GPT-Shield
DRAFT — PENDING LEGAL REVIEW

Privacy

Last updated: 2026 · A formal, counsel-reviewed policy will replace this draft.

GPT-Shield is built on a simple principle: we protect your data by never holding it. This page explains, in plain terms, how that works.

Where detection runs

Core detection runs locally, on your own machine or infrastructure. Prompts and files are scanned in place and are not transmitted to us in order to be checked.

What we never store

We do not store raw sensitive values — not in logs, audit events, lineage records, or any default storage. Where we need to record that a crossing happened, we keep only salted, one-way hashes and token references that describe the shape and flow of data, never the value itself.

Encryption

Anything that is persisted (such as reversible pseudonymization mappings, when enabled) is encrypted at rest with AES-GCM, backed by the operating-system keychain.

Optional cloud features

If you enable cloud features (such as a hosted data-flow graph), they receive only de-identified signal — classifications, counts, and hashes — never raw sensitive values.

Contact

Have questions, or need a data-processing agreement (DPA)? Email noah@gpt-shield.com.

This is placeholder copy describing GPT-Shield's intended data handling. It is not yet a binding legal agreement; a reviewed Privacy Policy will be published before public launch.