Effective Date: May 21, 2026 | Last Updated: May 21, 2026
This Privacy Policy describes how Managed Security Services LLC, doing business as Cyber Security Services (“AILeakShield,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with:
- The website located at https://aileakshield.com (the “Site”);
- AILeakShield software-as-a-service application and secure AI workspace (the “Platform”);
- AILeakShield Browser Extension for Google Chrome and other Chromium-based browsers (the “Extension”); and
- Any related APIs, integrations, support channels, and communications (collectively, the “Services”).
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.
1. Who We Are and How to Contact Us
Controller / Operator: Managed Security Services LLC (DBA Cyber Security Services) – AILeakShield product line. State of formation: Ohio, USA.
Privacy contact: privacy@aileakshield.com
General contact: support@aileakshield.com
Security contact: security@aileakshield.com
Mailing address:
Managed Security Services LLC (DBA Cyber Security Services)
752 N. State Street #172
Westerville, OH 43082
United States
For data subjects in the European Economic Area, United Kingdom, or Switzerland, you may also contact us at the email above for any matter related to your personal data.
2. Scope and Roles
- For visitors to the Site and individual sign-ups, we act as a data controller.
- For business customers (“Customer Organizations”) who deploy the Platform or Extension to their workforce, the Customer Organization is the data controller for prompts, user activity, policy events, and configuration data processed through their tenant. AILeakShield acts as a data processor (or “service provider” under CCPA/CPRA) and processes that data only on the documented instructions of the Customer Organization, consistent with our Data Processing Addendum (DPA).
- Employees and end users with questions about how their employer uses the Services should contact their employer’s privacy or security team in the first instance.
3. Summary of Data We Handle
The table below provides a plain-language summary. Detailed descriptions follow in later sections.
Category | Examples | Where Collected |
Account data | Name, business email, work title, organization, password hash, SSO identifiers | Site, Platform, Extension |
Billing data | Billing contact, address, plan, invoices, last four digits of payment card (full card data handled by Stripe) | Site, Platform |
Configuration data | Policies, rules, custom sensitive-data terms, allow/block lists, admin settings | Platform |
Prompt content (transient) | Text a user submits to an AI model through the Platform or Extension | Platform, Extension |
Detection metadata | Whether a prompt matched a policy, category of match (PII, PHI, PCI, credentials, secrets, source code, financial, custom), action taken (warn, mask, block, allow), timestamp, model targeted | Platform, Extension |
Usage and telemetry | Feature usage, prompt counts, token usage, error logs, performance metrics | Platform, Extension |
Browser/Extension context | Active tab URL or hostname of supported AI sites, Extension version, browser version, OS | Extension |
Site analytics | IP address, device/browser type, referring URL, pages viewed, marketing campaign IDs | Site |
Support data | Messages, attachments, and account context you send to support | All channels |
4. Information We Collect
4.1 Information You Provide
- Account registration: name, work email, organization, role, password (stored only as a salted hash), and (for SSO) the unique identifier returned by your identity provider (e.g., Microsoft Entra ID / Azure AD).
- Billing: company name, billing contact, billing address, tax IDs, and purchase details. Payment card data is collected and stored by our payment processor (Stripe); we receive only tokens and metadata such as the last four digits and card brand.
- Configuration: policies, custom regex/keyword rules, “fingerprinted” sensitive terms you upload, allow/deny lists, integration credentials and API keys you connect (encrypted at rest).
- Communications: content of emails, support tickets, chat messages, and survey responses.
4.2 Information from Prompt Processing (Platform and Extension)
When a user submits a prompt through the Platform or while the Extension is active on a supported AI site, we process the prompt for the limited purpose of applying the Customer Organization’s data-loss-prevention (“DLP”) policy:
- Prompt text is inspected in memory to detect matches against built-in detectors (PII, PHI, PCI, credentials, secrets, source code, financial data) and any custom rules configured by the Customer Organization.
