Legal

Privacy Policy

Effective date: 1 May 2025  ·  Last updated: 28 May 2026

SecureGPT is built on a privacy-first, local-first principle. Sensitive data you type is detected and masked entirely inside your browser — raw PII, credentials, or confidential text never leaves your device and never reaches our servers.

1. Who We Are

SecureGPT is a product developed and operated by Rivedix ("we", "us", "our"). We provide a browser-native Data Loss Prevention (DLP) extension and an accompanying dashboard to help individuals and enterprise teams prevent sensitive data from being shared with external AI language model providers.

For privacy enquiries, contact us at: info@rivedix.com

2. What Data We Collect

We collect the minimum data necessary to operate the service. Here is a precise breakdown:

  • Account information (Collected): Work email address, display name, and organisation name provided during sign-up. Used solely for authentication and account management.
  • Detection metadata (Collected): Anonymised event logs: the type of sensitive data detected (e.g. 'API Key'), the platform where it was detected (e.g. 'ChatGPT'), and the policy action taken (e.g. 'Masked'). This data never includes the actual sensitive value.
  • Extension usage telemetry (Collected): Aggregate, anonymised signals such as whether the extension is active or paused. No prompt content or page content is ever captured.
  • Raw prompt content (NOT collected): We do not collect, transmit, or store the text of any message you type. All prompt inspection happens locally in your browser tab.
  • Sensitive data values (NOT collected): We do not collect the actual PII, credentials, financial data, or any other sensitive entities detected. Only the category and count are logged.

3. How We Use Your Data

  • To authenticate your account and provide access to the dashboard.
  • To generate compliance audit logs visible to your organisation's administrator.
  • To improve detection accuracy using fully anonymised, aggregated pattern data — never linked to individuals.
  • To send service-critical communications (e.g. security alerts, policy changes). We do not send marketing emails without explicit consent.
  • To analyse product usage at an aggregate level to improve the extension's performance.

4. Data Storage and Retention

Account data and detection metadata are stored on secure servers within the European Union (EU). We retain detection logs for up to 90 days on paid plans and 7 days on the free tier, after which they are automatically deleted. Account data is retained for the duration of your subscription and deleted within 30 days of account closure upon request.

We implement AES-256 encryption at rest and TLS 1.3 in transit for all data we do store.

5. Data Sharing and Third Parties

We do not sell your data. We do not share your data with third parties for advertising purposes. Limited sharing occurs only in these circumstances:

  • Your organisation's designated administrator can view detection event logs for audit and compliance purposes.
  • We use trusted sub-processors (cloud infrastructure, authentication providers) who are bound by data processing agreements under GDPR Article 28.
  • We may disclose data if required by law, court order, or to protect the rights and safety of our users.

6. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

Access

Request a copy of all personal data we hold about you.

Correction

Ask us to correct inaccurate or incomplete data.

Erasure

Request deletion of your personal data ("right to be forgotten").

Portability

Receive your data in a structured, machine-readable format.

Objection

Object to processing based on legitimate interests.

Restriction

Ask us to limit processing in certain circumstances.

To exercise any of these rights, email info@rivedix.com. We will respond within 30 days.

7. Cookies

The SecureGPT dashboard uses strictly necessary session cookies for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as we use only essential cookies.

8. Security

Security is our core product, and we apply the same rigour to our own infrastructure. Measures include: TLS 1.3 for data in transit, AES-256 encryption at rest, strict access controls and audit logging on our systems, and regular security reviews. We operate a responsible disclosure policy — if you discover a vulnerability, please report it to info@rivedix.com.

9. Changes to This Policy

We may update this Privacy Policy as the service evolves. Material changes will be communicated via the dashboard and, where required, via email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

10. Contact

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please reach out to:

Rivedix — Data Privacy

info@rivedix.com