# AiEGIS Privacy Policy

Effective: 2026-05-04 · Version 1.0 · Document owner: privacy@aiegis.ie


**One-paragraph summary:** AiEGIS is a compliance tool. It captures the prompts your employees send to AI services (ChatGPT, Claude, Gemini, Copilot) so your organisation can prove regulatory compliance. **Captured prompt content never leaves the customer's machine.** The daemon makes exactly one external network call — a weekly license-validity check that sends the license key only, never prompt content. PII redaction happens in-browser via the AiEGIS extension before any data is stored. The compliance dashboard runs on the same machine that captured the data. Verified by static analysis of the daemon source (single outbound URL on the documented allowlist; pre-release gate `check_outbound_endpoints.sh` blocks any deviation).


## 1. Who we are

AiEGIS is operated by AiEGIS Ltd (Ireland). Privacy contact:
[privacy@aiegis.ie](mailto:privacy@aiegis.ie). Postal address available
on request via that mailbox.

## 2. What AiEGIS captures

The browser extension and native messaging host capture:



| Field | Source | Stored where | Sent off-device? |
|---|---|---|---|
| `prompt_redacted` | AI-vendor chat box (DOM intercept) or vendor API call (webRequest) | Local SQLite on the capturing machine | **No.** |
| `response_redacted` | Same as above (response side) | Local SQLite | **No.** |
| `ts` | Browser clock at capture moment | Local SQLite | **No.** |
| `vendor`, `model_version` | Inferred from URL / request payload | Local SQLite | **No.** |
| `license_key` | From `~/.aegis/license` on the capturing machine | Local SQLite (per row) | Sent to `aiegis.ie/api/license/check` weekly to verify license is still valid. Prompts are *not* sent. |
| `tab_title`, `url` | Browser tab metadata | Local SQLite | **No.** |



**Redaction happens in-browser, before the daemon ever sees the prompt.**
The AiEGIS browser extension's content script applies PII redaction (email
addresses, phone numbers, credit-card patterns, IBANs, etc.) inside the
browser tab. The redacted text is then sent via Chrome Native Messaging to
the local daemon, which stores it in the local SQLite. **The daemon
never sees, processes, or transmits unredacted prompt content.**
The daemon also does not invoke any AI model — local or remote — for
post-processing. There is no llama, no OpenAI/Anthropic/Google call from
the daemon. Capture → redact-in-browser → store-locally is the entire flow.

## 3. What AiEGIS does NOT capture


- Anything outside the browsers / pages the customer's IT explicitly enables (default scope: `chat.openai.com`, `chatgpt.com`, `claude.ai`, `gemini.google.com`, `copilot.microsoft.com`).

- Personal browsing (Gmail, banking, social media) — content scripts only inject on the AI-vendor domains above.

- Keystrokes outside the AI chat boxes.

- Files, downloads, screenshots.

- Webcam, microphone, location.

- Anything once the extension is disabled in the browser settings.



## 4. Data flow and policy enforcement (intercept-and-conditionally-block model)

AiEGIS is not a passive logger. The browser extension intercepts AI service
calls before they leave the browser, allowing the customer's policy engine to
permit or refuse each prompt. **The interception is read-only on prompt
content — AiEGIS never modifies what the user typed before forwarding.**
The flow for a single prompt:


- **Observe.** The extension's content script monkey-patches
`window.fetch` + `XMLHttpRequest`. When the user submits a
prompt to ChatGPT / Claude / Gemini / Copilot, the extension reads the
prompt body client-side, in-browser. No data has left the machine yet.

- **Redact.** PII patterns (emails, phone numbers, IBANs, etc.)
are masked in-browser before any further step.

- **Check policy.** The redacted prompt is sent to the customer's
local policy engine (the AiEGIS daemon's `/api/protect` endpoint
on `localhost`). The customer configures the policy.

- **Enforce.** If the policy returns BLOCK, the wrapped
`fetch` call is refused — the prompt never reaches the AI vendor.
If ALLOW, the original (unmodified) request is forwarded to the original
vendor URL the user requested (chatgpt.com / api.anthropic.com / etc.).

- **Log.** The redacted copy is sent via Chrome Native Messaging
to the local daemon and stored in local SQLite for compliance evidence.



**What this means in practice:**


- AiEGIS does NOT redirect AI-service traffic to a proxy. ALLOW'd prompts go
directly to the vendor URL the user requested.

- AiEGIS does NOT modify prompt content before forwarding. The vendor sees
exactly what the user typed.

- AiEGIS DOES have the technical capability to refuse forwarding. This is
the BLOCK feature — disabled by default, enabled per customer policy.

- AiEGIS's own infrastructure receives nothing about the prompt. The
policy check is local (`localhost`) and the audit log is local
(`SQLite`).



### 4.1 Scope of the BLOCK feature (current limitations)

The intercept-and-conditionally-block model applies to **chat-input
prompt text** — the content the user types into the chat box, or the
JSON body of a direct API call to `api.openai.com` /
`api.anthropic.com` / `generativelanguage.googleapis.com`.

It does **not** currently apply to:


- File attachments (PDFs, images, .docx, .txt, .csv, code
files, etc.) uploaded via the vendor's attachment UI. These travel in
`multipart/form-data` request bodies which the current content
script does not inspect for redaction or policy check. File-content
scanning ships in v0.5 — until then, customers should configure their
policy to BLOCK on prompt phrases like "summarise the attached" if file
leakage is a concern.

- Voice / image / video input that the vendor handles outside the standard
text-prompt flow.

- Prompts submitted via vendor-native desktop apps (ChatGPT desktop, Claude
desktop, Copilot in Word/Excel) that bypass the browser entirely. Native
agent coverage ships in v0.5 (Mac) / v0.6 (Windows).



Customers deploying AiEGIS with the BLOCK feature enabled should review
their employees' workflow with these gaps in mind. The compliance UI surfaces
these limitations in the in-app deployment checklist.

### 4.2 Behaviour when the policy engine is unreachable

If the local policy engine cannot be reached for any reason (engine
crashed, configuration error, port collision), AiEGIS defaults to
**fail-CLOSED** for sovereign and enterprise tiers (the BLOCK
verdict is returned to the wrapped fetch and the user sees a banner: "AiEGIS
could not verify this prompt. Submission paused. Retry or contact admin.").
For SMB tier deployments, the default is **fail-OPEN** with the
event logged and a customer-visible warning. The fail-mode is bound to the
license tier claim and is configurable via the deployment policy.
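
The single-prompt flow in section 4 and the fail modes in 4.2, as an added example (this is not AiEGIS's extension code). `redact`, `guardedFetch`, the injected `upstream` / `checkPolicy` / `log` helpers and the `"ALLOW"` / `"BLOCK"` return contract are assumptions, since the page does not give the `/api/protect` request or response format; the three regexes are simplified stand-ins for real PII patterns.

```javascript
// Added illustration; every name here is hypothetical.
const PII_PATTERNS = [
  [/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, "[EMAIL]"],
  // IBAN runs before phone so its digit groups are not half-consumed by the phone rule.
  [/\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g, "[IBAN]"],
  [/\+?\d[\d ()-]{7,}\d/g, "[PHONE]"],
];

function redact(text) {
  return PII_PATTERNS.reduce((out, [re, tag]) => out.replace(re, tag), text);
}

// deps.upstream    : the real fetch (the saved original when wrapping window.fetch)
// deps.checkPolicy : async (redactedText) => "ALLOW" | "BLOCK"  (assumed contract)
// deps.log         : receives the redacted record only
// deps.failMode    : "closed" or "open"; applies only when the engine is unreachable
async function guardedFetch(url, init, deps) {
  const redacted = redact(String(init?.body ?? ""));   // observe + redact
  let verdict;
  let engineReachable = true;
  try {
    verdict = await deps.checkPolicy(redacted);         // check policy (local engine)
  } catch {
    engineReachable = false;
    verdict = deps.failMode === "open" ? "ALLOW" : "BLOCK";
  }
  // Anything other than an explicit ALLOW is refused, including unknown verdicts.
  const allowed = verdict === "ALLOW";
  deps.log({ prompt_redacted: redacted, url, allowed, engineReachable }); // log
  if (!allowed) throw new Error("prompt refused by policy");             // enforce
  return deps.upstream(url, init);  // same url and init object: nothing rewritten
}
```

Only the redacted copy reaches the policy check and the log; the forwarded request body is the caller's original.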

### 4.3 Threat model: co-installed extensions with debugger access

AiEGIS protects against the network-layer threats above (data exfiltration,
prompt forwarding, policy bypass). It does **not** protect against
a malicious co-installed browser extension that has been granted
`debugger` permission by the user, since such extensions can read
the message traffic of every extension running in the same browser profile.
Customer IT should pin allowed extensions via GPO / Intune / MDM and prevent
users from installing arbitrary "productivity" or "tab-management" extensions
that request debugger permissions. A recommended Edge / Chrome
`ExtensionInstallAllowlist` + `ExtensionInstallForcelist`
policy template is on our v0.3.7 roadmap; until then, customer IT can build
their own policy referencing the AiEGIS extension ID published in the
`deployment` section of `/.well-known/privacy.json`.
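
One way customer IT can check a browser profile against the pinning advice above, as an added example (not an AiEGIS tool or template). The policy keys are the Chrome / Edge policy names; `auditProfile`, the extension IDs, the update URL and the inventory are constructed placeholders, and the real AiEGIS extension ID must be taken from `/.well-known/privacy.json`.

```javascript
// Added illustration. IDs are constructed placeholders, not real extension IDs.
const AIEGIS_ID = "aiegis-extension-id-placeholder";

// Shape of the managed policy; all values constructed.
const POLICY = {
  ExtensionInstallBlocklist: ["*"],
  ExtensionInstallAllowlist: ["constructed-id-password-manager"],
  // Forcelist entries are "<extension id>;<update URL>".
  ExtensionInstallForcelist: [AIEGIS_ID + ";https://update.example/crx"],
};

function auditProfile(policy, installed) {
  const findings = [];
  const pinned = new Set([
    ...(policy.ExtensionInstallAllowlist ?? []),
    ...(policy.ExtensionInstallForcelist ?? []).map((e) => e.split(";")[0]),
  ]);
  // Without "*" in the blocklist, users can still install anything not individually blocked.
  if (!(policy.ExtensionInstallBlocklist ?? []).includes("*")) {
    findings.push({ id: null, issue: "blocklist lacks \"*\"" });
  }
  for (const { id, manifest } of installed) {
    const perms = [
      ...(manifest.permissions ?? []),
      ...(manifest.optional_permissions ?? []), // can be granted later at runtime
    ];
    if (!pinned.has(id)) findings.push({ id, issue: "not pinned by policy" });
    if (perms.includes("debugger")) findings.push({ id, issue: "requests debugger" });
  }
  return findings;
}

// Constructed inventory: id plus parsed manifest.json for each installed extension.
const INSTALLED = [
  { id: AIEGIS_ID, manifest: { permissions: ["storage", "nativeMessaging", "webRequest"] } },
  { id: "constructed-id-password-manager", manifest: { permissions: ["storage"] } },
  { id: "constructed-id-tab-tool",
    manifest: { permissions: ["tabs"], optional_permissions: ["debugger"] } },
];
```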

There are exactly three outbound network calls AiEGIS itself makes
(separate from the user's own AI-service traffic):



| When | To | What's sent | What's NOT sent |
|---|---|---|---|
| License check (weekly + on-launch, v0.3.5+) | `aiegis.ie/api/license/check` | License key (Bearer header), nothing else | No prompts, no responses, no metadata about captures, no policy decisions |
| Initial license issuance (one-time, install) | `aiegis.ie/api/fleet/license/issue` | Machine hostname, OS name, customer email (provided by the admin) | No prompts (none captured yet at install) |
| Cross-machine team sync (admin-side, optional) | `aiegis.ie/api/team-share` | Files the admin explicitly uploads (specs, scripts, policy bundles) | No captured prompts; admin chooses what to upload |



**Captured prompts are never sent to AiEGIS Ltd or any third party.**
They live in a local SQLite database on the capturing machine. The compliance
dashboard runs on the customer's own machine and queries the local database
over `localhost`. AiEGIS Ltd's infrastructure never sees prompt
content — that's both a policy commitment and a structural property of the
system, verified by static analysis (see `check_outbound_endpoints.sh`).
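
A customer reviewing the endpoint claim can run the same kind of gate over any source tree. The following is an added example, not the project's `check_outbound_endpoints.sh`: it takes the three endpoints from the table above as the allowlist, and `findUndocumentedEndpoints`, the file names, the port and the offending URLs are constructed.

```javascript
// Added illustration, not AiEGIS's check_outbound_endpoints.sh.
// Allowlist = the three endpoints in the outbound-call table above.
const DOCUMENTED = new Set([
  "aiegis.ie/api/license/check",
  "aiegis.ie/api/fleet/license/issue",
  "aiegis.ie/api/team-share",
]);
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const URL_RE = /https?:\/\/[^\s"'`<>)\\]+/g;

function findUndocumentedEndpoints(files, allowlist = DOCUMENTED) {
  const violations = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const raw of line.match(URL_RE) ?? []) {
        const hit = (reason) => violations.push({ path, line: i + 1, url: raw, reason });
        let u;
        try { u = new URL(raw); } catch { hit("unparseable URL"); continue; }
        if (LOCAL_HOSTS.has(u.hostname)) continue; // local policy engine / dashboard
        // Compare the parsed host and path: substring matching accepts lookalike hosts.
        const key = u.hostname + u.pathname.replace(/\/+$/, "");
        if (u.protocol !== "https:") hit("plaintext http");
        else if (!allowlist.has(key)) hit("not on documented allowlist");
      }
    });
  }
  return violations;
}

// Constructed sample tree (file names, port and the three offending URLs are made up).
const SAMPLE_TREE = {
  "sample/license.py": 'CHECK = "https://aiegis.ie/api/license/check"\n',
  "sample/engine.py": 'PROTECT = "http://localhost:8787/api/protect"\n',
  "sample/extra.py": [
    'A = "https://aiegis.ie.collector.example/api/license/check"',
    'B = "https://aiegis.ie@collector.example/api/license/check"',
    'C = "http://aiegis.ie/api/license/check"',
  ].join("\n"),
};
```

A literal-string scan like this only sees URLs written out in source; hosts assembled at runtime or read from configuration need an egress check on the running daemon as well.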

## 5. Edge / Microsoft Add-ons specific disclosure

Per Microsoft Edge Add-ons policy 1.6 and 1.5.3:

### 5.1 Permissions and why


| Permission | Why we need it |
|---|---|
| `storage` | Persist license key, dashboard endpoint, and the per-customer enforcement flag (`aegis_enforce`) across browser sessions. |
| `nativeMessaging` | Send captured prompts to the local native host (which writes them to local SQLite). Customer-cloud-only deployment keeps captured data off AiEGIS Ltd cloud — `data_residency` property documented at [/privacy.json](/.well-known/privacy.json) + enforced via static-analysis gate `check_outbound_endpoints.sh`. |
| `webRequest` | Observe outbound API calls to AI vendors (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com) for prompts that bypass the chat UI (e.g., direct API integrations). |
| `host_permissions` | Inject content scripts on the 5 AI-vendor chat pages above. Each entry is necessary for a specific declared capture path. |



### 5.2 First-run consent (v0.3.6+)

The extension shows a first-run consent dialog before any capture occurs.
Capture is opt-in (administrator policy), and the user can disable enforcement
via the popup at any time, even when policy-installed.

### 5.3 Third-party data sharing

None. AiEGIS does not share captured data with OpenAI, Anthropic, Google,
Microsoft, AiEGIS Ltd, or any other third party. The data lives on the
customer's machine, end of pipeline.

## 6. Legal basis (GDPR Article 6 / Article 13)

**Lawful basis:** Article 6(1)(f) — legitimate interest. The
customer (the data controller) has a legitimate interest in evidencing
AI usage for regulatory compliance (EU AI Act Article 26 record-keeping
obligations, ISO 42001 controls).

**Data subjects' rights:** Employees of customer organisations
may request access, rectification, or deletion of records pertaining to
them through their employer's compliance officer. AiEGIS Ltd does not have
access to the customer's local database and cannot fulfill these requests
directly — only the customer can.

## 7. Retention

**AiEGIS Ltd retains zero captured prompt data — it never reaches us.**
Captured data persists in the customer's local SQLite database
indefinitely, until the customer deletes it. The daemon does not
auto-prune or rotate the database; that decision sits with the customer
and their IT / DPO. A 90-day local-rotation policy is on our v0.4
roadmap as a configurable opt-in. Until then, retention is 100% under
customer control: the database file at
`~/Library/Application Support/AiEGIS/captured.db` (Mac),
`%LOCALAPPDATA%\AiEGIS\captured.db` (Windows), or
`~/.local/share/AiEGIS/captured.db` (Linux) is the
authoritative store.

## 8. License revocation and account termination

When a license is revoked (admin action), the daemon stamps subsequent
events as `license_revoked` security events but does not
delete prior captures (Article 26 evidence retention). The customer
retains full local access to their database; AiEGIS Ltd has no access
before, during, or after revocation.

## 9. Cookies and tracking on aiegis.ie

The aiegis.ie marketing site uses no third-party trackers, no advertising
pixels, and no cross-site cookies. A single first-party session cookie
is set on the admin dashboard for authentication only.

## 10. Machine-readable disclosure

A machine-readable summary of this policy is published at
[`/.well-known/privacy.json`](/.well-known/privacy.json)
for enterprise procurement / DPIA tooling. The JSON document mirrors
this page's data-flow tables and is updated when this policy is revised.


**Procurement / DPIA tooling:** the machine-readable feed at
`/.well-known/privacy.json` exposes the data-flow tables on this
page in a structured form (data_flows array, interception_model object,
data_flows_explicitly_NOT_PRESENT). Suitable for bulk import into CSA STAR /
Vanta / OneTrust workflows. A formal JSON Schema definition is on our v0.5
roadmap.


## 11. Changes to this policy

Material changes are announced 30 days in advance via email to the
registered admin contact for each customer. The version number and
effective date at the top of this page are authoritative.

## 12. Contact


- Privacy: privacy@aiegis.ie

- Security: security@aiegis.ie

- General: hello@aiegis.ie