- Depending on the policy, the prompt may be allowed, warned, masked/redacted, or blocked before it reaches the AI model.
- Daily deletion: By default, prompt text is deleted on a rolling daily basis. Detection metadata is retained for audit and reporting purposes, but the underlying prompt text is not retained.
- Where the Customer Organization brings its own AI provider or API keys (“BYO Model”), the (potentially redacted) prompt is transmitted directly from our infrastructure to that provider under the Customer Organization’s account; AILeakShield does not retain the model response beyond what is necessary to return it to the user.
4.3 Information Collected Automatically
- Usage telemetry: which features are used, prompt counts, action counts (warn/mask/block/allow), token usage, latency, and error logs.
- Device and connection data: IP address, user agent, browser version, operating system, language, and approximate location derived from IP.
- Cookies and similar technologies: see Section 12.
4.4 Information from Third Parties
- Identity providers (Microsoft Entra ID / Azure AD and other SSO providers) for authentication.
- Payment processor (Stripe) for billing status.
- AI providers (OpenAI, Anthropic, Google, and others) for model responses returned to the user.
- Analytics and marketing tools (e.g., Google Analytics, Google Search Console) for Site performance.
5. AILeakShield Browser Extension – Specific Disclosures
This section addresses the Chrome Web Store User Data Policy, including the Limited Use requirements. It applies to the AILeakShield Browser Extension for Chrome and other Chromium-based browsers.
5.1 Single Purpose of the Extension
The Extension has a single purpose: to inspect text a user is about to submit to an approved generative-AI web application (such as ChatGPT, Claude, or Gemini) and, based on the policy configured by the user’s organization, to warn, mask/redact, or block that submission when it contains sensitive data.
5.2 Data the Extension Handles
Data Type | What | Why |
Website content (prompt text on supported AI sites) | The text the user types or pastes into the prompt input of a supported AI site | To detect sensitive data and apply the configured policy (warn/mask/block) |
User activity (events on supported AI sites) | Submit/send actions, detection results, action taken (warn/mask/block/allow), model targeted, timestamp | To enforce policy and produce audit/compliance reports for the user’s organization |
Authentication information | Token issued by the AILeakShield Platform after the user signs in (typically via Microsoft SSO) | To associate the Extension with the user’s organization tenant and apply the correct policy |
Personally identifiable information | The signed-in user’s email/identifier returned from SSO; any PII the user includes in a prompt (subject of detection) | To bind the session to an account and to detect/protect PII before it leaves the browser |
Web history (limited) | The hostname/URL of the active tab only when it matches a supported AI site (e.g., chat.openai.com, claude.ai, gemini.google.com) | To know when the Extension should activate; the Extension does not collect general browsing history |
The Extension does not collect:
- Browsing history on non-AI sites;
- Form data, passwords, or content on any site other than supported AI sites;
- Health information unrelated to a user-submitted prompt;
- Financial or payment account credentials unrelated to a user-submitted prompt;
- Personal communications outside of prompts the user voluntarily submits to a supported AI tool;
- Precise geolocation;
- Keystrokes on sites outside the supported AI sites.
5.3 Permissions and Why We Request Them
The Extension requests only the minimum permissions necessary:
- activeTab / host permissions for supported AI sites (e.g., chat.openai.com, chatgpt.com, claude.ai, gemini.google.com, and other AI sites we explicitly support): to read and modify the prompt input before submission so we can apply policy.
- storage: to cache the user’s session token and the most recent policy locally so the Extension can operate quickly and offline-tolerant.
- scripting: to inject the content script that performs in-browser detection and applies warn/mask/block actions on the prompt input.
- Network access to the AILeakShield Platform API: to authenticate the user, retrieve policy, and send detection metadata.
We do not request broad <all_urls> host permissions, do not use webRequest to read arbitrary network traffic, and do not use remote code execution.
