Privacy Policy
Last updated: April 19, 2026 | Effective: April 19, 2026
Privacy Contact & Data Controller
PrivacyGuard AI is the data controller for personal data processed through this Service. For all privacy inquiries, data requests, or to exercise your rights, contact our Privacy Team:
1. Introduction and Scope
PrivacyGuard AI ("we," "our," or "us") operates privacyguardai.io and provides AI-powered privacy compliance tools (the "Service"). This Privacy Policy applies to all users of the Service and explains what personal data we collect, why we collect it, how we use and protect it, how long we keep it, and what rights you have.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR 2016/679), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), PIPEDA (Canada), and other applicable privacy laws. If you are located in the EU/EEA or UK, the GDPR provisions in this policy apply to you.
By using PrivacyGuard AI, you acknowledge this policy. If you do not agree, please discontinue use of the Service.
2. Personal Data We Collect
We collect the following specific categories of personal data:
2.1 Data You Provide Directly
| Data Category | Specific Data Elements | When Collected |
|---|---|---|
| Identity Data | Full name, profile photo (from OAuth provider) | Account creation via Google/GitHub OAuth |
| Contact Data | Email address | Account creation; DSAR submissions |
| Business Data | Company name, website URL, industry, country/state, data practices | Policy Generator; Settings; Compliance Scanner |
| Financial Data | Billing name, billing address, last 4 digits of card (tokenized by Stripe — we never see full card numbers) | Subscription checkout |
| Communications Data | AI chat messages, support inquiries, DSAR request content | AI Assistant; DSAR Portal; Support |
2.2 Data Collected Automatically
| Data Category | Specific Data Elements | Source |
|---|---|---|
| Technical Data | IP address, browser type and version, operating system, device type, screen resolution | Server logs; browser |
| Usage Data | Pages visited, features used, scan URLs submitted, session duration, click events, error logs | Application server; Umami Analytics (anonymized) |
| Authentication Data | Session token (JWT, stored in HttpOnly cookie), OAuth provider ID (no passwords stored) | Login flow |
| Cookie Data | Session cookie, preference cookie, optional analytics identifier (Umami — only with consent) | Browser; see our |
3. Why We Collect Data — Purposes and Legal Basis
We process personal data only for the specific purposes listed below. For users in the EU/EEA/UK, we identify the applicable legal basis under GDPR Article 6 for each processing activity.
| Purpose | Data Used | Legal Basis (GDPR Art. 6) | US Basis |
|---|---|---|---|
| Account creation and authentication | Identity, Contact, Authentication Data | Art. 6(1)(b) — Contract performance | Necessary to provide Service |
| Delivering compliance scans, policy generation, and AI assistant responses | Business Data, Communications Data | Art. 6(1)(b) — Contract performance | Necessary to provide Service |
| Processing payments and managing subscriptions | Financial Data, Contact Data | Art. 6(1)(b) — Contract performance | Necessary to provide Service |
| Sending transactional emails (welcome, scan reports, DSAR confirmations) | Contact Data, Communications Data | Art. 6(1)(b) — Contract performance | Necessary to provide Service |
| Improving Service features and AI model accuracy | Usage Data (anonymized/aggregated) | Art. 6(1)(f) — Legitimate interests (product improvement) | Legitimate business interest |
| Fraud prevention and security monitoring | Technical Data, Authentication Data | Art. 6(1)(f) — Legitimate interests (security) | Legitimate business interest |
| Complying with legal obligations (tax records, DSAR responses, court orders) | All relevant data categories | Art. 6(1)(c) — Legal obligation | Legal obligation |
| Optional analytics (aggregate usage statistics) | Anonymized Usage Data (Umami — no personal data) | Art. 6(1)(a) — Consent (via cookie banner) | Consent (cookie banner) |
Marketing communications: We send only transactional emails related to your account and the Service (welcome email, scan reports, DSAR confirmations). We do not send marketing or promotional emails without your explicit opt-in consent. If you wish to receive product updates or newsletters, you may opt in through your account Settings. You may unsubscribe at any time via the link in any email or by contacting [email protected].
