Privacy Policy
Last updated: March 2026 · In accordance with GDPR Art. 13 and 14
1. Data Controller
The controller within the meaning of the GDPR is:
ENKL Net GmbH
Borromäusstr. 59, 66663 Merzig, Germany
2. Hosting and Infrastructure
Our services are operated exclusively on servers in the European Union:
- Vercel (Frankfurt, Germany) — hosting of the web application and API. Serverless Functions are executed in the fra1 region. Vercel Inc. is certified under the EU-US Data Privacy Framework. Vercel DPA.
- Supabase (Frankfurt, eu-central-1) — database (PostgreSQL) and file storage. SOC 2 Type II certified. Supabase privacy information.
- Clerk (Authentication) — authentication and user management. SOC 2 Type II certified and GDPR-compliant. Clerk privacy information.
Personal data is not transferred to third countries outside the EU/EEA. All data is processed and stored exclusively in the EU.
3. Processed Data and Purposes
We process the following categories of personal data:
Account Data
Name, email address, and organization affiliation (provided via Clerk during registration).
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
AI Usage Events
When employees use AI tools (ChatGPT, Claude, Gemini, etc.) with the browser extension active, the following metadata may be collected: AI tool name, timestamp, number of masked fields, data categories (e.g. "email", "name"), risk level, and page URL. Prompt content itself is not stored.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) / Art. 6(1)(f) GDPR (legitimate interest in company GDPR compliance)
Employee Data
Name and email address of employees using the extension (entered by the administrator or self-provided), and optional department assignment.
Legal basis: Art. 6(1)(b) GDPR / Art. 88 GDPR in conjunction with § 26 BDSG
Uploaded Documents
Documents (PDF, DOCX, PPTX) uploaded by administrators for compliance purposes. These files are stored encrypted in Supabase Storage.
Legal basis: Art. 6(1)(b) GDPR
4. Browser Extension
The AI Privacy Shield browser extension runs locally in the user's browser. It analyzes text in input fields on AI websites and masks detected personal data before it is sent to AI services.
PII detection is partially performed using a machine learning model running locally in the browser (via Hugging Face Transformers.js). No data is sent to external servers for this step — processing occurs exclusively on the user's device.
Only usage-event metadata (no prompt content) is transmitted to the AI Privacy Shield dashboard.
5. Data Sharing
Personal data is not sold to third parties and is not shared for advertising purposes.
Data is only shared with technical service providers (processors under Art. 28 GDPR) with whom data processing agreements are in place: Vercel, Supabase, Clerk (see Section 2).
6. Storage Duration
Personal data is stored only as long as necessary for the respective purpose:
- Account data: for the duration of the contractual relationship + statutory retention periods
- AI usage events: for the duration of the contractual relationship
- Employee data: until deletion by the administrator or contract end
- Uploaded documents: until deletion by the administrator or contract end
After contract termination, all organization data is deleted within 30 days.
7. Data Subject Rights
As a data subject, you have the following rights under the GDPR:
- Access (Art. 15 GDPR): Right to information about processed data
- Rectification (Art. 16 GDPR): Right to correct inaccurate data
- Erasure (Art. 17 GDPR): Right to deletion ("right to be forgotten")
- Restriction (Art. 18 GDPR): Right to restrict processing
- Data Portability (Art. 20 GDPR): Right to receive your data in a machine-readable format
- Objection (Art. 21 GDPR): Right to object to processing
To exercise your rights, contact us at: datenschutz@ai-privacy-shield.com
You also have the right to lodge a complaint with a supervisory data protection authority. The competent authority is: Independent Data Protection Center Saarland (UDZ).
8. Cookies and Tracking
Our website uses only technically necessary cookies required for dashboard operation (session cookies from Clerk). No tracking or analytics cookies are used.
No data is collected or shared for advertising purposes.
9. Changes to this Privacy Policy
We reserve the right to update this privacy policy as needed to reflect legal changes or changes to our service. The current version is always available at /datenschutz. For material changes, we will inform registered users by email.