Privacy Policy
Last updated: February 2026
Privengy is a privacy-first AI governance platform. We are committed to protecting your personal data and being transparent about how we use it. This policy explains our data practices in compliance with GDPR and other applicable regulations.
1. Data Controller and Data Processor
1.1 Privengy as Data Controller
For personal data we collect about users who directly access or register accounts on our platform (account information, usage data, billing), Privengy acts as the data controller:
- Company: Privengy
- Email: privacy@privengy.com
- Website: https://privengy.com
1.2 Privengy as Data Processor
When your organization deploys the AI Radar browser extension to monitor AI tool usage, Privengy processes employee data (AI service visits, prompt metadata, DLP violations) on behalf of and at the direction of your organization. In this context, your organization is the data controller and Privengy is the data processor.
This Customer Data is governed by our Terms of Service and our Data Processing Agreement (DPA).
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (securely hashed)
- Organization name and details (for business accounts)
- SSO/OAuth data (if using Google Sign-In or enterprise SSO)
2.2 AI Governance Data (AI Radar Module)
When your organization uses AI Radar to monitor AI tool usage, we collect:
- AI service visit metadata (service name, timestamp, duration)
- Prompt analytics metadata ONLY (word count, character count, code detection) - we do NOT store prompt content
- DLP policy violation alerts (pattern type matched, not the sensitive data itself)
- Device information (browser type, OS, extension version)
- User identity within your organization (for compliance reporting)
Privacy by Design: AI Radar analyzes prompts locally in the browser and only transmits metadata. We NEVER store the actual content of prompts or AI conversations. Your employees' communications remain private.
2.3 Usage Data
We automatically collect certain information when you use our service:
- IP address
- Browser type and version
- Pages visited within the Privengy dashboard
- Date and time of access
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing and improving our AI governance platform
- Processing AI usage analytics and generating compliance reports
- Sending service notifications, alerts, and security warnings
- Managing your subscription and billing
- Complying with legal obligations
- Improving our service through aggregated, anonymized analytics
4. Legal Basis
We process your data based on:
- Contract performance: To provide the service you subscribed to
- Legitimate interest: To improve our service, ensure security, and prevent fraud
- Legal obligation: To comply with applicable laws and regulations
- Consent: For optional marketing communications (you can withdraw anytime)
5. Subprocessors
We use the following third-party service providers (subprocessors) to help deliver our services. Each subprocessor has been carefully selected and is bound by data processing agreements that ensure GDPR compliance:
| Provider | Purpose | Location |
|---|---|---|
| MongoDB Atlas | Database hosting and data storage | EU (Ireland) |
| Hetzner | Cloud infrastructure and server hosting | EU (Germany) |
| Cloudflare | CDN, DDoS protection, and DNS services | Global (EU compliant) |
| Stripe | Payment processing and subscription billing | EU (Ireland) |
| Resend | Transactional email delivery (notifications, alerts) | USA (SOC 2) |
We will notify customers of any changes to this subprocessor list at least 30 days in advance.
6. How We Share Your Data
We share information about you only in limited circumstances and with appropriate safeguards:
- Third-party subprocessors: As listed in Section 5, we share data with service providers who help us deliver our services (infrastructure, email delivery, payment processing).
- Customer-configured integrations: When your organization configures integrations (Slack, Teams, SIEM systems), data such as DLP alerts and compliance summaries is shared with those platforms at your organization's direction.
- Legal and regulatory requirements: We may disclose information in response to a subpoena, court order, or other governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: In connection with any merger, acquisition, or sale of company assets, your information may be transferred. This Privacy Policy would continue to apply to your data, and any acquiring entity would be required to honor it.
- Aggregated or de-identified data: We may share information that has been aggregated or de-identified so that it can no longer reasonably be used to identify you. Aggregated data is derived from personal data but does not directly or indirectly reveal your identity (e.g., aggregate statistics about AI tool adoption trends).
We do not sell your personal data. We are not ad-funded, do not show ads in our services, and never will.
Third-party links: Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policy of every website you visit.
7. International Data Transfers
Some of our subprocessors are located outside the European Economic Area (EEA). For these transfers, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework certification (where applicable)
- Additional technical and organizational measures
8. Data Retention
We retain your data for as long as your account is active or as needed to provide our services:
- Account data: Until account deletion + 30 days
- AI usage events: According to your plan (90 days - 2 years)
- Audit logs: 2 years (for compliance)
- Billing records: 7 years (legal requirement)
9. Children's Privacy
Our services are designed for businesses and are not intended for children under 16 years old. We do not knowingly collect personal information from children. If you believe we might have any information from or about a child under 16, please contact us at privacy@privengy.com.
10. Your Rights and Choices
10.1 GDPR Rights
Under GDPR and other applicable laws, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ('right to be forgotten')
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time for consent-based processing
To exercise these rights, contact us at: privacy@privengy.com
We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10.2 Your Choices
You have several choices available when it comes to your information:
- Limit information provided: You can choose not to provide optional account or profile information.
- Opt out of marketing: You may opt out of promotional communications at any time by following the unsubscribe instructions in those messages. We will still send you essential service notifications.
- Manage cookies: You can manage your cookie preferences through our cookie consent banner or your browser settings. See our Cookie Policy.
- Close your account: You can request account closure by contacting us. Some information may be retained as described in Section 8 (Data Retention).
11. Security
We implement robust technical and organizational measures to protect your data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication (MFA) support
- Regular security audits and penetration testing
- SOC 2 Type II compliant infrastructure
- Role-based access controls (RBAC)
12. Do Not Track
At this time, Privengy does not respond to 'Do Not Track' browser signals. However, we do not use third-party tracking cookies, advertising pixels, or behavioral tracking technologies. You can manage your cookie preferences through our consent banner as described in our Cookie Policy.
13. Contact Us
For any questions about this Privacy Policy or our data practices:
- Privacy inquiries: privacy@privengy.com
- General support: support@privengy.com
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by email and by posting a notice on our website at least 30 days before the changes take effect.
Change Log
- February 2026: Added Data Controller/Processor distinction, Data Sharing section, Children's Privacy, User Choices, Do Not Track disclosure.
- January 2026: Initial version.