Privacy Policy

Last updated: May 2026

SafePrompt is committed to protecting the privacy of its users and customers. This privacy policy describes how we collect, use, and protect your personal data, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679). For professions bound by French professional secrecy (lawyers, notaries, bailiffs), see our dedicated note.

1. Identity of the data controller

SafePrompt acts as a Processor within the meaning of Article 4(8) of the GDPR for the processing of your end users' data. Your organization (the Customer) is the Controller.

For the data of your own employees using SafePrompt, SafePrompt acts as joint controller or processor as described in the DPA (Data Processing Agreement).

Contact: [email protected]

The data controller is M-KIS SAS, a French simplified joint-stock company with share capital of €1,000, registered with the Nancy Trade and Companies Register under SIRET 942 515 446 00014, whose registered office is on Avenue du Général Patton, 54320 Maxéville, France.

2. Categories of data processed

SafePrompt collects only anonymized usage metadata:

  • Detection event type (e.g., SECRET_DETECTED, PII_TOKENIZED)
  • Number of tokens detected per session
  • Extension version and subscription plan
  • Event timestamps
  • Pseudonymized session identifier

SafePrompt never collects the content of your prompts, your API secrets, your redacted personal data, or the content of your LLM conversations. All processing takes place entirely within your browser.

3. Legal basis for processing

  • Article 6.1.b GDPR — Contract performance: processing necessary for providing the SafePrompt service (usage statistics for billing and support).
  • Article 6.1.f GDPR — Legitimate interest: service improvement, technical anomaly detection, platform security.

For B2B prospection toward firms of legal officers (notaries, lawyers, judicial commissioners), M-KIS SAS relies on legitimate interest (Art. 6.1.f GDPR) after collecting professional contact details from the public directories of the relevant chambers and bars. You can exercise your right to object at any time by replying 'UNSUBSCRIBE' to an email, or by writing to [email protected]. Your contact details are retained for a maximum of 24 months after the last contact, then purged.

4. Retention period

Usage metadata is retained for 12 months from collection, then automatically deleted. Account data (email, plan) is retained for the duration of the subscription and 3 years after termination for accounting purposes.

5. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access (Art. 15): obtain a copy of your data
  • Right to rectification (Art. 16): correct inaccurate data
  • Right to erasure (Art. 17): delete your data
  • Right to data portability (Art. 20): receive your data in a structured format
  • Right to object (Art. 21): object to processing based on legitimate interest

To exercise your rights: Send an email to [email protected] with the subject "GDPR Rights Request" and your account identifier. We respond within 30 days.

6. Subprocessors

All our subprocessors are hosted in the European Union and bound by GDPR-compliant DPAs:

  • Supabase (database & auth) — Frankfurt/Amsterdam
  • M-KIS (self-hosted) (dashboard & site hosting) — Lorraine, France
  • Stripe (payment) — Dublin
  • Resend (emails) — EU
  • Sentry (monitoring) — EU opt-in

7. DPA & Agreements

Business customers have access to a standard GDPR-compliant Data Processing Agreement (DPA). This document formalizes the respective obligations of the Controller (your organization) and the Processor (SafePrompt). Contact us at [email protected] for the DPA.

8. Data Protection Officer (DPO)

SafePrompt is in the process of appointing an external DPO (specialized GDPR consultant, planned M+3). In the meantime, all data protection requests are handled directly by the founder at: [email protected]

9. Workplace deployment information

For companies deploying SafePrompt to their employees:

  • An LLM tool usage policy incorporating SafePrompt must be established and communicated to employees (CNIL recommendation on AI in the workplace).
  • Consultation of the Works Council (CSE) is recommended before any large-scale deployment (Art. L. 2312-8 of the French Labour Code — surveillance systems).
  • SafePrompt is not an employee monitoring tool: only anonymized statistics are collected. This clarification should be included in the usage policy.
  • Employee transparency (French Labor Code, Art. L.1222-4): any personal-data collection involving employees (including via a browser-side protection tool) must be subject to prior individual and fair information by any written means (IT charter, onboarding handbook, internal note). SafePrompt provides a downloadable notice template from our Business deployment guides.

10. Changes to this policy

We may update this policy. In the event of a material change, we will notify you by email (customers) or via the dashboard. The date of the last update appears at the top of this page.

Cookies & local storage

SafePrompt uses a minimal number of cookies and local-storage entries, all strictly required for the service to work (CNIL strictly-necessary exemption — no consent banner required): (1) a Supabase session cookie to keep you signed in on the dashboard, (2) a language cookie (NEXT_LOCALE) that remembers your FR/EN choice, (3) browser local storage for the extension's signed license cache. Our analytics tool (Plausible, self-hosted in France) runs without cookies and does not fingerprint. No third-party cookies, no advertising cookies, no cross-site trackers.