Privacy Policy
Last updated: March 21, 2026
Privacy Summary
AmbientMeta is a privacy gateway that detects and replaces personally identifiable information (PII) in text before it reaches AI systems. Here is how we handle your data:
What we process: When you call our API or use our Chrome extension, we receive text that may contain PII. We detect PII entities (names, emails, SSNs, etc.), replace them with safe placeholders, and return the sanitized text. In standard mode, the original values are cached for up to 24 hours so you can restore them later. In redaction mode, values are permanently removed with no possibility of restoration.
What we never store: We never permanently store your original PII values. Sensitive identifiers like SSNs and credit card numbers exist only in our encrypted temporary cache and are automatically destroyed after 24 hours (or immediately in redaction mode). We never store the raw text you submit beyond the temporary processing window.
Detection metadata: We retain anonymized detection metadata (entity types detected, confidence scores, and irreversible context hashes) to improve detection accuracy. This metadata cannot be used to reconstruct original PII. Entity-type-to-text-span mappings are randomized before storage for contextual identifiers, making re-identification impossible. You may opt out of metadata collection entirely.
No human review: Your text is processed by automated systems only. No AmbientMeta employee reviews Customer Data, except in narrow circumstances: with your explicit consent, when required by law, or to provide technical support you have requested.
Chrome extension: The extension reads text you enter into AI assistant input fields (ChatGPT, Claude, Gemini) only when you activate it. Text is sent to our servers over encrypted HTTPS for PII detection and sanitized text is returned to your browser. We do not read, store, or transmit any text outside of the specific input fields you choose to sanitize. We do not collect browsing history, web activity, keystrokes, or form data.
No tracking: We use essential-only cookies for session management. No tracking, analytics, or marketing cookies. No cookie consent banner needed because we don't track you.
Your rights: You can access, correct, delete, or export your data at any time. Contact privacy@ambientmeta.com.
Chrome Extension: Data Collection, Use, and Sharing
Data Collected by the Extension
| Data Type | What Is Collected | Purpose |
|---|---|---|
| Text from input fields | Text you enter into AI assistant input fields on supported sites (chatgpt.com, claude.ai, gemini.google.com) — collected only when you click "Scan" or "Sanitize" | Sent to AmbientMeta servers for PII detection and sanitization |
| Google account info | Email address and display name via Google OAuth (email and profile scopes only) | Account authentication, per-user rate limit enforcement |
| Extension preferences | Entity detection toggles, UI settings | Stored locally in Chrome storage; synced to your account for consistent experience |
| Usage counts | Daily sanitization count (number only, no content) | Free-tier rate limit enforcement (50/day) |
Data NOT Collected by the Extension
- We do not collect browsing history or web browsing activity
- We do not read page content from tabs you do not explicitly submit
- We do not collect keystrokes, form autofill data, or cookies from websites
- We do not monitor network activity, clicks, mouse position, or scroll behavior
- We do not collect personal communications (emails, texts, chat messages)
- We do not collect health, financial, or location information via the extension
How Extension Data Is Used
- PII detection and sanitization: Text you submit is processed by our servers to identify and replace PII with safe placeholders, then returned to your browser.
- Accuracy improvement: Anonymized detection metadata (entity types, confidence scores, context hashes — never original text) is retained to improve detection quality over time.
- Ambiguous entity classification: When our deterministic and statistical detection tiers cannot confidently classify a text span (e.g., distinguishing a phone number from a medical record number), sanitized context may be sent to Anthropic's Claude AI for classification. Your original PII values are never sent — all personally identifiable information is replaced with safe placeholders (e.g., [PERSON_1], [PHONE_1]) before any data leaves our servers. The AI only sees the surrounding non-PII context and structural position to make its classification. See "Third Parties" below.
- Rate limiting and account management: Your Google account email is used to enforce per-user daily limits and manage your subscription.
How Extension Data Is Stored
| Data | Where Stored | How Long |
|---|---|---|
| Text submitted for sanitization | Encrypted Redis cache (Fly.io) | 24 hours max, then auto-deleted |
| Google account info (email, name) | Encrypted PostgreSQL (Fly.io) | Until account deletion |
| Extension preferences | Chrome local storage (your device) | Until extension uninstall or manual clear |
| Detection metadata (anonymized) | Encrypted PostgreSQL (Fly.io) | 30 days (raw); aggregated indefinitely; deleted on account closure |
| Usage counts | Encrypted PostgreSQL (Fly.io) | 30 days |
Third Parties With Whom Extension Data Is Shared
| Party | Data Shared | Purpose |
|---|---|---|
| AmbientMeta servers (Fly.io infrastructure, United States) | Text you submit for sanitization, Google account email | PII detection and sanitization processing, account management |
| Anthropic, PBC (United States) | Sanitized text only — all PII values are replaced with safe placeholders before transmission. Original PII values are never sent. | Tier 4 entity classification (e.g., determining if a number is a phone number vs. medical record number). Only sanitized context with placeholders is sent, not original text or full documents. The AI sees structural context (surrounding non-PII words, document position) but never your actual data values. |
| Google (United States) | OAuth authentication tokens during sign-in | Identity verification only. We request email and profile scopes. No other Google data is accessed. |
| Stripe, Inc. (United States) | Email address, subscription tier (if you upgrade to a paid plan) | Payment processing. AmbientMeta never sees or stores your credit card number. |
We do not share extension data with advertising networks, data brokers, information resellers, or any party for purposes unrelated to providing the AmbientMeta service.
Chrome Extension Permissions Justification
| Permission | Why Required |
|---|---|
| activeTab | Required to read and modify text in the active tab's input fields on supported AI assistant pages, enabling the extension to detect PII in the user's typed text and replace it with privacy-safe placeholders. |
| storage | Used to persist the user's authentication token and daily sanitization count locally, so the user remains signed in across browser sessions without requiring repeated logins. |
| identity | Used for Google OAuth sign-in to create a user account and enforce the per-user daily sanitization limit (50/day on free tier) server-side via JWT. |
| Host permissions (chatgpt.com, claude.ai, gemini.google.com) | Host permissions are restricted to specific AI assistant domains where the extension needs to read and sanitize input field text. No broad or wildcard host permissions are requested. |
| Host permission (api.ambientmeta.com) | Required to communicate with our API backend for PII detection, sanitization, rehydration, and account authentication. |
1. Definitions
- "AmbientMeta," "we," "us" refers to AmbientMeta, the operator of the Privacy Gateway service.
- "Customer," "you" refers to any individual or entity that registers for or uses our services.
- "Customer Data" refers to text content submitted to our API or Chrome extension for PII detection and sanitization.
- "Account Data" refers to information you provide when registering (email, name, authentication credentials).
- "Detection Metadata" refers to anonymized data generated during PII detection: entity types, confidence scores, detection methods, and irreversible context hashes. Detection metadata never contains original PII values.
- "Controller" refers to AmbientMeta when collecting Account Data for its own purposes.
- "Processor" refers to AmbientMeta when processing Customer Data on behalf of Customers.
2. Data We Collect as Controller
2.1 Account Information
When you register, we collect:
- Email address
- Display name (optional)
- Authentication provider (email, Slack, GitHub, or Google)
- OAuth provider identifiers (Slack user ID, GitHub ID, or Google ID)
This information is stored in our database and used to manage your account, authenticate API requests, and communicate service updates.
2.2 Billing Data
Payment information is collected and processed by Stripe, Inc. We store only your Stripe customer ID and subscription status. We never store credit card numbers, bank account details, or other payment credentials on our servers.
2.3 Usage Metadata
We collect metadata about your API usage: request timestamps, request counts per endpoint, entity type distributions, error rates, and response latencies. This data is used for billing, rate limiting, and service improvement.
3. Customer Data We Process
3.1 Processing Model
AmbientMeta operates as a data processor (GDPR Article 28) when handling Customer Data submitted via the API or Chrome extension. You (the Customer) are the data controller. We process Customer Data solely to provide the PII detection and sanitization service you have requested.
3.2 Standard Mode (Sanitize)
In standard mode, Customer Data follows this flow:
- Text is received over encrypted HTTPS
- Our detection engine identifies PII entities
- PII is replaced with safe placeholder tokens (e.g., [PERSON_1], [EMAIL_1])
- The mapping between placeholders and original values is stored in an encrypted session cache with a 24-hour time-to-live (TTL)
- Sanitized text is returned to you
- You may call the rehydrate endpoint within 24 hours to restore original values
- After 24 hours, the session cache entry is automatically and permanently deleted
3.3 Redaction Mode
In redaction mode (mode: "redact"), no session cache entry is created. PII is permanently removed. Restoration is not possible. This mode is designed for document redaction, FOIA processing, and data subject access request (DSAR) compliance.
3.4 Storage Tier Classification
Detected entities are classified into storage tiers that determine what metadata can be retained:
| Storage Tier | Entity Types | Metadata Handling |
|---|---|---|
| Tier 1: Never-Store | SSN, Credit Card | Entity type and character offsets recorded. Original value is never written to any persistent storage. |
| Tier 2: Store-Randomized | Person, Email, Phone, Location, Address | Entity type and character offsets recorded. Entity-type-to-span mappings are randomized before storage, preventing re-identification. |
You may override storage tier classification via the storage_overrides API parameter to promote contextual entities to never-store status (e.g., promoting MRN to Tier 1 for healthcare compliance).
4. Detection Metadata
We retain anonymized detection metadata to improve detection accuracy over time. This metadata includes:
- Entity types detected (e.g., "PERSON," "EMAIL_ADDRESS")
- Detection confidence scores (0.0-1.0)
- Detection method (regex, NER, or context-aware)
- Irreversible SHA-256 context hashes (cannot be reversed to original text)
- Character offset positions (span start/end)
- Storage tier classification
This metadata qualifies as anonymized data under GDPR Recital 26 because: (a) original PII values are never stored, (b) Tier 1 (toxic) identifiers have no value recorded, (c) Tier 2 (contextual) identifier type-to-span mappings are randomized, and (d) context hashes are cryptographically irreversible. This analysis is consistent with the European Court of Justice ruling in EDPS v. Single Resolution Board (C-413/23 P, September 2025), which held that pseudonymized data is not automatically personal data for all recipients when the recipient lacks reasonable means of re-identification.
Enterprise opt-out: You may opt out of detection metadata collection at any time by contacting privacy@ambientmeta.com, even though anonymized data is technically exempt from GDPR obligations.
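The sanitize, rehydrate and redaction flow of Sections 3.2 and 3.3, together with the value-free detection metadata of Section 4, as an added illustration in Python. This is not AmbientMeta's code: the two regex detectors, the in-memory session store, the 32-character context window feeding the SHA-256 hash and the hypothetical `sanitize`/`rehydrate` functions are assumptions, and Tier 2 span randomization is not shown.

```python
import hashlib
import re
import secrets
import time

# Constructed, deliberately small detector: two regex entity types stand in for the
# real multi-tier engine. Placeholder format follows the policy ([EMAIL_1], [SSN_1]).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
TIER = {"SSN": 1, "CREDIT_CARD": 1, "EMAIL": 2, "PERSON": 2, "PHONE": 2}
SESSION_TTL = 24 * 60 * 60  # seconds: the policy's 24-hour session cache window
_sessions = {}  # session_id -> (expires_at, {placeholder: original value})

def _context_hash(text, start, end):
    # Irreversible hash over surrounding context only; the detected value is excluded.
    ctx = text[max(0, start - 32):start] + "\x00" + text[end:end + 32]
    return hashlib.sha256(ctx.encode()).hexdigest()

def sanitize(text, mode="sanitize", now=None):
    """Return (sanitized_text, session_id, metadata). 'redact' mode keeps no session."""
    now = time.time() if now is None else now
    hits = sorted((m.start(), m.end(), t) for t, p in PATTERNS.items() for m in p.finditer(text))
    mapping, metadata, counts, out, cursor = {}, [], {}, [], 0
    for start, end, etype in hits:
        counts[etype] = counts.get(etype, 0) + 1
        ph = f"[{etype}_{counts[etype]}]"
        mapping[ph] = text[start:end]
        # Detection metadata never carries the value, whatever the storage tier.
        metadata.append({"entity_type": etype, "span": (start, end), "method": "regex",
                         "confidence": 1.0, "tier": TIER[etype],
                         "context_hash": _context_hash(text, start, end)})
        out.append(text[cursor:start]); out.append(ph); cursor = end
    out.append(text[cursor:])
    if mode == "redact":
        return "".join(out), None, metadata  # mapping discarded: restoration impossible
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = (now + SESSION_TTL, mapping)
    return "".join(out), sid, metadata

def rehydrate(sanitized, session_id, now=None):
    """Restore originals; None once the TTL has passed or the session is unknown."""
    now = time.time() if now is None else now
    entry = _sessions.get(session_id)
    if entry is None or now >= entry[0]:
        _sessions.pop(session_id, None)  # expired entries are purged, never served
        return None
    text = sanitized
    for ph, original in entry[1].items():
        text = text.replace(ph, original)
    return text
```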
5. Data Security
We implement the following security measures:
| Layer | Standard | Implementation |
|---|---|---|
| Data in transit | TLS 1.2+ | Enforced on all API and extension communications |
| Data at rest | AES-256 | Database and cache encryption |
| API key storage | bcrypt | Keys are hashed; only prefix is stored after creation |
| Session data | Redis TTL | Automatic deletion after 24 hours |
| Authentication tokens | HS256 JWT | Short-lived tokens with configurable expiration |
SOC 2 Type II certification covering Security, Privacy, and Confidentiality Trust Services Criteria is targeted for 2026.
6. Sub-Processors
We use third-party sub-processors to deliver our service:
| Sub-Processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Fly.io, Inc. | United States | Application hosting | Text data (transient), account data |
| Redis (via Fly.io) | United States | Session cache (24hr TTL) | Session data, PII-to-placeholder mappings |
| PostgreSQL (via Fly.io) | United States | Account and metadata storage | Account data, detection metadata |
| Anthropic, PBC | United States | Tier 4 entity classification | Sanitized text only (all PII replaced with placeholders before transmission — original values never sent) |
| Stripe, Inc. | United States | Payment processing | Billing data, payment information |
| Google (OAuth) | United States | Extension authentication | Email, display name (identity verification only) |
A complete list is also available at /legal/sub-processors. We will notify you of changes to our sub-processor list at least 30 days before any new sub-processor begins processing Customer Data.
7. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Session cache (PII mappings) | 24 hours | Automatic TTL expiration |
| Account data | Active account + 30 days | Deleted on account closure request |
| Request logs | 30 days (configurable) | Hourly automated cleanup job |
| Detection metadata (raw events) | 30 days | Automated retention cleanup |
| Detection metadata (aggregated insights) | Indefinite | Deleted on account closure request |
| Billing data (Stripe) | Per Stripe retention policy | Managed by Stripe |
8. International Data Transfers
Our services are hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Self-hosted deployments process all data on your own infrastructure — no data is transferred to AmbientMeta.
9. Your Rights
Under GDPR (EEA, UK, Switzerland)
You have the right to:
- Access your personal data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten") (Article 17)
- Data portability in machine-readable format (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Restriction of processing (Article 18)
- Lodge a complaint with your local supervisory authority
Under CCPA/CPRA (California)
California residents have the right to:
- Know what personal information is collected, used, and disclosed
- Delete personal information held by us
- Opt out of the sale or sharing of personal information
AmbientMeta does not sell personal information. Disclosure of Customer Data to AmbientMeta as a service provider is explicitly not a "sale" under CCPA.
To exercise any of these rights, contact privacy@ambientmeta.com. We will respond within 30 days (GDPR) or 45 days (CCPA).
10. Cookies
AmbientMeta uses essential-only cookies for session management and authentication. We do not use tracking cookies, analytics cookies, or marketing cookies. Because we use only essential cookies, no cookie consent banner is required.
11. Children's Privacy
Our services are not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete it.
12. Changes to This Policy
We may update this policy periodically. For material changes, we will notify you via email at least 30 days before the changes take effect. Non-material changes (clarifications, formatting) may be made without notice. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of our services after changes constitutes acceptance of the updated policy.
13. Data Processing Agreement
For customers who require a formal Data Processing Agreement (DPA) under GDPR Article 28, our standard DPA is available at /legal/dpa. The DPA governs our processing of Customer Data as a processor on your behalf.
14. Contact Us
For privacy-related questions, data subject requests, or concerns:
- Privacy inquiries: privacy@ambientmeta.com
- Data Protection Officer (EU): dpo@ambientmeta.com