RedactPrompt privacy policy
1. Who we are
RedactPrompt is operated by Hackify B.V. (KvK 85690449).
If you have questions about privacy or want to exercise your privacy rights, you can contact us at:
Email: privacy@redactprompt.com
Security contact: security@redactprompt.com
Address: Hub van Doorneweg 10, Sassenheim, The Netherlands
2. What RedactPrompt does
RedactPrompt is a browser extension that helps prevent accidental sharing of personal or sensitive information with AI chatbots.
When you type in a supported chatbot, RedactPrompt scans the text locally in your browser and lets you review detected items before sending. You can choose to redact them, pseudonymise them, or keep them unchanged.
Single purpose. The single purpose of the RedactPrompt extension is to detect personal and sensitive data in text a user is about to send to supported AI chatbots, and to let the user review, redact, or pseudonymise that data before it is sent. Every permission the extension requests and every piece of data it processes exists to serve this single purpose.
How you give consent. If you use RedactPrompt without signing in, scanning happens entirely on your device and no personal data is sent to RedactPrompt, so no consent to server-side processing is required. If you create a RedactPrompt account by email, you must explicitly accept this policy before the account is created. If you sign in with your organisational Microsoft account, the act of signing in indicates that you have read and accept this policy; no statistical data is sent to our servers before that sign-in completes.
3. What happens on your device
RedactPrompt is designed so that as much as possible happens locally in your browser.
The following is processed only on your device and is never sent to RedactPrompt:
- the text of your prompts
- the values that RedactPrompt detects in those prompts
- the redactions and pseudonymisations you apply to them
The extension also keeps a small amount of information in your browser's extension storage so it can work between sessions:
- your preferences, such as language, detection sensitivity, and the on/off toggle
- local counters that track how many detections have happened (used for the free local detection limit and for the statistics shown in the popup)
- a cached copy of your organisation's configuration (only for logged-in users)
- your authentication tokens (only for logged-in users)
For local and free use, nothing about your prompts is sent to RedactPrompt.
4. What data we may receive
We only receive limited data when this is needed to provide account, organisation, or support features. In Chrome Web Store terms, RedactPrompt may handle the following categories of user data:
- Personally identifiable information — the name, email address, and organisation or tenant identifier of users who create an account or sign in.
- Authentication information — signed access and refresh tokens issued by RedactPrompt after successful sign-in. These keep you signed in between browser sessions. We never see or receive your Microsoft password.
- Personal communications and website content — the text you type into supported AI chatbot pages. This text is scanned only on your device to detect personal or sensitive data. Neither the full text nor the detected values are ever transmitted to RedactPrompt.
- User activity — summary events that describe what the extension detected (the type of data, which chatbot, which action you took). These are sent only when you are signed in.
The subsections below describe each of these in detail, including when and why we receive them.
If you sign in
If you sign in with Microsoft, we may receive basic account information such as:
- your name
- your email address
- your organisation or tenant information
We do not receive your Microsoft password.
Detection statistics for signed-in use
When you use RedactPrompt with a signed-in account, the extension sends limited statistical data to RedactPrompt so that you, and — where applicable — your organisation's admin, can see detection trends and chatbot usage. Each event contains:
- the type of detection, for example email address, IBAN, or API key — never the value itself
- the chatbot or supported service where the detection happened, for example ChatGPT or Microsoft Copilot
- the time of the event
- whether you chose to redact, pseudonymise, or keep the item
If your account is linked to an organisation that uses departments, the department name on your account is attached to each event so your admin can see per-department statistics in the dashboard.
Each received event also updates three fields on your account on our server: the last-activity timestamp, a rolling 30-day prompt counter, and a rolling 30-day redaction counter. These are used for service-tier management and for the statistics page you see when signed in. They are not shared outside RedactPrompt.
We do not receive the full text of your prompt, and we do not receive the detected values themselves.
If you submit optional feedback
If you explicitly submit feedback about a false positive or other detection issue, we may receive:
- the flagged value
- limited surrounding context
- the detection type
- your optional explanation
We use this only to review and improve detection quality.
Technical logs
When our website, API, or dashboard is accessed, our systems may process standard technical data such as:
- IP address
- browser or device information
- date and time of access
We use this for security, stability, and abuse prevention.
5. How we use data
We use personal data only to:
- provide the RedactPrompt service
- authenticate users and manage accounts
- apply organisation settings and policies
- provide organisation-level statistics and controls
- investigate optional feedback submitted by users
- secure, maintain, and improve the service
We do not:
- sell personal data
- use personal data for advertising
6. Who we share data with
We do not sell or rent personal data. We share personal data only with the following named parties, and only where this is necessary to provide the service:
- Microsoft Ireland Operations Limited (Microsoft Entra ID), when you choose to sign in with Microsoft. Microsoft acts as the identity provider for single sign-on. We receive basic profile information (name, email, tenant identifier) from Microsoft; we never receive your Microsoft password. Microsoft's processing is governed by Microsoft's own privacy terms.
- TransIP B.V. (Schipholweg 9H, 2316 XB Leiden, the Netherlands), our hosting provider. TransIP operates the virtual private server, databases, and backups on which the RedactPrompt backend runs, within the European Union.
- Competent authorities, only where we are legally required to disclose data (for example a court order or a statutory disclosure request).
We do not currently use any other processor, sub-processor, analytics provider, customer-support tool, advertising network, or marketing tracker that processes personal data on our behalf. If this ever changes, we will update this policy before the new processor begins operating.
If you use RedactPrompt through your employer or organisation, your organisation may receive dashboard statistics and the detection metadata described in §4 (detection type, chatbot, time, action taken, and department where applicable). The full text of your prompts and the detected values themselves are never shown in the dashboard.
7. Legal basis under GDPR
If you are in the EEA, UK, or Switzerland, we rely on the following legal bases where applicable:
- Contract, when processing is necessary to provide the service you requested
- Legitimate interests, for security, service operation, and organisation-level reporting without prompt content
- Consent, where you explicitly choose to submit optional feedback
If you use RedactPrompt through your organisation, your organisation may act as the data controller for certain organisation-level usage data, and we may process that data on its behalf.
8. Data retention
We keep personal data only as long as necessary for the purposes described in this policy and to comply with legal obligations.
As a general rule:
- account data is kept while your account is active, and deleted within 30 days after you or your organisation closes the account
- organisation usage metadata is kept for up to 12 months, after which it is deleted or aggregated into anonymous counts
- optional feedback submissions are kept for up to 24 months to allow us to review and improve detection quality
- security and access logs are kept for up to 90 days
- local browser data remains on your device until you remove it, uninstall the extension, or clear browser storage
9. Security
We use appropriate technical and organisational measures to protect personal data.
These measures include:
- encrypted connections using HTTPS with TLS 1.2 or higher for all traffic between the extension, our dashboard, and our backend
- single sign-on through Microsoft Entra ID, so that authentication is handled by a trusted identity provider and we never see or store user passwords
- signed authentication tokens that are verified on every request to our backend
- data minimisation — we deliberately do not collect or store prompt content on our servers
- logging and monitoring for security purposes
RedactPrompt is designed so that prompt content is processed locally wherever possible, which means there is no central store of prompt text that could be compromised. The only prompt-derived content held on our servers is the flagged value and the limited surrounding context that you explicitly choose to submit as feedback (§4), retained as described in §8.
10. Your rights
If GDPR applies to you, you may have the right to:
- access your personal data
- correct inaccurate personal data
- request deletion of your personal data
- request restriction of processing
- object to certain processing
- receive your data in a portable format
- withdraw consent where processing is based on consent
- lodge a complaint with your local data protection authority
To exercise your rights, contact privacy@redactprompt.com. We respond to verified requests without undue delay and at the latest within one month of receipt, as required by Article 12(3) GDPR.
11. International transfers
Our aim is to store and process data within the European Union wherever possible.
If a third-party provider, such as Microsoft for sign-in, processes data outside the EEA, that provider is responsible for its own processing under its own privacy terms and safeguards.
12. Cookies and similar technologies
The RedactPrompt browser extension does not set or read any cookies. Authentication tokens and preferences are stored using Chrome's chrome.storage.local and chrome.storage.sync APIs, as described in §3. These storage APIs are not cookies and are not shared between websites. Note that Chrome synchronises data placed in chrome.storage.sync between browsers signed in to the same Google account, while chrome.storage.local stays on the device.
The redactprompt.com website, the dashboard, and the API do not set any cookies — no session cookies, no analytics cookies, no advertising cookies, no marketing cookies. We have verified this in our codebase and confirmed via the response headers of all our services. If we ever introduce strictly necessary cookies (for example for dashboard session persistence), we will update this policy first and ask for your consent where required by law.
The dashboard loads two static third-party assets for display purposes: web fonts via Google Fonts and the Chart.js charting library via the jsDelivr CDN. These are font and script files only; they are not used to identify or track you across sites. Because your browser fetches these files directly from those providers' servers, Google and jsDelivr do receive your IP address and standard request metadata when the dashboard loads.
13. Children's privacy
RedactPrompt is intended for adult professional use, in particular by employees of organisations using AI chatbots in a work context. We do not knowingly direct our service at, or collect personal data from, individuals under the age of 16.
If you become aware that a person under 16 has created a RedactPrompt account or otherwise submitted personal data to us, please contact privacy@redactprompt.com. We will delete the account and any associated personal data without undue delay.
14. Artificial intelligence and machine learning
RedactPrompt sits between you and external AI chatbots, but does not itself use artificial intelligence or machine learning to perform its detection.
- Detection is rule-based. The 16 personal-data detectors and the secrets-detection rules use regular expressions, structured pattern matching, and check-digit validation (such as the IBAN checksum, the Luhn algorithm for credit cards, or the Dutch BSN 11-test). No machine-learning model is used to identify personal data.
- We do not train AI or ML models on your data. Prompt content, detected values, optional feedback, detection metadata, and account information are never used to train, fine-tune, or evaluate any machine-learning model — neither by us, nor by any of the processors named in §6 on our behalf.
- We do not transmit your prompt content to any AI service. Prompts are scanned only on your device. Whether you send a redacted, pseudonymised, or original version of your prompt to an AI chatbot is your decision; RedactPrompt does not receive, intercept, or store that content.
- If we ever introduce ML-based detection (for example to reduce false positives), it will run locally in your browser, the model parameters will be bundled with the extension, and we will update this policy before shipping that change.
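To make the rule-based approach concrete, here is an added example in JavaScript (the language of a browser extension) that is not RedactPrompt's own code. It pairs a loose regex candidate match with the three check-digit validations the policy names (IBAN mod-97, Luhn, Dutch BSN 11-test) so that random digit strings are not reported, and shows the shape of a summary event that carries the detection type but never the value. The detector names, `scanPrompt`, `toEvents`, and the sample prompt are this example's own assumptions.

```javascript
// Added example, not RedactPrompt's own code: rule-based detectors that pair a
// permissive regex candidate match with check-digit validation. Detector names
// and the scanPrompt/toEvents helpers are assumptions made for this example.

// IBAN: move the first four characters to the end, expand letters to A=10..Z=35,
// and the resulting integer mod 97 must be 1 (ISO 7064 MOD 97-10).
function isValidIban(candidate) {
  const iban = candidate.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(iban)) return false;
  const rearranged = iban.slice(4) + iban.slice(0, 4);
  let remainder = 0; // running mod 97, so no big-integer arithmetic is needed
  for (const ch of rearranged) {
    const piece = ch >= "A" ? String(ch.charCodeAt(0) - 55) : ch; // 'A' -> "10"
    for (const d of piece) remainder = (remainder * 10 + Number(d)) % 97;
  }
  return remainder === 1;
}

// Luhn: from the right, double every second digit, subtract 9 when the result
// exceeds 9, and the digit sum must be a multiple of 10.
function isValidLuhn(candidate) {
  const digits = candidate.replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Dutch BSN "elfproef": weights 9..2 for the first eight digits and -1 for the
// ninth; the weighted sum must be divisible by 11 (all-zero is rejected).
function isValidBsn(candidate) {
  if (!/^\d{9}$/.test(candidate) || candidate === "000000000") return false;
  const weights = [9, 8, 7, 6, 5, 4, 3, 2, -1];
  const sum = [...candidate].reduce((acc, ch, i) => acc + Number(ch) * weights[i], 0);
  return sum % 11 === 0;
}

// Candidate patterns are deliberately permissive; the validators decide.
const DETECTORS = [
  { type: "iban", pattern: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g, validate: isValidIban },
  { type: "credit_card", pattern: /\b\d(?:[ -]?\d){11,18}\b/g, validate: isValidLuhn },
  { type: "bsn", pattern: /\b\d{9}\b/g, validate: isValidBsn },
];

// Scan prompt text on the device; returns detection type and position only.
function scanPrompt(text) {
  const found = [];
  for (const { type, pattern, validate } of DETECTORS) {
    for (const m of text.matchAll(pattern)) {
      if (validate(m[0])) found.push({ type, start: m.index, end: m.index + m[0].length });
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

// Shape of a summary event as the policy describes it: detection type, chatbot,
// time and the action taken. The matched value is never included.
function toEvents(detections, chatbot, action, at = new Date().toISOString()) {
  return detections.map(({ type }) => ({ type, chatbot, action, at }));
}

// Constructed sample prompt. The IBAN and card numbers are well-known public
// test values and 111222333 is a commonly used test BSN; the last two numbers
// look plausible but fail their checksums and must not be reported.
const SAMPLE = "Pay NL91 ABNA 0417 1643 00 from card 4539 1488 0343 6467; my BSN is 111222333. " +
  "Ignore 123456789 and 4539 1488 0343 6468.";

console.log(scanPrompt(SAMPLE));                               // three detections
console.log(toEvents(scanPrompt(SAMPLE), "ChatGPT", "redact")); // no values leave the device
```

The point of the checksum step is precision: a bare `\d{9}` would flag every nine-digit order number as a BSN, whereas the elfproef rejects ten out of eleven random nine-digit strings, and the mod-97 and Luhn checks do the same for IBANs and card numbers.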
15. Chrome Web Store statement
RedactPrompt's use of information received from Chrome APIs and from any website the extension is installed on adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.
More specifically:
- we use user data only to provide or improve the user-facing functionality of RedactPrompt
- we do not transfer user data to third parties except as needed to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (in which case the successor is bound by this policy)
- we do not sell user data
- we do not use user data, including prompts, detections, metadata, or feedback, for advertising or to build advertising profiles
- we do not use user data to train general artificial-intelligence or machine-learning models, and we do not allow any third party to do so on our behalf
- we do not allow humans to read user data except (a) with your explicit consent, (b) where necessary for security or to comply with applicable law, or (c) where the data has been aggregated and anonymised for internal operations
16. Changes to this policy
We may update this policy from time to time.
If we make a material change, we will update the date at the top of this page and, where appropriate, provide additional notice.
17. Contact
Privacy: privacy@redactprompt.com
Security: security@redactprompt.com
Hackify B.V.
Hub van Doorneweg 10, Sassenheim, The Netherlands