Privacy Policy

Last updated: June 22, 2026

Summary

PII Guardrail detects and tokenizes personally identifiable information entirely on your device. Your prompts, documents, and the PII within them never leave your browser and are never sent to any server — not ours, not anyone else's. GEO Audit and AI Exposure Report work differently: you submit a domain or answer a questionnaire, and that input is processed server-side (including by Anthropic's API, see "Third-party services") to generate your report. Neither product ever receives your AI chat prompts or PII Guardrail data — they are entirely separate data flows.

What data we collect

We collect the minimum necessary to operate our products. This policy covers all of Trustevo's services: PII Guardrail, GEO Audit, and AI Exposure Report.

  • Account information — email address and name you provide when signing in via Clerk.
  • Subscription status — your plan tier and billing dates, stored in our database to issue entitlement tokens or unlock Pro features.
  • Aggregate counts — the PII Guardrail extension may send anonymous totals (e.g. number of fields protected in a session) for product analytics. These counts contain no PII values, no token surrogates, and no prompt content.
  • GEO Audit and AI Exposure Report leads — when you request a free report, we store the email address you provide, the domain or company name, and your resulting score. For AI Exposure, we also store your questionnaire answers (the risk and compliance questions you answer — not any of your own customer or business data) so Pro users can track posture over time.
  • Site analytics — we use PostHog to understand how visitors use this website (pages viewed, clicks, general usage patterns). See "Third-party services" below.

What we never collect

  • The content of your prompts or AI responses.
  • The original PII values detected (names, card numbers, SSNs, etc.).
  • The surrogate/token values that replace PII in your prompts.
  • Browsing history or any data from pages you visit.

All detection and tokenization runs inside your browser using an on-device model. The detection path makes zero outbound network requests — this is enforced structurally by the extension's Content Security Policy (connect-src 'self'), not just by policy.

Browser permissions

The extension requests the following Chrome permissions:

  • storage — saves your policy configuration (which entity types to protect) and your encrypted entitlement token locally in chrome.storage. Nothing here is synced to our servers.
  • offscreen — creates an offscreen document to run the on-device GLiNER PII detection model (WebAssembly) under the extension's Content Security Policy, which is required because host pages (ChatGPT, Claude) block WebAssembly execution.
  • tabs — used only when you click "Connect account" in the options page, to open the Trustevo sign-in tab. Not used to read or monitor other tabs.

Host permissions (https://claude.ai/*, https://chatgpt.com/*, https://chat.openai.com/*) are required to inject the content script that intercepts the prompt before submission and re-injects de-tokenized text in responses.

externally_connectable

The extension declares externally_connectable for https://app.trustevo.ai/*. This allows the Trustevo web app to send a signed entitlement token directly to the extension via chrome.runtime.sendMessage when you click "Connect account." No other website can send messages to the extension. The token contains only your plan tier and expiry — no PII.
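
The permission, host, externally_connectable and connect-src statements above can be checked against an unpacked copy of the extension's manifest.json. The following is an added example, not Trustevo's code: the sample manifest is constructed from the values this policy states, and the names auditManifest, parseCsp and DECLARED are hypothetical.

```javascript
// Constructed sample mirroring the values this policy states;
// NOT the extension's actual manifest.json.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "offscreen", "tabs"],
  host_permissions: ["https://claude.ai/*", "https://chatgpt.com/*", "https://chat.openai.com/*"],
  externally_connectable: { matches: ["https://app.trustevo.ai/*"] },
  content_security_policy: {
    extension_pages: "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'; connect-src 'self'",
  },
};

// Allow-lists copied from the policy text above.
const DECLARED = {
  permissions: ["storage", "offscreen", "tabs"],
  hosts: ["https://claude.ai/*", "https://chatgpt.com/*", "https://chat.openai.com/*"],
  external: ["https://app.trustevo.ai/*"],
};

// Parse a CSP string into directive -> sources; the first occurrence of a directive wins.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of String(csp || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const extras = (actual, allowed) => (actual || []).filter((v) => !allowed.includes(v));

// Return a list of findings; an empty list means the manifest matches the policy.
function auditManifest(m) {
  const findings = [];
  for (const p of extras(m.permissions, DECLARED.permissions)) findings.push(`undeclared permission: ${p}`);
  for (const h of extras(m.host_permissions, DECLARED.hosts)) findings.push(`undeclared host permission: ${h}`);
  const ext = m.externally_connectable && m.externally_connectable.matches;
  for (const o of extras(ext, DECLARED.external)) findings.push(`undeclared external origin: ${o}`);
  const csp = parseCsp(m.content_security_policy && m.content_security_policy.extension_pages);
  // connect-src falls back to default-src when it is absent.
  const connect = csp.get("connect-src") || csp.get("default-src");
  if (!connect) findings.push("CSP: no connect-src or default-src, outbound requests unrestricted");
  else for (const s of connect) {
    const k = s.toLowerCase();
    if (k !== "'self'" && k !== "'none'") findings.push(`CSP: connect-src allows ${s}`);
  }
  return findings;
}

console.log(auditManifest(sampleManifest));
```
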

Third-party services

  • Clerk — authentication. Your login email is processed by Clerk under their privacy policy.
  • Stripe — payment processing. Card details go directly to Stripe; we never see or store them.
  • Supabase — database hosting for subscription records (plan, user ID, billing dates). No PII from your prompts is stored here.
  • Vercel — hosting for app.trustevo.ai.
  • PostHog — website analytics. PostHog may set cookies, and it records general usage events (pages viewed, clicks). You can decline analytics via the consent banner shown on your first visit; we do not load PostHog until you accept.
  • Anthropic — GEO Audit and AI Exposure Report use Anthropic's API to generate the written summary and prioritized recommendations in your report. The scan results or questionnaire answers you submit are sent to Anthropic solely to generate that report and are not used to train models.

Data retention and deletion

We retain your account and subscription data for as long as your account is active. To delete your account and all associated data, email us at [email protected]. We will process deletion requests within 30 days.

Changes to this policy

We may update this policy as the product evolves. Material changes will be announced via email to registered users. Continued use of the extension or service after changes constitutes acceptance.

Contact

Questions about privacy? [email protected]
