Privacy policy for the PORT CIPHER add-on
PORT CIPHER by Port Cipher
Port Cipher — Privacy Policy
For the canonical, formatted version of this policy see:
https://portcipher.com/privacy
WHO WE ARE
Port Cipher provides a browser extension and management console that help organisations monitor and control the use of AI tools across their browsers. This policy explains what data we collect through the extension and the console, why we collect it, how long we keep it, and your rights over it.
WHAT DATA WE COLLECT
1. Browser activity data
When the extension is active on a recognised AI tool, we record events containing:
- The AI tool visited (e.g. "chatgpt", "claude")
- The event type (visit, prompt, blocked navigation, paste blocked, etc.)
- The URL with query string and fragment stripped when not required
- A timestamp
- A user identifier (verified email after SSO sign-in, otherwise a local identifier)
- Event-specific metadata: for DLP events, only the class of sensitive data detected (e.g. "credit_card") not the raw matched content; for shadow-AI discoveries, only the hostname plus matched signals
The extension does NOT record: keystrokes, full page text, form inputs outside AI-tool contexts, passwords, or browsing activity on sites that are not recognised AI tools.
2. Authentication data
When a user signs in via OIDC (Microsoft Entra, Okta, Google Workspace), we receive their verified email address and group memberships. OAuth tokens are stored in the user's browser only — never transmitted to our servers.
3. Extension telemetry
Browser name, browser version, operating system, extension version. Used so administrators can see which installs are active.
4. Administrator data
For administrators using the management console: email, role, session metadata, and audit log entries for every administrative action.
HOW WE USE THE DATA
- Provide the governance product (showing administrators which AI tools are used and by whom)
- Enforce the organisation's policies (block, warn, DLP, redirects)
- Operational security (verifying request authenticity)
- Administrator authentication
We do NOT sell or rent personal data. We do NOT use customer data to train AI models. We do NOT share data with advertising networks.
REGIONAL DATA RESIDENCY
Data is stored in one of four regional databases (Oceania, US, EU, APAC) chosen at provisioning time. Data stays in the region it was written to and is not replicated cross-region. EU customer data never leaves the EU.
DATA RETENTION
- Browser activity events: 90 days default (configurable per plan)
- Audit log entries: 24 months
- Extension install heartbeats: 30 days past last heartbeat
- Authentication data: for the life of the subscription + 90 days
When a customer terminates their subscription, all data is deleted from the regional database within 30 days. Earlier deletion is available on request.
SECURITY
- All traffic encrypted in transit using TLS 1.3
- Each extension install enrols a unique HMAC secret; every API request is signed
- Administrator sessions are HMAC-SHA256 signed JWTs protected by OIDC + customer-enforced MFA
- Secrets at rest are encrypted with per-project keys
- OAuth access and refresh tokens remain in the user's browser only
SUBPROCESSORS
- Cloudflare, Inc. — edge compute, database, email, DNS, DDoS protection. Data stays in customer's chosen region.
We notify customers at least 30 days before adding a new subprocessor.
YOUR RIGHTS
Under GDPR, UK DPA, Australian Privacy Act, and similar laws you have rights to access, correct, delete, and port your data. Requests should come through your organisation's administrator in the first instance. Contact us directly if you cannot reach them.
CHILDREN
Port Cipher is a workplace product not intended for use by anyone under 16. We do not knowingly collect data from children.
CONTACT
Privacy: privacy@portcipher.com
Security: security@portcipher.com
General: support@portcipher.com
Effective date: 21 April 2026
Last updated: 21 April 2026