Privacy Policy
Last Updated: June 1, 2026
At Shadow AI Discovery, we are committed to protecting the privacy and security of your organization's data. This Privacy Policy details our approach to privacy, specifically how we process, transfer, and store data within our zero-knowledge architecture.
1. The Zero-Knowledge Standard
Most traditional security assessment software requires you to upload and store your corporate network logs in cloud-hosted databases. This practice introduces significant exposure risks, including the potential for data breaches, cloud configuration errors, and regulatory compliance issues under laws like GDPR and HIPAA.
Shadow AI Discovery is engineered differently. We operate under a strict Zero-Knowledge Architecture. This means:
- No Log Ingestion: Your raw firewall or network connection logs are processed locally inside your web browser. They are never transmitted over the internet to our servers.
- No Database Storage: We do not operate databases or centralized log stores. All processed states, telemetry statistics, and threat records exist solely in your browser's active sandbox.
- Total Ephemerality: Closing your browser tab or clicking "Log Out" immediately and permanently clears all parsed files, session storage values, and analysis charts.
2. Data We Collect and Process
While we do not ingest or store your logs, we do collect the minimal information necessary to deliver our services, process payments, and support our users:
- Payment Credentials: Transactions are handled securely via Stripe. We collect billing email address, cardholder name, and transaction metadata. We do not store or see your raw credit card numbers.
- URL Sharing Hash Payload: When you generate a shareable dashboard link, the dashboard metadata (totals and high-level risk scores) is compressed with LZ-String and placed in the URL hash (the fragment after "#", which browsers do not send to servers). We do not store, catalog, or keep records of these hashes on our servers; they exist only in the client-side link you distribute, so the link itself carries the summary data it encodes.
- Customer Support: If you contact us via email, we collect your email address and any content provided to resolve your inquiry.
3. Legal Compliance Boundaries
Because Shadow AI Discovery does not upload, store, or transmit Personally Identifiable Information (PII) or raw corporate connection telemetry to our servers, our platform functions as a sandboxed, client-side calculator. This helps organizations maintain alignment with key compliance frameworks:
- GDPR (Art. 25 & 32): Our data-minimization architecture means zero transmission of employee internal IPs or timestamps to third parties.
- HIPAA Security Rule (§164.312): Strict client-side data isolation protects health record networks from exposure.
- SOC 2 Type II: Local evidence hashes allow compliance verification without perimeter boundary modifications.
4. Cookies and Analytics
We do not use tracking cookies, advertising scripts, or marketing tools that follow you across the internet. Our website serves static files, keeping your browsing experience fast, clean, and private.
5. Contact Information
If you have any questions or feedback regarding our privacy practices, please contact us at nick_stavrou@live.com.