Privacy Policy

Effective date: 3 July 2026 · Last updated: 3 July 2026

What Slopfence is

Slopfence (“we”, “us”, “our”) is an enterprise Data Loss Prevention (DLP) service that helps organisations monitor and control what information employees share with AI tools such as ChatGPT, Claude, and Gemini. The service consists of a Chrome browser extension deployed on managed devices and a cloud-hosted administration dashboard.

Slopfence is a business-to-business (B2B) product. Individual employees do not sign up directly — they are enrolled by their employer (“the organisation”). The organisation is the data controller; Slopfence acts as a data processor on their behalf.

Data collected and why

Account and identity data

  • Organisation name and administrator email address — to create and manage the account.
  • Employee work email address, display name, and department — provided at enrolment.
  • Authentication tokens issued by Clerk (our identity provider) — to secure access to the dashboard and extension.

Content scanned for DLP

When the extension detects a prompt or file upload on a monitored AI platform, the content is sent to your organisation's Slopfence server instance for policy evaluation. Specifically:

  • The text of the outgoing message or prompt.
  • For file uploads: the filename, file type, size, and text extracted from the file (e.g. text extracted from a PDF or Word document).
  • The AI platform name (e.g. chatgpt.com) and a timestamp.
  • The user identifier associated with the device.

This content is evaluated against your organisation's configured DLP rules. If no rule triggers, the content is not stored. If a rule triggers, the matched rule name, the DLP action taken (block, alert, or anonymise), and a metadata record (not the full content) are stored in your organisation's audit log for up to 12 months.

Full prompt text and full file content are not retained in the audit log after rule evaluation is complete.

Extension heartbeat

Every 30 minutes the extension sends a heartbeat to confirm it is active. This records the extension version, the device's resolved user identifier, and a timestamp. No browsing data is included.

Usage and aggregate data

We collect aggregate counts (messages scanned, files scanned, alerts triggered) per organisation for dashboard reporting. These are not linked to individual users at the Slopfence infrastructure level — only within your organisation's own dataset.

What we do not collect

  • Browsing history, visited URLs, or any activity outside monitored AI tool domains.
  • AI responses or model output — only outgoing prompts and uploads are inspected.
  • Keystrokes, screenshots, or screen recordings.
  • Personal data from devices outside the scope of the employer-deployed extension.
  • Any data from employees who have not been enrolled by their organisation.

How the Chrome extension works

The extension is deployed by IT administrators via Windows Group Policy (GPO), macOS MDM (Jamf, Kandji, Mosyle, or Intune), or Chrome Browser Cloud Management. Individual users cannot install or configure it independently.

Inside the browser, the extension intercepts outgoing network requests on supported AI platforms by patching window.fetch and XMLHttpRequest. It does not act as a network proxy — all AI traffic goes directly to the AI provider. Only the outgoing message or file content is extracted and forwarded to your organisation's Slopfence server for rule evaluation before the request is allowed to proceed.

Permissions used by the extension and why:

storageStores the organisation token and configuration pushed by the IT team, and caches the resolved user identity locally.
cookiesReads the Slopfence session cookie on slopfence.com to identify the signed-in user without a separate login prompt.
identityEnables silent sign-in for Google Workspace and Microsoft Azure AD environments so employees are identified automatically without entering credentials.
alarmsSchedules the 30-minute heartbeat check and policy-refresh cycle.
Host access (all HTTPS sites)Required because organisations use AI tools on a wide variety of URLs, including internal enterprise portals and custom AI deployments, beyond the three named platforms.

How we use the data

  • To evaluate outgoing AI prompts and file uploads against your organisation's DLP rules in real time.
  • To power your organisation's admin dashboard, audit log, and alert feed.
  • To generate compliance reports (GDPR, PDPL, CCPA, and custom frameworks).
  • To send webhook notifications to third-party integrations your administrator configures (Slack, Microsoft Teams, PagerDuty, etc.).
  • To maintain extension availability and respond to support requests.

We do not sell your data. We do not use scanned content to train AI or machine-learning models. We do not use employee data for advertising.

Data retention

  • Alert metadata records: retained for 12 months from creation, then automatically deleted.
  • Heartbeat and extension activity logs: retained for 90 days.
  • Organisation and user account records: retained for the lifetime of the account and deleted within 30 days of account closure on request.
  • Scanned message and file content: not retained after rule evaluation — only the resulting metadata is stored if a rule triggers.

Data sharing and sub-processors

We share data only with sub-processors required to operate the service, including cloud infrastructure and database hosting providers. All sub-processors are contractually bound to process data only on our instructions and to maintain appropriate security measures.

Webhook data is transmitted to the third-party integrations your organisation administrator configures. Your organisation is responsible for the privacy practices of those services.

We will disclose data to law enforcement or regulators only where required by applicable law and will notify the relevant organisation where permitted to do so.

Your rights (GDPR · PDPL · CCPA)

Depending on your jurisdiction, you may have the right to access, correct, export, restrict processing of, or delete the personal data held about you. Because Slopfence processes employee data on behalf of the employing organisation, requests from individual employees should in the first instance be directed to your employer's IT or privacy team.

If you believe your employer is not addressing your request, or if you have a direct concern about Slopfence's data handling, contact us at privacy@slopfence.com. We will respond within 30 days.

Security

All data is encrypted in transit (TLS 1.2 or higher) and at rest. Access to production systems is restricted to authorised personnel using multi-factor authentication. We operate on cloud infrastructure maintained by SOC 2-compliant providers. We conduct periodic security reviews and address vulnerabilities promptly.

Children

Slopfence is an enterprise product intended for use in professional workplace environments. It is not directed at children under 16 and we do not knowingly collect data from minors.

Changes to this policy

We may update this policy as the product evolves. We will notify the administrator of your organisation by email at least 14 days before any material changes take effect. The current version is always available at slopfence.com/privacy.

Contact

Privacy enquiries: privacy@slopfence.com

General: hello@slopfence.com