Legal · Last updated 2026-04-24 · Effective 2026-05-01

Privacy Policy

This policy explains what personal data ShieldAgent collects, why we collect it, how long we keep it, and the rights you have over it. We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable national data-protection laws.

1. Controller identity

Who is responsible for your data?

ShieldAgent, S.L.

Registered in Andorra

Email: privacy@shieldagent.io

ShieldAgent, S.L. is the data controller for account and contact data you provide directly to us. For data your AI agents route through our proxy, ShieldAgent acts as a data processor under Article 4(8) GDPR — you (the customer) remain the controller and determine the purposes and means of that processing. A separate Data Processing Agreement governs the processor relationship.

2. Data we collect

What data do we collect?

Account data

  • Name and email address (registration and billing contact)
  • Company name and job title (for licence management and B2B context)
  • Password hash (bcrypt; we never store or log plaintext passwords)
  • SSO / SAML identity attributes when enterprise SSO is configured

Usage and telemetry data

  • MCP tool-call metadata (tool name, agent identity, outcome, latency) — not the raw payload unless DLP logging is enabled by the customer
  • Policy evaluation results and security-event classifications
  • Audit-trail entries (hash-chained for tamper evidence)
  • Dashboard interaction events (page views, feature usage)

Technical data

  • IP address and user-agent string (log retention: 30 days)
  • Session tokens (short-lived JWTs; not persisted beyond validity window)
  • API authentication keys (stored as salted hashes; never in plaintext)

Support communications

  • Email and in-app messages you send to our support or security teams
  • Bug reports and feature requests

We apply Data Loss Prevention (DLP) redaction to the 13 EU PII classes (names, email addresses, EU national ID formats, etc.) before events are persisted to our audit trail. Customers control whether raw-payload logging is enabled; by default it is off.

3. How we use your data

Why do we process personal data?

| Purpose | Data categories |
| --- | --- |
| Provision and operate the ShieldAgent service | Account, usage, technical |
| Authenticate users and manage sessions | Account, technical |
| Billing and licence management | Account, payment reference |
| Detect, investigate, and respond to security incidents | Usage, technical, audit trail |
| Generate compliance evidence (Annex IV, SOC 2) | Usage, audit trail |
| Respond to support requests | Account, support communications |
| Send product and security updates (transactional) | Account (email) |
| Improve the service and train internal models (no customer payload data) | Aggregated, anonymised telemetry |
| Comply with legal obligations (GDPR Art. 17 erasure exceptions, EU AI Act Art. 18 10-year records) | Account, audit trail |

5. Retention

How long do we keep your data?

Account data is retained for the duration of your subscription plus 90 days after account closure (to allow reactivation or data export), then deleted unless a legal hold applies.

Audit-trail events follow tier-specific schedules: Business (SaaS) — 1 year online; Enterprise Cloud — 1 year online + 4 years warm; Enterprise On-Prem — customer-controlled. The EU AI Act Article 18 requires providers of high-risk AI systems to retain technical documentation for 10 years; compliance snapshots (Annex IV PDFs, report manifests) are held by ShieldAgent for 10 years across all tiers at no additional cost.

IP / access logs — 30 days, then purged automatically.

Support communications — 3 years after ticket close.

Billing records — 7 years (tax obligation).

6. Sub-processors & international transfers

Who do we share data with?

We share data only with sub-processors necessary to deliver the service. The full, current sub-processor list is published in our Trust Center. Key principles:

  • Managed SaaS runs on EU-region infrastructure only.
  • BYOC (Bring Your Own Cloud) customers process all data inside their own AWS account — no data transits ShieldAgent infrastructure.
  • All sub-processors are bound by GDPR-compliant Data Processing Agreements.
  • Standard Contractual Clauses (EU SCC, 2021) apply to any transfer outside the EEA.
  • We notify affected customers at least 30 days before adding or replacing a sub-processor.

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

7. Your rights

Your rights under GDPR

Access (Art. 15)

Obtain a copy of the personal data we hold about you.

Rectification (Art. 16)

Correct inaccurate or incomplete data.

Erasure (Art. 17)

Request deletion, subject to legal-hold exceptions.

Restriction (Art. 18)

Limit processing in certain circumstances.

Portability (Art. 20)

Receive your data in a machine-readable format.

Object (Art. 21)

Object to processing based on legitimate interests.

Withdraw consent

For consent-based processing (e.g. marketing emails) at any time.

Lodge a complaint

With the supervisory authority in your EU member state.

To exercise any right, email privacy@shieldagent.io. We respond within 30 days. We may need to verify your identity before fulfilling a request.

8. Security

How we protect your data

We implement appropriate technical and organisational measures including: TLS 1.3 in transit; AES-256 at rest with per-tenant keys; row-level security (RLS) at the database layer; Merkle-tree hash-chain integrity for audit events; DLP redaction of PII before persistence; and a SOC 2 Type II audit in progress. Full details are in the Trust Center. In the event of a personal-data breach affecting you, we will notify you as controller without undue delay and within 72 hours as required by GDPR Art. 33.

9. Cookies

Cookies and similar technologies

We use strictly necessary cookies for session management and authentication. We may use analytics cookies (with your consent) to understand how visitors use the marketing site. See our Cookie Policy for the full list, purposes, and opt-out instructions.

10. Changes to this policy

How we communicate updates

We may update this policy to reflect changes to our practices or applicable law. We will notify registered users of material changes by email at least 30 days before they take effect, or display a prominent notice in the dashboard. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

Questions or requests?

Privacy enquiries: privacy@shieldagent.io

Security incidents: security@shieldagent.io

DPA requests & sub-processor objections: privacy@shieldagent.io

This policy was last reviewed on 2026-04-24 and is effective from 2026-05-01. ShieldAgent, S.L. — Andorra.