4. Data Sharing and Third-Party Processors
We do not sell your personal data. We do not share your personal data with third parties for cross-context behavioral advertising. We share data only with the following named service providers, each acting as a data processor under our instructions and bound by data processing agreements:
| Processor | Purpose | Data Transferred | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | Name, email, billing address, tokenized payment method | USA | PCI-DSS Level 1; SCCs for EU transfers. Privacy Policy |
| Resend, Inc. | Transactional email delivery (welcome, reports, notifications) | Recipient name, email address, email content | USA | SOC 2 Type II. Privacy Policy |
| Umami Analytics | Anonymous, cookieless usage analytics (only with your consent) | Anonymized page views and events — no IP address, no personal identifiers | USA | No personal data transferred. Privacy Policy |
| Manus AI Platform | Cloud hosting, managed database (TiDB), OAuth authentication infrastructure, and AI model inference (LLM API) | Account data, scan data, chat messages — processed in encrypted, access-controlled environments | USA | SOC 2 compliant infrastructure. Privacy Policy |
| Law Enforcement / Courts | Legal compliance — responding to lawful requests | Minimum data required by the specific legal obligation, court order, or governmental authority | Varies | We will notify you where legally permitted before disclosing |
All processors are contractually required to: (a) process data only on our documented instructions; (b) implement appropriate technical and organizational security measures; (c) assist us in fulfilling data subject rights requests; and (d) delete or return data upon termination of the relationship.
5. Cookies and Tracking Technologies
We use cookies and similar technologies. You can manage your preferences via the cookie consent banner shown on first visit. For full details, see our .
| Category | Examples | Consent Required |
|---|---|---|
| Strictly Necessary | Session authentication cookie, cookie consent preference cookie | No — essential for Service operation |
| Functional / Preference | Sidebar width preference | No — enhances usability |
| Analytics | Umami anonymous visitor identifier (no personal data, no cross-site tracking) | Yes — requires consent |
We do not use advertising cookies, social media tracking pixels, or behavioral profiling technologies. You may withdraw analytics consent at any time by clearing cookies and selecting "Essential Only" on the banner.
6. Data Retention Periods
We retain personal data only for as long as necessary to fulfill the specific purpose for which it was collected, or as required by law. The following specific retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, profile) | Duration of active account + 30 days after deletion request | Contract performance; account recovery window |
| Compliance scan results and generated policies | Duration of active subscription + 90 days after cancellation | Service delivery; data portability window |
| AI chat history | 90 days from last message, then automatically purged | Conversational context; privacy minimization |
| DSAR records (requests and responses) | 3 years from request date | GDPR/CCPA audit trail and legal defense requirements |
| Payment and billing records | 7 years from transaction date | IRS / financial regulation requirements (26 U.S.C. § 6001) |
| Server and access logs | 90 days | Security monitoring and incident investigation |
| Analytics data (Umami — anonymized) | 13 months rolling window | Year-over-year product analysis; no personal data retained |
Upon expiry of the applicable retention period, data is securely deleted or anonymized. You may request early deletion at any time (see Section 7).
7. Your Privacy Rights
Depending on your jurisdiction, you have the following rights. We honor all rights requests regardless of location as a matter of policy.
7.1 Rights Under GDPR (EU/EEA/UK Users)
- Right of Access (Art. 15): Obtain a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to Erasure / "Right to Be Forgotten" (Art. 17): Request deletion of your personal data where there is no overriding legal basis to retain it.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV) and transfer it to another controller.
- Right to Restrict Processing (Art. 18): Request that we pause processing while a dispute is resolved.
- Right to Object (Art. 21): Object to processing based on legitimate interests (including profiling). We will stop unless we have compelling legitimate grounds.
- Rights Related to Automated Decision-Making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects.
- Right to Lodge a Complaint: You may file a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany).
7.2 Rights Under CCPA/CPRA (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected, used, disclosed, or sold about you.
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond providing the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
7.3 Rights Under VCDPA, CPA, CTDPA (Virginia, Colorado, Connecticut Residents)
Residents of Virginia, Colorado, and Connecticut have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising and profiling. We do not engage in targeted advertising or profiling. To exercise rights, use the DSAR portal below.
How to Exercise Your Rights
Submit a request via our DSAR Portal or email [email protected]. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA/CPRA, extendable to 90 days with notice). There is no fee for submitting a request.
8. International Data Transfers
PrivacyGuard AI is operated from the United States. All data is stored and processed in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following safeguards for international transfers:
- Standard Contractual Clauses (SCCs): We incorporate the EU Commission's approved Standard Contractual Clauses (2021/914/EU) into our data processing agreements with all EU-facing processors.
- Adequacy Decisions: Where the European Commission has issued an adequacy decision for the destination country, we rely on that decision.
- Processor Commitments: All processors listed in Section 4 have committed to GDPR-compliant data transfer mechanisms in their terms of service.
You may request a copy of the applicable transfer safeguards by contacting [email protected].
9. Children's Privacy
The Service is a B2B compliance tool intended for business users. It is not directed to individuals under the age of 16 (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect, solicit, or process personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it within 72 hours of discovery.
If you believe a child under 16 has provided us with personal data, please contact [email protected] immediately.
