# Privacy Policy — Veillum Guard

**Last updated:** April 8, 2026
**Applies to:** Veillum Guard v1.0.2 and later

Veillum Guard ("the Extension") is developed and maintained by Veillum. This policy explains what data the Extension collects, how it is used, and your rights as a user.

---

## 1. What the Extension Does

Veillum Guard is a browser extension that scans text you type into AI services (ChatGPT, Claude) before it is sent. Its purpose is to detect and alert you to sensitive data — such as passwords, API keys, credentials, and personally identifiable information (PII) — to prevent accidental exposure.

An account is required to use the Extension. Scanning is not available without authentication.

---

## 2. Data Handling

### Unauthenticated (no account)

No scanning is performed and no data of any kind is transmitted to external servers.

### Authenticated (account required for all scanning)

#### Standard Scanning (regex engine — always on when logged in)

- Prompt text is scanned **locally on your device** using built-in regex rules.
- Prompt text is **never transmitted** to any external server during regex scanning.
- After each scan, the following metadata is sent to `https://api.veillum.com.br/api/v1/scans` to enforce usage quotas:

| Field | Example |
|---|---|
| `findings_count` | `3` |
| `has_critical` | `true` |
| `scan_ms` | `45` |

No prompt content, no text fragments, and no identifying information about the scanned content are included.

#### Advanced Features — Presidio AI (optional, off by default)

When you enable the **Advanced Features** toggle in the extension popup, prompt text is sent to `https://presidio.veillum.com.br/analyze` for AI-powered PII entity extraction.

- This feature is **disabled by default**. You must explicitly turn it on.
- The full prompt text is transmitted to Veillum's Presidio service on each scan.
- Veillum does not store, log, or share the prompt text. It is used solely for real-time analysis and the response is discarded immediately after the scan result is returned.
- You can disable this feature at any time by turning off the Advanced Features toggle.

---

## 3. Data Stored Locally

All of the following is stored only in `chrome.storage.local` on your device and is never synced to external servers unless explicitly described above.

| Data | Purpose |
|---|---|
| OAuth2 access token | Authenticate requests to Veillum services |
| OAuth2 refresh token | Renew the access token silently |
| OpenID token | Session identity |
| Token expiry timestamp | Determine when to refresh |
| User email address | Extracted from the JWT on login; displayed in the popup |
| Extension settings (enabled rules, engine, thresholds) | Remember your preferences |
| Last scan result (metadata) | Display badge and scan summary in popup |
| Last prompt snippet (first 120 characters) | Display context in the popup warning UI |
| Mask history (last 20 entries) | Display history of masked prompts in popup |
| Presidio entities from last scan | Display AI-detected entities in popup |

---

## 4. Data We Do Not Collect

- We do not collect, store, or log the full content of your prompts (except transiently during Presidio analysis, which is discarded immediately).
- We do not track your browsing history or activity on AI platforms.
- We do not use analytics, tracking pixels, or third-party SDKs.
- We do not sell, rent, or share any data with third parties.
- We do not collect financial information, health information, or precise location data.

---

## 5. Permissions Explained

| Permission | Why it is needed |
|---|---|
| `storage` | Save your settings and authentication tokens locally |
| `tabs` | Send scan control messages from the popup to the content script in the active AI chat tab; open the Veillum website |
| `identity` | Authenticate users via OAuth2 PKCE flow (Google / Microsoft login) |
| Host permissions (chatgpt.com, claude.ai, chat.openai.com) | Inject the content script into supported AI chat interfaces to intercept and scan prompts |
| Host permission (api.veillum.com.br) | Send scan metadata and fetch custom organization rules |
| Host permission (auth.veillum.com.br) | Exchange OAuth2 authorization codes for tokens and perform logout |
| Host permission (presidio.veillum.com.br) | Send prompt text for AI-powered PII analysis when Advanced Features is enabled |

---

## 6. Third-Party Services

The Extension communicates with the following Veillum-operated services:

| Service | When used | Purpose |
|---|---|---|
| `api.veillum.com.br` | Every scan (when logged in) | Report scan metadata; fetch custom rules |
| `auth.veillum.com.br` | On login and logout | OAuth2 token exchange (Keycloak) |
| `presidio.veillum.com.br` | When Advanced Features is enabled | AI-powered PII entity extraction |

No third-party advertising, analytics, or data broker services are used.

---

## 7. Children's Privacy

The Extension is not directed at children under the age of 13 and does not knowingly collect data from minors.

---

## 8. Changes to This Policy

We may update this policy to reflect changes in the Extension's functionality. The "Last updated" date at the top of this document will always reflect the most recent revision. Continued use of the Extension after changes constitutes acceptance of the updated policy.

---

## 9. Contact

If you have questions or concerns about this privacy policy, please contact us:

**Email:** contact@veillum.com.br
**Website:** https://veillum.com.br