5.4 Limited Use Compliance (Chrome Web Store)
The Extension’s use of information received from Google APIs and from a user’s browsing activity will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:
- We use the data only to provide and improve the user-facing features of the Extension (sensitive-data detection and DLP enforcement on prompts submitted to supported AI sites).
- We do not transfer user data to third parties except (a) as necessary to provide or improve the user-facing features of the Extension; (b) to comply with applicable laws; or (c) as part of a merger, acquisition, or sale of assets, with notice to users.
- We do not use or transfer user data for serving advertising, including personalized or retargeted advertising.
- We do not use or transfer user data to determine creditworthiness or for lending purposes.
- We do not sell user data, and we do not share user data with data brokers.
- We do not allow humans to read user data (including prompt content captured by the Extension) except: (a) with the user’s or Customer Organization’s explicit consent; (b) when necessary for security purposes (e.g., investigating abuse or a specific security incident); (c) when required by law; or (d) when data has been aggregated and anonymized and is used for internal operations.
5.5 On-Device Processing and Data Minimization
Wherever practical, detection runs locally inside the browser so that prompt text is evaluated on the user’s device before any network call. When a Customer Organization enables features that require server-side analysis (for example, fingerprinted custom-term matching or advanced classifiers), the prompt text is transmitted over TLS to the AILeakShield Platform solely for that purpose, evaluated, and then handled according to the daily-deletion rule described in Section 4.2.
5.6 Prominent Disclosure and Consent in the Extension
On first run, the Extension displays an in-product disclosure that summarizes (a) the data it accesses, (b) why, and (c) where to read this Privacy Policy. The user (or the Customer Organization’s administrator at deployment time) must affirmatively accept this disclosure before the Extension begins inspecting prompt content.
5.7 Uninstalling and Local Data
Uninstalling the Extension removes the session token and locally cached policy from the browser. To request deletion of associated server-side records, see Section 10.
6. How We Use Information
We use the information described above for the following purposes:
- Provide the Services, including authenticating users, enforcing DLP policies, returning AI model responses, billing, and customer support.
- Secure the Services, including detecting abuse, fraud, account takeover, and policy circumvention.
- Maintain audit and compliance records for Customer Organizations (e.g., who triggered which policy, what action was taken).
- Improve product quality, including diagnosing errors, measuring performance, and developing new features. We do not train AI models on Customer Organization prompt content without express written authorization from that Customer Organization.
- Communicate with you about service updates, security advisories, billing, and (where permitted) marketing. You can opt out of marketing at any time.
- Comply with legal obligations and enforce our terms.
We rely on the following GDPR legal bases where applicable: performance of a contract (Art. 6(1)(b)), legitimate interests in operating and securing the Services (Art. 6(1)(f)), compliance with legal obligations (Art. 6(1)(c)), and consent where required (Art. 6(1)(a)).
7. How We Share Information
We share information only as described below. We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under California law.
- Customer Organizations: Activity, policy events, and configuration data generated by an end user are made available to that user’s Customer Organization administrators.
- Sub-processors and service providers that help us operate the Services, including Microsoft Azure (cloud hosting, U.S. regions), Stripe (payment processing), OpenAI, Anthropic, Google, and other AI providers (model inference for prompts the user chooses to submit, subject to redaction/masking applied by policy), email and support tools, and analytics and monitoring tools (e.g., Google Analytics on the Site). A current list of sub-processors is available on request.
- Authentication providers chosen by the Customer Organization (e.g., Microsoft Entra ID).
- Legal and safety: to comply with law, respond to lawful requests, or protect the rights, property, or safety of AILeakShield, our users, or others.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, with notice as required by law.
8. SOC 2 Type 2 Privacy and Security Commitments
AILeakShield maintains an information-security and privacy program designed to meet the AICPA Trust Services Criteria (“TSC”) applicable to a SOC 2 Type 2 examination, covering the Security, Confidentiality, and Privacy categories. This section summarizes how the controls behind that program implement the commitments in this Privacy Policy. These commitments apply to the operation of the Platform and the Extension; the Site is in scope for Security commitments where it processes personal data (e.g., trial sign-ups and billing).
