Privacy Policy

Last updated: May 2026

SafePrompt is committed to protecting the privacy of its users and customers. This privacy policy describes how we collect, use, and protect your personal data, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679).

1. Identity of the data controller

SafePrompt acts as a Processor within the meaning of Article 4(8) of the GDPR for the processing of your end users' data. Your organization (the Customer) is the Controller.

For the data of your own employees using SafePrompt, SafePrompt acts as joint controller or processor as described in the DPA (Data Processing Agreement).

Contact: [email protected]

2. Categories of data processed

SafePrompt collects only anonymized usage metadata:

  • Detection event type (e.g., SECRET_DETECTED, PII_TOKENIZED)
  • Number of tokens detected per session
  • Extension version and subscription plan
  • Event timestamps
  • Pseudonymized session identifier

SafePrompt never collects the content of your prompts, your API secrets, your redacted personal data, or the content of your LLM conversations. All processing takes place entirely within your browser.

3. Legal basis for processing

  • Article 6.1.b GDPR — Contract performance: processing necessary for providing the SafePrompt service (usage statistics for billing and support).
  • Article 6.1.f GDPR — Legitimate interest: service improvement, technical anomaly detection, platform security.

4. Retention period

Usage metadata is retained for 12 months from collection, then automatically deleted. Account data (email, plan) is retained for the duration of the subscription and 3 years after termination for accounting purposes.

5. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access (Art. 15): obtain a copy of your data
  • Right to rectification (Art. 16): correct inaccurate data
  • Right to erasure (Art. 17): delete your data
  • Right to data portability (Art. 20): receive your data in a structured format
  • Right to object (Art. 21): object to processing based on legitimate interest

To exercise your rights, send an email to [email protected] with the subject "GDPR Rights Request" and your account identifier. We respond within 30 days.

6. Subprocessors

All our subprocessors are hosted in the European Union and bound by GDPR-compliant DPAs:

  • Supabase (database & auth) — Frankfurt/Amsterdam
  • Vercel (hosting) — EU
  • Stripe (payment) — Dublin
  • Resend (emails) — EU
  • Sentry (monitoring) — EU opt-in

7. DPA & Agreements

Business customers have access to a standard GDPR-compliant Data Processing Agreement (DPA). This document formalizes the respective obligations of the Controller (your organization) and the Processor (SafePrompt). Contact us at [email protected] for the DPA.

8. Data Protection Officer (DPO)

SafePrompt is in the process of appointing an external DPO (specialized GDPR consultant, planned M+3). In the meantime, all data protection requests are handled directly by the founder at: [email protected]

9. Workplace deployment information

For companies deploying SafePrompt to their employees:

  • An LLM tool usage policy incorporating SafePrompt must be established and communicated to employees (CNIL recommendation on AI in the workplace).
  • Consultation of the Works Council (CSE) is recommended before any large-scale deployment (Art. L. 2312-8 of the French Labour Code — surveillance systems).
  • SafePrompt is not an employee monitoring tool: only anonymized statistics are collected. This clarification should be included in the usage policy.
  • Employee transparency (French Labor Code, Art. L.1222-4): before any personal-data collection involving employees (including via a browser-side protection tool), each employee must be informed individually and fairly, by any written means (IT charter, onboarding handbook, internal note). SafePrompt provides a downloadable notice template in our Business deployment guides.

10. Changes to this policy

We may update this policy. In the event of a material change, we will notify you by email (customers) or via the dashboard. The date of the last update appears at the top of this page.