Privacy Policy

Effective date: 6 June 2025 · Last updated: 6 June 2025

What Slopfence is

Slopfence (“we”, “us”, “our”) is a browser-based Data Loss Prevention (DLP) service that helps organisations monitor and control what data employees share with AI tools such as ChatGPT, Claude, and Gemini.

Data we collect

Organisation administrators provide a corporate email address, organisation name, and billing details. This is used to create and manage your account.

End users (employees) are enrolled by invitation. We store their work email address, name, and department.

Alert metadata — when the Slopfence browser extension detects a policy violation, we record: the matched rule name, the first 200 characters of the content that triggered the rule (the snippet), the platform (e.g. chatgpt.com), the timestamp, and the user identifier. Full message or file content is never transmitted to or stored on Slopfence servers.

Usage data — aggregate counts of messages scanned, files scanned, and alerts triggered per organisation. No individual message content.

What we do NOT collect

  • Full text of AI prompts or responses
  • Full content of uploaded files
  • Browsing history outside of AI tool domains
  • Keystrokes or screen recordings
  • Any data from non-monitored websites

How the browser extension works

The Slopfence Chrome extension operates entirely within the user's browser. It patches window.fetch and XMLHttpRequest on supported AI tool domains. When a prompt or file upload is detected, the content is scanned locally using your organisation's DLP rules. No data is routed through Slopfence servers as a proxy — only the resulting alert metadata (not the content itself) is sent if a rule is triggered.

How we use the data

  • To power your organisation's admin dashboard and alert feed
  • To generate aggregate compliance reports
  • To send webhook notifications to third-party integrations you configure (Slack, Teams, PagerDuty, etc.)
  • To improve DLP detection accuracy
  • To respond to support requests

We do not sell your data. We do not use your data to train AI models.

Data retention

Alert records are retained for 12 months from creation, after which they are automatically deleted. Organisation and user records are retained for the lifetime of the account and deleted within 30 days of account closure.

Data sharing

We share data only with sub-processors necessary to operate the service (cloud infrastructure, database hosting, authentication). We do not share data with third parties for advertising purposes.

Webhook data is transmitted to the integrations your organisation administrator configures. You are responsible for the privacy practices of those third-party services.

Your rights (GDPR / CCPA)

If you are located in the EU or California, you have the right to access, correct, export, or delete the personal data we hold about you. To exercise these rights, email [email protected]. We will respond within 30 days.

Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel. We operate on modern cloud infrastructure with SOC 2-compliant providers.

Changes to this policy

We may update this policy. We will notify the administrator of your organisation by email at least 14 days before material changes take effect.

Contact

Questions about this policy: [email protected]