8.1 Trust Services Criteria In Scope
- Security (Common Criteria CC1-CC9): control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.
- Confidentiality (C1): identification, protection, and disposal of confidential information, including Customer Organization configuration, prompts, and detection metadata.
- Privacy (P1-P8): notice and communication of objectives (P1), choice and consent (P2), collection (P3), use, retention, and disposal (P4), access (P5), disclosure and notification (P6), quality (P7), and monitoring and enforcement (P8).
The Availability and Processing Integrity categories may be added to the scope of future examinations; we will update this Policy when changes occur.
8.2 Mapping of Privacy Commitments to SOC 2 Privacy Criteria (P1-P8)
Criterion | Commitment | Where Implemented |
P1 – Notice and Communication of Objectives | We publish this Privacy Policy, a Cookie Notice, a Sub-processor List, and a Data Processing Addendum. Material changes are communicated in advance to account administrators by email or in-product banner. | Section 1, 11, 12, 17 |
P2 – Choice and Consent | Where required, we obtain consent before collecting or using personal information, including the Extension first-run disclosure and the cookie banner on the Site. Users may withdraw consent at any time. | Section 5.6, 12, 10 |
P3 – Collection | We collect only the personal information necessary to deliver the Services. Detection runs in-browser when possible. Custom rules and fingerprints are configured by the Customer Organization, not us. | Section 4, 5.2, 5.5 |
P4 – Use, Retention, and Disposal | Personal information is used only for the purposes described in Section 6. Prompt text is deleted on a rolling daily basis. Detection metadata, account data, and billing data are retained per the schedule in Section 9 and then deleted or de-identified. | Section 6, 9 |
P5 – Access | Authorized users may access, correct, port, or delete their personal information by contacting privacy@aileakshield.com. End users employed by a Customer Organization should direct prompt and policy data requests to their employer; we support those requests as a processor. | Section 10 |
P6 – Disclosure and Notification | We share personal information only as described in Section 7, under written contracts that bind sub-processors to equivalent protections. We notify Customer Organizations of confirmed security incidents involving their data without undue delay and in any case within 72 hours of confirmation, in line with our DPA. | Section 7, 8.7 |
P7 – Quality | We provide self-service tools for users and administrators to update their information and tenant configuration. Source systems of record are documented, and integrity checks are run on detection rule updates. | Section 10, 8.5 |
P8 – Monitoring and Enforcement | We operate a privacy and security incident-response program, conduct internal control testing throughout the audit period, engage an independent CPA firm for the SOC 2 Type 2 examination, and document corrective actions for any exceptions. | Section 8.6, 8.7 |
8.3 Governance and Roles
- Executive ownership of the privacy and security program sits with the AILeakShield leadership team, with day-to-day operation led by an information-security function holding industry credentials including CISSP.
- Written policies cover acceptable use, access control, change management, vendor management, secure development, vulnerability management, incident response, business continuity / disaster recovery, data classification, data retention, and privacy.
- Policies are reviewed at least annually and after material changes; personnel acknowledge them at hire and annually thereafter.
8.4 Access Control and Personnel Security
- Role-based access control (RBAC), least-privilege provisioning, and quarterly access reviews for production systems.
- Mandatory single sign-on (SSO) and multi-factor authentication (MFA) for personnel accessing production environments, code repositories, cloud consoles, and administrative tooling.
- Background checks where permitted by law, confidentiality agreements, and security awareness and privacy training at hire and at least annually thereafter, with role-based training for engineers handling Customer Organization data.
- Documented joiner/mover/leaver process with same-day access revocation on termination.
