent.ai and dashboard users (we are Controller)
- Account data: email address, name, organisation, authentication details
- Billing data: payment information via our payment provider (e.g. Stripe); subscription status and invoices
- Contact form: name, email, subject, and message content
- Product configuration data: policy thresholds, category sensitivities, custom keyword lists, and organisation settings
- Usage data: login activity, dashboard interactions, and technical telemetry necessary to keep the service secure and reliable
Employees using GenAI tools protected by Privent (we are Processor)
When employees use GenAI tools that are protected by the Privent Chrome extension and backend, we process the following ephemerally—in memory only for the duration of the request:
- Prompt text entered by the user into supported GenAI tools (e.g. ChatGPT, Claude, Gemini) so that Privent can analyse the risk of potential data leakage
- Technical metadata such as the domain of the GenAI tool, timestamp, organisation identifier, decision outcome (allow / warn / block), risk score, and risk categories (e.g. PII, financial, source code)
Important: Page content and user queries are not stored as raw prompts at rest, not indexed, and not used for model training. Prompt text is processed only in-memory for real-time risk assessment and then discarded. We may store limited, pseudonymised metadata about each event (such as risk scores, categories, decision outcome, and timestamps) to power the admin dashboard, policy tuning, and security monitoring.
4. How we use data
- To provide, operate, and improve our service
- To process billing and manage subscriptions
- To respond to contact requests and support enquiries
- To send service-related communications (e.g. account or billing updates)
- AI processing: Prompt text and related technical metadata may be sent to Privent's backend detection engine and, where necessary, to third-party AI model providers acting as our sub-processors. This is solely to assess the risk of data leakage and return an allow / warn / block decision to the user in real time.
- To comply with legal obligations
5. Ephemeral processing
Prompt text and page context processed by the Privent Chrome extension and backend are held in-memory only for the duration of the request. We do not log, cache, or persist raw prompt content. No database writes occur for the raw text; only high-level, pseudonymised metadata may be stored as described above.
6. Legal basis (GDPR)
- Contract: Processing necessary to provide the service you have requested
- Legitimate interest: Security, fraud prevention, service improvement, and analytics (where applicable)
- Consent: Where we rely on consent, you may withdraw it at any time
7. Data retention
- Account data: Retained while your account is active and for a reasonable period after closure for legal and accounting purposes
- Ephemeral prompt content: No retention—not stored at rest
- Event metadata: Retained as long as necessary for the customer relationship to provide audit history, risk dashboards, and security monitoring, and thereafter as required by applicable law
- Contact messages: Up to 24 months or as needed to respond to your enquiry
- Billing records: As required by applicable law (typically 7 years for tax purposes)
8. Your rights (UK GDPR / EU GDPR)
You have the right to:
- Access your personal data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at hi@privent.ai. You may also lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local data protection authority.
9. International transfers
Your data may be processed in the United Kingdom, European Economic Area, and the United States (e.g. via OpenAI, Stripe, and cloud infrastructure). We ensure appropriate safeguards, including adequacy decisions and Standard Contractual Clauses (SCCs) where required.
10. Security
We implement technical and organisational measures to protect your data, including encryption in transit and at rest where appropriate, access controls, and secure development practices.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes may be communicated via email or a prominent notice on our website.
Contact
For privacy-related enquiries or to exercise your rights, contact:
SHIFTBASE LABS LTD
71-75 Shelton Street
Covent Garden
London, United Kingdom, WC2H 9JQ
Email: hi@privent.ai