AIRA DLP Browser Extension — Privacy Policy

Last updated: March 10, 2026

This privacy policy describes how the AIRA DLP browser extension ("Extension") operated by Cinder Labs ("we", "us") collects, uses, and protects information.

1. What the Extension Does

The Extension is a data loss prevention (DLP) tool that scans text you type or paste into web forms and AI services (such as ChatGPT, Claude, and Google Gemini) before it is transmitted. If sensitive data is detected, the Extension blocks the submission and alerts you.

2. Data We Collect

      We do NOT collect, store, or transmit the content of your messages, browsing history, or personal data.
    

When the Extension detects a DLP policy violation, the following metadata is sent to your organization's AIRA platform instance:

Event type — whether the text was blocked, bypassed, or logged
Rule matched — which DLP rule was triggered (e.g., "Credit Card Number")
Severity and category — the classification of the violation
Service name — which AI service or website was involved (e.g., "ChatGPT")
Device hostname — the name of the device (if configured)
Timestamp — when the event occurred
Bypass justification — if you chose to override a block, the reason you provided

The actual text content that triggered the rule is never transmitted to the AIRA server. Only the metadata above is sent.

3. Data Storage

The Extension stores the following data locally on your device using Chrome's chrome.storage.local API:

Your API key (for authenticating with your AIRA instance)
Cached DLP rules (synced from your AIRA server)
Connection status and last heartbeat timestamp
Pending event queue (flushed to your server every 10 seconds)
Device hostname (auto-detected or manually configured)

This data is stored locally and is not synced to Chrome Sync or any third-party service.

4. Where Data Is Sent

Event metadata is sent only to the AIRA platform instance configured by your organization (typically https://grc.cinderlabs.ai/api). No data is sent to any other third party, analytics service, or advertising network.

5. Permissions Explained

All URLs (content scripts) — Required to scan text on any website where you might enter sensitive data. The Extension does not read pages passively; it only activates when you submit text.
Storage — Stores API key, DLP rules, and event queue locally.
Alarms — Schedules periodic rule sync and event reporting.
Native Messaging (optional) — Detects your device hostname for inventory tracking. The Extension works fully without this.

6. Data Retention

Local data is stored until you uninstall the Extension or clear Chrome storage. Event metadata sent to your AIRA instance is retained according to your organization's data retention policies.

7. Your Rights

You can:

View your DLP event history in the AIRA platform audit trail
Uninstall the Extension at any time to stop all monitoring
Clear local storage via Chrome settings
Contact your organization's AIRA administrator for data access or deletion requests

8. Security

All communication between the Extension and the AIRA server uses HTTPS encryption. API keys are stored locally and transmitted via secure headers.

9. Changes to This Policy

We may update this policy as the Extension evolves. The "Last updated" date at the top will reflect the most recent revision.

10. Contact

For privacy questions or concerns, contact:

Cinder Labs
Email: support@cinderlabs.ai
Web: https://grc.cinderlabs.ai