Privacy Policy
Last updated: April 8, 2026
Introduction
IndigiArmor (“we,” “us,” or “our”) is committed to protecting the privacy of every person and community that interacts with our platform. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
Information We Collect
- Account information — name, email address, organization name, and organization type provided during sign-up or waitlist registration.
- Usage data — API call counts, scan metadata (classification tier, risk score, signal types, and a truncated prompt preview for licensed plans), timestamps, and feature usage. Full raw prompt content is never collected unless explicitly enabled by an organization admin.
- Billing information — payment details are processed and stored by Stripe. We never store full card numbers on our servers.
- Technical data — IP address, browser type, device information, and referral URLs collected automatically via server logs.
How We Use Your Information
- To provide, maintain, and improve the IndigiArmor service.
- To process payments and manage your subscription.
- To send transactional emails (account confirmations, billing receipts, security alerts).
- To monitor and enforce rate limits and acceptable-use policies.
- To generate aggregated, anonymized analytics that help us improve detection accuracy.
Chrome Extension
The IndigiArmor Chrome extension scans AI prompts for sensitive content before they are submitted. Here is how data is handled:
- Local scanning — all prompt and file scanning happens entirely in your browser using our detection engine. Your prompt text is never sent to IndigiArmor servers for scanning purposes.
- Website access — the extension requests access to all websites so it can detect and protect AI chat inputs on any platform, not just the ones we pre-configure. The extension only reads text from chat input fields at the moment you press send.
- Local storage — your settings, scan history, license key, and cached detection rules are stored locally in your browser using chrome.storage. This data never leaves your device unless described below.
- Audit logs — if you are on a licensed plan, scan metadata (classification tier, risk score, site hostname, and a truncated prompt preview) is sent to our server for your organization's audit dashboard. This can be reviewed and deleted from your dashboard at any time.
- License heartbeat — the extension sends a periodic check (every 24 hours) to verify your license status. This includes your license key and a randomly generated device fingerprint. No browsing data is included.
- Custom rules sync — if your organization configures safe terms or custom alert rules, these are fetched from our server and cached locally. No prompt data is sent during this sync.
Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. Our analytics are based on server-side event logging, not client-side trackers.
Third Parties
We share data only with infrastructure and payment providers required to operate the service:
- Supabase — database and authentication.
- Stripe — payment processing.
- Vercel — hosting and edge functions.
- Upstash — rate limiting.
We do not sell, rent, or trade your personal information to any third party. Ever.
Data Retention
Scan audit logs are retained according to your plan tier — from 7 days on the Starter plan up to unlimited retention on Enterprise. Account information is retained for as long as your account is active. When you delete your account, we remove your personal data within 30 days, except where retention is required by law.
Your Rights
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data and account.
- Export your data in a portable format.
- Withdraw consent for optional data processing at any time.
To exercise any of these rights, email hello@indigiarmor.com.
Children's Privacy
IndigiArmor is designed to protect student data, not collect it. Our detection engine runs in real time and does not store raw prompt content. We comply with COPPA requirements and do not knowingly collect personal information from children under 13 without verifiable parental or school consent. If you believe a child's information has been submitted without proper consent, please contact us immediately.
Security
We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, role-based access controls, and regular security audits. Our detection engine processes prompts in memory and does not persist raw input data.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the “Last updated” date. Continued use of the service after changes constitutes acceptance.
Contact
If you have questions about this Privacy Policy, contact us at hello@indigiarmor.com.