Privacy Policy
Endon AI Security — DLP for AI Tools · Last updated: 9 April 2026
Key principle: Endon scans your prompts locally in your browser. We do not read, store, or transmit the content of your prompts unless you opt in to enterprise features.
1. What the Extension Does
Endon AI Security is a browser extension that prevents sensitive data (credit card numbers, API keys, passwords, ID numbers, etc.) from being sent to AI platforms like ChatGPT, Claude, Gemini, and others. It intercepts outgoing requests in your browser and scans them using pattern matching before they leave your device.
2. Data We Collect
2a. Free / Standalone Mode (no sign-in)
- No prompt data is collected or transmitted. All DLP scanning happens locally in your browser.
- We store aggregate counters (scanned, blocked, redacted) in local browser storage only.
- No analytics, telemetry, or tracking of any kind.
- No data leaves your device.
2b. Enterprise Mode (signed in)
When you sign in with your organisation's account, the following additional data may be transmitted to your organisation's Endon backend:
- Scan metadata: Which DLP rule triggered (e.g., "credit_card detected"), the AI platform name, and a timestamp. The actual prompt text is NOT sent unless your organisation's admin has explicitly enabled full-prompt logging.
- Threat intelligence fingerprints: Anonymised pattern signatures (character class shapes, not actual values) used to detect new sensitive data patterns across the organisation.
- Session identifiers: A random session ID for correlating scan events.
3. Data We Do NOT Collect
- Your prompts or messages to AI platforms
- AI responses
- Browsing history outside of supported AI platforms
- Keystrokes, screenshots, or screen recordings
- Personal data beyond what you provide at sign-in (email)
4. Permissions Explained
- storage: To save your preferences and scan counters locally.
- Host permissions (AI platform URLs): To inject the DLP scanning script that intercepts outgoing requests on supported AI platforms only. We do not access any other websites.
5. Data Storage & Security
- All local data is stored using Chrome's chrome.storage.local API and never leaves your browser in standalone mode.
- Enterprise data is transmitted over HTTPS/TLS and stored in your organisation's provisioned backend infrastructure.
- Authentication tokens are stored locally and never shared with third parties.
6. Third-Party Services
In enterprise mode, the extension communicates with your organisation's Endon backend (hosted on your organisation's infrastructure or Endon's managed service). No data is shared with advertising networks, analytics providers, or any other third parties.
7. POPIA Compliance (South Africa)
Endon is designed with the Protection of Personal Information Act (POPIA) in mind:
- Minimal data collection — we only process what is necessary for DLP protection
- Purpose limitation — data is used solely for preventing sensitive data leakage
- Security safeguards — encryption in transit and at rest
- Data subject rights — contact us to request access to or deletion of your data
8. Changes to This Policy
We will update this page when the policy changes. Material changes will be communicated through the extension's update notes.
9. Contact
For privacy questions or data requests, contact us at info@endonai.com.