8.5 Data Protection, Confidentiality, and Secure Development
- Encryption in transit using TLS 1.2 or higher and encryption at rest using AES-256 for Customer Organization data, configuration, detection metadata, and backups.
- Tenant isolation in the Platform with logical separation of Customer Organization data; cryptographic key management via the cloud provider key-management service.
- Confidentiality classification of data with handling rules for “Customer Confidential” and “Restricted” categories; secure disposal of media and timely deletion at end of retention.
- Secure software development lifecycle (SDLC) including peer code review, automated static analysis (SAST), software composition analysis (SCA) for third-party libraries, and pre-deployment security testing.
- Change-management process requiring documented approval, tested rollback, and segregation of duties between development and production deployment.
- Annual third-party penetration testing of the Platform and the Extension; recurring internal vulnerability scanning and remediation tracked to SLA by severity.
8.6 Logging, Monitoring, and Risk Management
- Centralized logging of authentication events, administrative actions, policy changes, detection events, and infrastructure events, retained per Section 9.
- Continuous monitoring with alerting for anomalous behavior, failed authentications, configuration drift, and suspected data exfiltration attempts.
- Annual enterprise risk assessment covering threats to confidentiality, integrity, availability, and privacy; quarterly review of the risk register and treatment plans.
- Vendor-risk management program: every sub-processor is reviewed before onboarding (security posture, SOC 2 or equivalent attestation where available, DPA) and re-reviewed at least annually.
- Independent SOC 2 Type 2 examination conducted by a licensed CPA firm covering a defined audit period; the resulting report is available to current and prospective Customer Organizations under NDA.
8.7 Incident Response and Breach Notification
- A documented incident-response plan defines severity levels, roles, communication channels, and timelines. The plan is exercised at least annually through tabletop or live drills.
- Personnel are required to report suspected incidents immediately to security@aileakshield.com or via internal channels.
- For confirmed security incidents affecting Customer Organization personal data, we notify the affected Customer Organization without undue delay and in any case within 72 hours of confirmation, providing the information required by our DPA and by applicable law (e.g., GDPR Art. 33-34, U.S. state breach-notification laws, and HIPAA where a Business Associate Agreement is in place).
- Where AILeakShield is the controller (e.g., Site visitors), we notify affected individuals and regulators as required by applicable law.
- Post-incident reviews capture root cause, customer impact, and corrective actions, which are tracked to closure.
8.8 Business Continuity and Resilience
- The Platform is hosted on Microsoft Azure in continental U.S. regions; backups are encrypted and stored with geographic redundancy.
- Documented Business Continuity and Disaster Recovery (BC/DR) plans with target recovery objectives (RTO/RPO) appropriate to the criticality of each system; plans are tested at least annually.
- Capacity, availability, and performance are monitored; status communications are issued for incidents affecting Service availability.
8.9 Customer Responsibilities (Complementary User Entity Controls)
SOC 2 examinations recognize that certain controls must be operated by the Customer Organization for the overall control objectives to be met. Customer Organizations are responsible for:
- Configuring their identity provider, MFA, and SSO appropriately and managing user lifecycle in that identity provider.
- Designing DLP policies, custom rules, and fingerprinted terms appropriate to their data classification and regulatory requirements.
- Managing administrator roles within the Platform, including periodic review of administrators and end users.
- Reviewing audit logs and detection events; investigating internal alerts within their own incident-response process.
- Protecting their own AI provider API keys when using “Bring Your Own Model” features.
- Informing their employees and other authorized users about deployment of the Extension and obtaining any consents required by local law.
8.10 Availability of Attestations
Once issued, the SOC 2 Type 2 report and an executive summary may be requested by emailing security@aileakshield.com under a mutual non-disclosure agreement. Bridge letters are issued between examination periods to confirm continued operation of controls.
9. Data Retention
- Prompt text: deleted on a rolling daily basis by default. Customer Organizations on enterprise plans may configure shorter retention.
