1. Who We Are
Containment.ai LLC ("Containment AI," "we," "us") provides deterministic governance
and data-loss-prevention controls for organizations using AI systems. Our mailing
address is 10001 Georgetown Pike, #384, Fairfax, VA 22066, USA.
For privacy questions or requests, contact privacy@containment.ai.
This policy covers three surfaces: (a) this marketing website (www.containment.ai),
(b) our product dashboard (app.containment.ai), and (c) the Containment AI browser
extension (the "AI Chat Firewall"). Different data practices apply to each, so they are
described separately below.
2. This Website (www.containment.ai)
The marketing website is a static site hosted on Cloudflare Pages. It uses:
- Google Analytics (gtag.js) — aggregate visit and traffic measurement. Google Analytics sets cookies in your browser.
- PostHog — product analytics (pageview events) so we can measure which content is useful.
- HubSpot — website tracking code and the forms behind our "Contact Us" and "Request Early Access" buttons. If you submit a form, the information you enter (such as name, email, company, and message) is stored in our HubSpot CRM so we can respond. HubSpot sets cookies in your browser.
- Cloudflare — hosting and content delivery, which involves standard server-side request processing.
We do not run advertising networks or ad-targeting pixels on this site.
3. The App (app.containment.ai)
When you or your organization create an account, we process:
- Account data — name, email address, and organization, used to operate your account and your organization's workspace.
- Authentication — handled via Supabase, which stores account credentials and session state.
- Billing — handled via Stripe. Payment card details are submitted directly to Stripe; we do not store full card numbers on our systems.
- Product telemetry — usage events captured via PostHog to understand how the product is used and to improve it.
- Error reporting — application errors captured via Sentry to diagnose and fix defects.
Policy configurations, violation alerts, and audit events created by your organization
are stored in our database (hosted on Supabase) and are visible to your organization's
administrators.
4. The Browser Extension (AI Chat Firewall)
The Containment AI browser extension evaluates prompts you are about to submit to
monitored AI chat sites (such as ChatGPT, Claude, Gemini, Microsoft Copilot, Grok, and
Perplexity) against your organization's policies, before the prompt reaches the AI
provider.
- Prompt content. When you submit a prompt on a monitored AI site, the extension transmits the prompt text over an encrypted (TLS) connection to Containment AI's policy-check service, solely to evaluate it against your organization's policies and return an allow/block decision. The policy check does not store the full prompt.
- Violation alert metadata. When a policy violation is detected, alert metadata — the policy name, severity, violation message, the matched term or pattern, the site and URL, and a timestamp — is retained for review by your organization's administrators in the organization's audit log.
- Account and session data. The extension stores your authentication session tokens and cached policy configuration in chrome.storage.local on your device (per-device, not synced).
- How the check works. Policy evaluation is performed by deterministic detectors (pattern, keyword, and heuristic matching). One optional detector — the semantic prompt-injection classifier — can be enabled by your organization's administrators; when (and only when) that option is enabled, the text being evaluated is also sent to an AI model provider (Anthropic's Claude, by default) solely to classify it as a prompt-injection attempt. This option is disabled by default.
- Who controls this data. The extension is deployed by your employer or organization, and the data it processes is processed on behalf of that organization. Your organization is the data controller for employee monitoring data (including violation alerts); Containment AI processes it under our agreement with your organization. Questions about your organization's policies, monitoring, or your data should go first to your organization's administrators.
We do not sell data collected by the extension, and we do not use it for advertising.
5. Service Providers (Subprocessors)
We use the following service providers to operate the services described above:
- Cloudflare — hosting, content delivery, and edge compute for our website and services.
- Supabase — database and authentication.
- Stripe — billing and payments.
- Sentry — error reporting.
- PostHog — product analytics.
- Google Analytics — website analytics (website only).
- HubSpot — CRM and website forms (website only).
- Anthropic — only if your organization enables the optional semantic prompt-injection classifier described in Section 4; otherwise, prompt content evaluated by the policy-check service is not sent to AI model providers.
We do not sell personal data to third parties, and we do not share it with advertisers
or data brokers.
6. Data Retention
- Prompt content evaluated by the policy-check service is processed for the check and the full prompt is not stored.
- Violation alert and audit metadata is retained per the customer agreement with your organization, and is subject to retention settings your organization's administrators control.
- Account data is retained while your account or your organization's account is active, and deleted or de-identified after termination, subject to legal and contractual retention obligations.
- Website analytics and CRM data is retained per the configured retention settings of the tools listed in Section 2.
7. Your Rights and Choices
Depending on where you live, you may have rights to access, correct, delete, or export
personal data, and to object to or restrict certain processing.
- Where your organization is the controller (data the extension and policy service process on its behalf, including violation alerts), please direct requests to your organization's administrators; we support our customers in fulfilling these requests.
- Where Containment AI is the controller (website visitors, form submissions, and your account registration data), contact privacy@containment.ai and we will respond to your request as required by applicable law.
8. Security
All data transmitted to our services, including prompt content sent for policy checks,
is encrypted in transit using TLS. Access to customer data within our systems is
authenticated and scoped to the organization that owns it. Policy-violation and audit
events are written to audit logs designed to be tamper-evident (cryptographically
signed records). Our security practices, compliance roadmap, and security contact are
described on our Trust & Security page.
9. Children
Our services are business tools intended for organizational use and are not directed
to children.
10. Changes to This Policy
We may update this policy as our services or legal requirements change. We will post
the updated policy on this page and revise the effective date above. Material changes
affecting our customers will also be communicated through the product or the customer
agreement.
11. Questions
If you have questions about this policy or our data practices, contact privacy@containment.ai.