Privacy Policy

1. Who We Are

Threatlabs LLC ("we", "us", "our") operates VeilProxy, an LLM sanitization proxy available as a self-hosted open-source product and a managed cloud service at app.veilproxy.ai ("the Service").

Contact: support@veilproxy.ai

2. What We Collect

Account Information

When you create a cloud account, we collect:

• Email address
• Display name
• Hashed password (bcrypt, never stored in plaintext)
• Organization name

If you sign in with Google OAuth, we receive your name and email from Google. We do not receive or store your Google password.

Chat Messages & Documents

This is the core of what VeilProxy does. Messages you send through VeilProxy are processed in real time to detect and replace sensitive data (PII, credentials, etc.) before forwarding to your chosen LLM provider. Specifically:

• Original messages are stored temporarily in conversation history so you can view your chat. Retention depends on your plan tier (7 days for Free, up to 2 years for Enterprise).
• Sanitized messages (with PII replaced by placeholders) are forwarded to your configured LLM provider (OpenAI, Anthropic, or Ollama).
• Uploaded documents are processed in memory only. They are never written to disk or stored.
• Entity mappings (the link between a placeholder and the original value) are stored temporarily and deleted when the conversation is deleted.

Usage Data

We collect aggregate usage metrics: message counts, entity detection counts, token usage, and estimated cost. These are used for rate limiting, quota enforcement, and the admin dashboard. They do not contain message content.

Audit Logs

Administrative actions (login, password changes, rule edits, user management) are logged for security. Chat message content is not included in audit logs.

Self-Hosted Deployments

If you self-host VeilProxy, none of your data is sent to Threatlabs LLC. All data stays on your infrastructure. We have no access to your self-hosted instance, messages, or configuration. The only external calls are to the LLM providers you configure.

3. How We Use Your Data

• To provide the Service — processing messages, detecting PII, managing your account
• To enforce rate limits and quotas — based on your subscription tier
• To improve the Service — aggregate, anonymized metrics (never individual message content)
• To communicate with you — password reset emails, critical security notices
• To process payments — via Stripe (we never see or store your full card number)

4. Third-Party Services

The cloud Service integrates with:

• OpenAI / Anthropic / Ollama — Your sanitized messages (with PII removed) are sent to whichever LLM provider you select. Review their privacy policies: OpenAI, Anthropic.
• Stripe — Payment processing for paid tiers. Stripe Privacy Policy.
• Google OAuth — If you choose "Continue with Google". Google Privacy Policy.

We do not sell, rent, or share your personal data with advertisers or data brokers.

5. Data Retention

• Account data is retained while your account is active. You can delete your account by contacting support@veilproxy.ai.
• Conversation data is retained according to your plan tier, then automatically deleted.
• Audit logs are retained for up to 1 year for security and compliance purposes.
• Uploaded documents are never stored — processed in memory and discarded immediately.

6. Data Security

We protect your data with:

• TLS encryption in transit (HTTPS everywhere)
• Bcrypt password hashing
• JWT authentication with configurable expiration
• Content Security Policy (CSP) headers
• Rate limiting to prevent abuse
• Input validation and SQL injection prevention (parameterized queries via SQLAlchemy ORM)

7. Your Rights

You have the right to:

• Access your personal data (visible in your Profile page)
• Correct your display name and email (Profile page)
• Delete your account and all associated data
• Export your data upon request

To exercise any of these rights, contact support@veilproxy.ai.

8. Cookies

VeilProxy uses no tracking cookies, no analytics scripts, and no third-party trackers. We store a JWT authentication token in your browser's localStorage to keep you signed in. That's it.

9. Children's Privacy

VeilProxy is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered cloud users. The "Effective" date at the top indicates the latest revision.

11. Contact

Questions or concerns about privacy? Reach us at:

• Email: support@veilproxy.ai
• GitHub: Open an issue