- Detection metadata and audit logs: retained for the duration of the Customer Organization’s subscription plus up to 12 months, unless a different period is specified in the customer’s order form or DPA.
- Account and billing records: retained for the life of the account and for up to 7 years after termination to meet tax, accounting, and legal obligations.
- Site analytics: retained according to the configured retention in Google Analytics (typically 14 months).
- Support communications: retained for up to 3 years after the ticket is closed.
When retention periods expire, data is deleted or de-identified.
10. Your Rights and Choices
Depending on where you live, you may have the following rights:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete personal information, subject to legal and contractual exceptions.
- Portability of personal information you provided to us.
- Object to or restrict certain processing.
- Withdraw consent where processing is based on consent.
- Opt out of “sale” or “sharing” of personal information (we do not engage in either).
- Non-discrimination for exercising your rights.
- Lodge a complaint with your local data-protection authority.
To exercise these rights, email privacy@aileakshield.com. We will verify your request and respond within the time required by applicable law (typically 30-45 days). If you are an employee of a Customer Organization, please direct requests concerning prompt or policy data to your employer; we will support them as a processor.
California residents: the categories of personal information we collect, use, and disclose in the past 12 months correspond to the categories in Section 3 above. We do not sell or share personal information for cross-context behavioral advertising, and we do not knowingly process the sensitive personal information of California residents for purposes other than those permitted by the CPRA without notice.
11. International Data Transfers
The Services are hosted in the United States on Microsoft Azure. If you access the Services from outside the United States, your information will be transferred to and processed in the United States and potentially other countries where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
12. Cookies and Tracking on the Site
The Site uses cookies and similar technologies for essential operation, analytics, and limited marketing measurement. We use Google Analytics and Google Search Console to understand Site performance. You can control cookies through your browser settings and, where shown, through our cookie banner. The Extension itself does not set or read website cookies for tracking purposes; it uses browser-local storage solely for session and policy caching.
13. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest;
- Tenant isolation in the Platform;
- Role-based access control and least-privilege access for personnel;
- Single sign-on, MFA, and audit logging for administrative actions;
- Hosting on Microsoft Azure in continental U.S. regions;
- Vulnerability management, annual third-party penetration testing, and secure-development practices led by an in-house team holding industry certifications including CISSP;
- An information-security and privacy program aligned to SOC 2 Type 2 Trust Services Criteria for Security, Confidentiality, and Privacy (see Section 8).
No method of transmission or storage is 100% secure. If you believe your account or data has been compromised, contact security@aileakshield.com immediately.
14. Children’s Privacy
The Services are intended for business use by adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
15. Automated Decision-Making
The Services use automated detection (regex, classifiers, and fingerprinting) to determine whether a prompt matches a configured policy and to apply a warn/mask/block action. These decisions are limited to enforcing the Customer Organization’s DLP policy and do not produce legal or similarly significant effects on the user. Customer Organizations can configure overrides and review procedures.
16. Third-Party AI Providers
When a user submits a prompt that is permitted by policy, the (potentially redacted) prompt is transmitted to the AI provider the user selected (e.g., OpenAI, Anthropic, Google). Those providers process the prompt under their own terms and privacy policies. AILeakShield is not responsible for the practices of those providers. Customer Organizations on enterprise plans may bring their own AI provider accounts and API keys to apply their direct contractual terms with those providers.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version at this URL and update the “Last Updated” date. For material changes, we will provide additional notice (for example, by email to account administrators or an in-product banner) before the changes take effect.
18. Contact
Questions, requests, or complaints about this Privacy Policy or our data practices:
AILeakShield – Privacy Team
Managed Security Services LLC (DBA Cyber Security Services)
752 N. State Street #172
Westerville, OH 43082
United States
Email: privacy@aileakshield.com
Support: support@aileakshield.com
Security: security@aileakshield.com
This Privacy Policy is provided as a template and should be reviewed by qualified legal counsel before publication. It is not legal advice.