10. Security Measures
We implement the following specific technical and organizational security measures (TOMs) to protect your personal data:
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ (HTTPS) enforced on all connections; HSTS enabled with 1-year max-age |
| Encryption at rest | AES-256 encryption for all database storage; encrypted backups |
| Authentication | JWT session tokens in HttpOnly, Secure, SameSite=Strict cookies; OAuth 2.0 (no passwords stored); session expiry enforced |
| Access controls | Role-based access control (RBAC); principle of least privilege; no shared credentials |
| Payment security | We never receive or store full card numbers or CVV codes; all payment data is tokenized by Stripe (PCI-DSS Level 1 certified) |
| Infrastructure | Hosted on SOC 2 Type II compliant cloud infrastructure; regular vulnerability scanning; dependency audits |
| Security headers | X-Content-Type-Options: nosniff; X-Frame-Options: DENY; Referrer-Policy: strict-origin-when-cross-origin; Strict-Transport-Security enforced |
| Incident response | Documented breach response plan; affected users notified within 72 hours as required by GDPR Art. 33/34; supervisory authority notification within 72 hours of discovery |
Despite these measures, no internet transmission is 100% secure. Report suspected security vulnerabilities to [email protected].
11. Do Not Sell or Share My Personal Information (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to opt out of the sale or sharing of their personal information for cross-context behavioral advertising.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. The third-party service providers listed in Section 4 (Stripe, Resend, Umami, Manus AI Platform) are data processors acting under our instructions — they are not data brokers, and data is not shared with them for advertising purposes.
Because we do not sell or share personal data, no opt-out action is required. However, if you are a California resident and wish to exercise any CCPA/CPRA right — including the right to know, delete, correct, or limit use of sensitive personal information — please submit a request via our DSAR Portal or email [email protected]. We will respond within 45 days.
11a. CCPA 2026 Data Category Disclosure Chart
As required by Cal. Civ. Code §1798.130(a)(5)(A) and CPPA Regulations (effective Jan 1, 2026), the following chart discloses the categories of personal information collected, disclosed for a business purpose, and sold or shared in the preceding 12 months. We do not sell or share personal information.
| Category (Cal. Civ. Code §1798.140) | Collected | Disclosed for Business Purpose | Sold / Shared |
|---|---|---|---|
| Identifiers (name, email, account ID) | Yes | Yes — Stripe (payment), Resend (email) | No |
| Commercial information (subscription plan, payment history) | Yes | Yes — Stripe (payment processing) | No |
| Internet/network activity (scan history, page views) | Yes | Yes — Umami Analytics (anonymous) | No |
| Inferences drawn from above (usage patterns) | Yes | No | No |
| Sensitive personal information (passwords — hashed) | Yes | No | No |
| Geolocation data | No | N/A | No |
| Biometric data | No | N/A | No |
| Health/medical information | No | N/A | No |
11b. Automated Decision-Making Technology (ADMT) Disclosure
As required by CPPA Regulations §7025 (effective Jan 1, 2026) and GDPR Art. 22, we disclose our use of automated decision-making technology:
Compliance Scan Scoring
Our compliance scanner uses AI (Large Language Model) to analyze website content and generate a compliance score (0–100) and gap report. This is an informational tool only — it does not make legally binding determinations, does not affect your legal rights, and does not constitute legal advice. No significant decisions about individuals are made based solely on this automated process. You may request a human review of any scan result by contacting [email protected].
Policy Generation
Our policy generator uses AI to draft privacy policies and terms of service based on your inputs. Generated documents are drafts for review — they do not constitute legal advice and should be reviewed by a qualified attorney before use. No consequential decisions about individuals are made by this system.
Your ADMT rights (California residents): You have the right to opt out of the use of ADMT for decisions that produce legal or similarly significant effects concerning you. To exercise this right, contact [email protected]. As noted above, our ADMT tools are informational only and do not produce such effects.
11c. Global Privacy Control (GPC) Signal Support
We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out of the sale and sharing of personal information, as required by CPPA Regulations §7025 (Cal.) and Colorado Privacy Act §6-1-1306(1)(a) (Colo.).
Because we do not sell or share personal information for advertising purposes, no opt-out action is needed. However, if your browser sends a GPC signal, we treat it as a confirmed opt-out preference and will not initiate any sale or sharing of your personal data. A visible confirmation notice is displayed in our cookie consent interface when a GPC signal is detected.
To enable GPC in your browser, visit globalprivacycontrol.org.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users for significant changes
- Display a notice in the dashboard for 30 days following a material update
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you must stop using the Service and may request deletion of your account.
13. Contact Us
For any questions about this Privacy Policy, to exercise your rights, or to report a privacy concern:
PrivacyGuard AI — Privacy Team
Email: [email protected]
Security issues: [email protected]
DSAR Portal:
Website: privacyguardai.io
EU/EEA users may also lodge a complaint with their national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
Questions about your privacy? We respond within 24 hours.