Privacy Policy

Last updated: January 2025

1. Introduction

Klyra Shield ("we", "our", or "us") is operated by Klyra Labs. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our browser extension and dashboard service (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Full name
  • Organisation name
  • Password (stored only in hashed form, never as plaintext)

2.2 Extension User Information

When users connect via the browser extension, we collect:

  • Name (as entered by the user)
  • Device identifier (randomly generated)
  • Connection timestamp
  • Last activity timestamp

2.3 Activity Data

When the extension detects a prompt submission to an AI platform, we collect:

  • Which AI platform was used (e.g., ChatGPT, Claude)
  • Types of sensitive data detected (e.g., "Email Address", "API Key")
  • Risk level assigned (low, medium, high, critical)
  • Action taken (allowed, warned, blocked)
  • Whether the user proceeded after a warning
  • Timestamp of the event

2.4 What We Do NOT Collect

We explicitly do not collect:

  • The actual content of your prompts or messages
  • AI responses or outputs
  • Browsing history outside of supported AI platforms
  • Personal files or documents
  • Keystrokes or screen recordings

3. How We Process Data

Local Processing: All sensitive data scanning occurs locally within your browser. The extension analyses prompt text using pattern matching (for example, regular expressions for email address and API key formats) to identify potential sensitive information. The prompt content itself is never transmitted to Klyra servers; it goes only to the AI platform you submitted it to, exactly as it would without the extension installed.

Metadata Only: Only metadata about detected patterns (the category of each match and how many were found) is transmitted to our servers. For example, we record that one email address was detected in a prompt, but not the email address itself.
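The scan-locally, transmit-metadata-only design described in this section can be illustrated in code. The following is an added example, not Klyra Shield's extension code: the detector patterns, per-detector weights, risk thresholds, default policy, event shape and the sample prompt are all assumptions made for the illustration. The point it demonstrates is that the matched strings stay in a local-only structure, while the object that would be sent to the dashboard carries only counts, a risk level, the action and a timestamp, and a guard verifies that before anything is transmitted.

```javascript
// Added illustration of the "local scan, metadata only" design described above.
// Not Klyra Shield's code: detector patterns, weights, thresholds, the default
// policy, the event shape and the sample prompt are assumptions for this example.

// Luhn check used to reject digit runs that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Assumed detector set. Each match adds `weight` to the prompt's risk score.
const DETECTORS = [
  { type: 'Email Address', weight: 1,
    re: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi },
  { type: 'API Key', weight: 3,
    re: /\b(?:sk-[A-Za-z0-9_-]{20,}|AKIA[A-Z0-9]{16})\b/g },
  { type: 'Credit Card Number', weight: 3,
    re: /\b(?:\d[ -]?){12,15}\d\b/g,
    validate: (m) => luhnValid(m.replace(/[ -]/g, '')) },
  { type: 'Private Key Block', weight: 4,
    re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
];

// Assumed mapping from score to the four risk levels named in the policy,
// and an assumed default action per level.
function riskLevel(score) {
  if (score >= 6) return 'critical';
  if (score >= 4) return 'high';
  if (score >= 2) return 'medium';
  return 'low';
}
const DEFAULT_POLICY = { low: 'allowed', medium: 'warned', high: 'warned', critical: 'blocked' };

// Runs entirely in the browser. `findings` holds the matched strings and is for
// local use only (e.g. highlighting in the page); `event` is the only object that
// would ever be sent to the backend, and it carries counts, not values.
function scanPrompt(text, platform, policy = DEFAULT_POLICY, now = () => Date.now()) {
  const findings = [];
  const detections = {};
  let score = 0;
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      if (d.validate && !d.validate(m[0])) continue; // e.g. Luhn-invalid digit runs
      findings.push({ type: d.type, value: m[0] });
      detections[d.type] = (detections[d.type] || 0) + 1;
      score += d.weight;
    }
  }
  if (findings.length === 0) return { event: null, findings };
  const level = riskLevel(score);
  const event = {
    platform,
    detections,
    riskLevel: level,
    action: policy[level],
    timestamp: new Date(now()).toISOString(),
  };
  return { event, findings };
}

// Guard to run before transmission: the serialised event must contain neither the
// prompt nor any matched value. Returns true if something would leak.
function leaksContent(event, findings, text) {
  if (event === null) return false;
  const wire = JSON.stringify(event);
  if (text.trim().length > 0 && wire.includes(text.trim())) return true;
  return findings.some((f) => wire.includes(f.value));
}

// Constructed sample prompt (not real data). The second digit run fails Luhn and
// is deliberately not counted; the email, card and key are each counted once.
const SAMPLE_PROMPT =
  'Summarise this thread: contact jane.doe@example.com, card 4111 1111 1111 1111, ' +
  'ticket 1234 5678 9012 3456, key sk-abcdefghijklmnopqrstuvwxyz123456';

const sample = scanPrompt(SAMPLE_PROMPT, 'ChatGPT', DEFAULT_POLICY, () => 0);
console.log(JSON.stringify(sample.event));
// → {"platform":"ChatGPT","detections":{"Email Address":1,"API Key":1,"Credit Card Number":1},"riskLevel":"critical","action":"blocked","timestamp":"1970-01-01T00:00:00.000Z"}
```

Running the block prints the event that would cross the wire; note that the actual email address, card number and key appear only in `sample.findings`, which never leaves the page, and `leaksContent` returns false for the event. The Luhn validator is the kind of secondary check that keeps a pattern-based scanner from flagging every sixteen-digit ticket number as a card.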

4. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Service
  • Generate compliance reports and analytics for your organisation
  • Send alerts for high-risk events (if enabled)
  • Improve and develop new features
  • Communicate with you about your account
  • Comply with legal obligations

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Your Organisation: Activity data is visible to administrators within your organisation
  • Service Providers: We use Supabase for database hosting and Vercel for application hosting
  • Legal Requirements: We may disclose information if required by law or to protect our rights

6. Data Retention

We retain your data as follows:

  • Account Data: Retained until you request deletion or your organisation terminates service
  • Activity Logs: Retained for 180 days to support quarterly compliance reporting
  • Audit Logs: Retained for 1 year for security purposes

Upon account deletion, all associated data is permanently removed within 30 days.

7. Data Security

We implement appropriate security measures including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest
  • Row-level security policies enforced at the database layer, ensuring each organisation can only access its own data
  • Regular security assessments
  • Access controls and authentication requirements

However, no method of transmission over the Internet or of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Portability: Request transfer of your data
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at hello@klyralabs.com. We will respond within 30 days.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Third-Party Services

Our Service integrates with the following third-party services:

  • Supabase: Database and authentication (PostgreSQL hosted infrastructure)
  • Vercel: Application hosting and deployment
  • Resend: Email delivery service

Each third-party service has its own privacy policy governing the use of your information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Email: hello@klyralabs.com
  • Website: https://klyralabs.com

14. Limitation of Liability

THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, KLYRA LABS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES RESULTING FROM:

  • Your use or inability to use the Service
  • Any unauthorised access to or use of our servers
  • Any bugs, viruses, or other harmful code transmitted through the Service
  • Any errors or omissions in the detection of sensitive data

The Service is designed to assist with data loss prevention but does not guarantee complete protection against data leaks. Users remain responsible for their own compliance obligations.