Legal

Privacy Policy

How Privent handles your data and protects your privacy.

Last updated31 March 2026

Overview

Privent is developed by SHIFTBASE LABS LTD (71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom). This policy applies to the Privent browser extension, detection backend, semantic analysis service, and related admin surfaces. For customer employee prompt analysis, customers act as Controller and Privent acts as Processor.

What Data We Process

–Prompt submission data: prompt text, supported tool identifier, source URL path, timestamp, and request identifier.

–File-intercept data: in debug mode, file metadata and sampled file payload data may be processed for detection.

–Detection metadata: decision (allow/warn/block), risk score, category, processing status, reason code, and event timestamps.

–Activation and auth data: activation token hash in extension storage, browser identifier, organization API key usage metadata, activation token use metadata (including IP address and user agent on backend activation records).

What We Don't Store

–The extension does not persist raw prompt text to browser storage.

–The extension does not persist raw file contents to browser storage.

–Raw activation tokens are not persisted in extension storage (only a token hash is stored).

Accuracy note: Backend code persists detection event metadata, and does not persist raw prompt text in detection tables. Semantic embeddings may be returned from semantic analysis and can be persisted by downstream services.

How Data Is Processed

01.The extension captures submit-time prompt events on supported GenAI domains and sends sanitized payloads to the Privent service worker.

02.The service worker validates sender origin and message shape, resolves auth context, and sends POST /detect to the backend over HTTPS.

03.The backend combines regex/rule signals and semantic-engine outputs to calculate risk and produce allow/warn/block decisions.

04.The semantic engine processes request text in memory for NER and embedding-based scoring, then returns analysis output to backend.

Security Measures

–HTTPS-only endpoint validation in extension transport layers.

–Manifest V3 architecture with extension page CSP and module service worker.

–Sender-origin allowlist and strict runtime message shape validation.

–Payload sanitization, tool allowlists, URL normalization, and size limits.

–Diagnostic logging is disabled by default outside explicit debug mode.

Privent is pursuing SOC 2 Type II certification. Our current security posture, controls, and policies are available at trust.privent.ai.

Data Retention

–Detection metadata (including risk outcomes and source URL fields) is stored in backend event tables for audit and reporting.

–Activation token usage records, API key usage metadata, and activation state are stored in backend systems.

–Automated retention/deletion schedules are not found in current backend code. Operational retention controls may be managed outside application code.

Third-party Services

The semantic engine in this codebase uses local model inference components (spaCy and SentenceTransformers). Direct runtime calls from semantic-engine code to third-party LLM APIs were not found in code. This statement does not cover infrastructure-level providers used to host services.

User Control and Transparency

–Activation tokens are removed from activation page URLs after ingestion.

–Managed enterprise configuration can override local extension auth settings.

–Requests for access, correction, or deletion should be sent to hello@privent.ai.

Contact

For privacy-related enquiries, contact hello@privent.ai.