VetoShield

Privacy Policy

Effective date: March 12, 2026 · Last updated: March 12, 2026

VetoShield LLC ("VetoShield," "we," "us," or "our") operates the VetoShield browser extension and the vetoshield.ai website. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

We built VetoShield to protect your privacy when using AI tools. We take that mission seriously and apply it to our own practices: we collect as little data as possible, process as much as we can on your device, and never sell your data.

1. Who We Are

VetoShield LLC is a company registered in Delaware, United States. For privacy-related questions, contact us at contact@vetoshield.ai.

2. What We Collect

2.1 Browser Extension (Local-Only Mode)

By default, the VetoShield extension operates entirely on your device. In this mode, we collect and transmit nothing. All data stays in your browser's local storage:

  • AI tool visit metadata — which AI domains you visit, timestamps, and session duration. Used to show your personal usage dashboard.
  • Policy settings — your allow/warn/block rules for AI services.
  • Alert history — generic labels when sensitive data is detected in a chat input (e.g., "Email address detected"). The actual sensitive content is never stored.
  • Preferences — your detection rule configuration, default policy, and notification settings.

Chat input text is scanned in memory for sensitive data patterns (emails, phone numbers, API keys, etc.) and immediately discarded. It is never stored, logged, or transmitted by the extension.

2.2 Browser Extension (Team Sync Mode)

When your organization's IT administrator connects the extension to a VetoShield account, the following data is sent to our servers:

  • Usage metadata — AI domain names, timestamps, session duration, and policy actions (allow/warn/block). No chat content, prompts, or responses.
  • Heartbeat signals — periodic check-ins so the administrator can verify the extension is active.
  • Policy sync — organization-wide policies are downloaded to the extension. No personal data is uploaded in this process.

2.3 Website and Admin Dashboard

When an administrator creates a VetoShield account, we collect:

  • Account information — email address and password (hashed, never stored in plain text).
  • Organization data — company name, seats, and policy configurations.
  • Synced extension data — the usage metadata described in Section 2.2, aggregated across the organization's seats.

2.4 What We Never Collect

  • Chat prompts, AI responses, or conversation content
  • Browsing activity outside of recognized AI tool domains
  • Keystroke data, form inputs on non-AI websites, or screen content
  • Device identifiers, IP-based geolocation, or advertising identifiers
  • Data from third-party analytics, tracking pixels, or cookies

3. How We Use Your Data

| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Local usage metadata | Your personal usage dashboard | Not transmitted — no legal basis needed |
| Synced usage metadata | Organizational AI governance visibility | Legitimate interest (Art. 6(1)(f)) / contract performance (Art. 6(1)(b)) |
| Account information | Authentication, account management | Contract performance (Art. 6(1)(b)) |
| Organization policies | Policy enforcement across the team | Legitimate interest (Art. 6(1)(f)) / contract performance (Art. 6(1)(b)) |

We do not use your data for advertising, profiling, automated decision-making, or any purpose other than providing the VetoShield service.

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Your organization's administrator — if Team Sync is enabled, your administrator can see aggregated usage metadata for their organization's seats.
  • Infrastructure providers — our hosting provider (Railway) processes data on our behalf to operate the service. They act as a data processor under our instructions and do not use your data for their own purposes.
  • Legal obligations — we may disclose data if required by law, court order, or governmental authority.

5. Data Retention

  • Local extension data — stored on your device until you clear it. Alerts auto-expire after 4 hours. Events are capped at 10,000 entries.
  • Synced usage data — retained according to your organization's configured retention policy. When an administrator removes a seat, the associated data is deleted.
  • Account data — retained while the account is active. Upon account deletion, all associated data (seats, events, policies) is permanently deleted within 30 days.

6. Data Security

All data transmitted between the extension and our servers is encrypted in transit using TLS. Server-side data is stored in an encrypted database. API keys are generated using cryptographically secure random values. Administrative access is protected by JWT-based authentication.

7. Cookies and Tracking

The VetoShield website and extension do not use cookies, tracking pixels, or third-party analytics. Authentication is handled via HTTP headers (API keys and JWT tokens), not cookies.

8. Your Rights

Under the EU General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Restriction — request that we limit how we process your data.
  • Data portability — receive your data in a structured, machine-readable format. The extension's dashboard includes a built-in data export feature.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at contact@vetoshield.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority if you believe your data is being processed unlawfully.

9. International Data Transfers

Our servers are hosted in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your synced data may be transferred to and processed in the United States. We rely on standard contractual clauses and our infrastructure provider's data processing agreements to ensure adequate protection of your data.

In local-only mode, no data leaves your device, so no international transfer occurs.

10. Children's Privacy

VetoShield is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will provide notice through the extension or our website.

12. Contact

If you have questions about this Privacy Policy or how we handle your data:

VetoShield LLC
Email: contact@vetoshield.ai

Made in the EU