Privacy Policy
Last updated: February 11, 2026
Privacy Summary
AmbientMeta is a privacy gateway that detects and replaces personally identifiable information (PII) in text before it reaches AI systems. Here is how we handle your data:
What we process: When you call our API or use our Chrome extension, we receive text that may contain PII. We detect PII entities (names, emails, SSNs, etc.), replace them with safe placeholders, and return the sanitized text. In standard mode, the original values are cached for up to 24 hours so you can restore them later. In redaction mode, values are permanently removed with no possibility of restoration.
What we never store: We never permanently store your original PII values. Sensitive identifiers like SSNs and credit card numbers exist only in our encrypted temporary cache and are automatically destroyed after 24 hours (or immediately in redaction mode). We never store the raw text you submit beyond the temporary processing window.
Detection metadata: We retain anonymized detection metadata (entity types detected, confidence scores, and irreversible context hashes) to improve detection accuracy. This metadata cannot be used to reconstruct original PII. Entity-type-to-text-span mappings are randomized before storage for contextual identifiers, making re-identification impossible. You may opt out of metadata collection entirely.
No human review: Your text is processed by automated systems only. No AmbientMeta employee reviews Customer Data, except in narrow circumstances: with your explicit consent, when required by law, or to provide technical support you have requested.
Chrome extension: The extension reads text you enter into AI assistant input fields (ChatGPT, Claude, Gemini), sends it to our servers over encrypted HTTPS for PII detection, and returns sanitized text to your browser. We do not read, store, or transmit any text outside of the specific input fields you choose to sanitize.
No tracking: We use essential-only cookies for session management. No tracking, analytics, or marketing cookies. No cookie consent banner needed because we don't track you.
Your rights: You can access, correct, delete, or export your data at any time. Contact privacy@ambientmeta.com.
1. Definitions
- "AmbientMeta," "we," "us" refers to AmbientMeta, the operator of the Privacy Gateway service.
- "Customer," "you" refers to any individual or entity that registers for or uses our services.
- "Customer Data" refers to text content submitted to our API or Chrome extension for PII detection and sanitization.
- "Account Data" refers to information you provide when registering (email, name, authentication credentials).
- "Detection Metadata" refers to anonymized data generated during PII detection: entity types, confidence scores, detection methods, and irreversible context hashes. Detection metadata never contains original PII values.
- "Controller" refers to AmbientMeta when collecting Account Data for its own purposes.
- "Processor" refers to AmbientMeta when processing Customer Data on behalf of Customers.
2. Data We Collect as Controller
2.1 Account Information
When you register, we collect:
- Email address
- Display name (optional)
- Authentication provider (email, Slack, GitHub, or Google)
- OAuth provider identifiers (Slack user ID, GitHub ID, or Google ID)
This information is stored in our database and used to manage your account, authenticate API requests, and communicate service updates.
2.2 Billing Data
Payment information is collected and processed by Stripe, Inc. We store only your Stripe customer ID and subscription status. We never store credit card numbers, bank account details, or other payment credentials on our servers.
2.3 Usage Metadata
We collect metadata about your API usage: request timestamps, request counts per endpoint, entity type distributions, error rates, and response latencies. This data is used for billing, rate limiting, and service improvement.
3. Customer Data We Process
3.1 Processing Model
AmbientMeta operates as a data processor (GDPR Article 28) when handling Customer Data submitted via the API or Chrome extension. You (the Customer) are the data controller. We process Customer Data solely to provide the PII detection and sanitization service you have requested.
3.2 Standard Mode (Sanitize)
In standard mode, Customer Data follows this flow:
- Text is received over encrypted HTTPS
- Our detection engine identifies PII entities
- PII is replaced with safe placeholder tokens (e.g., [PERSON_1], [EMAIL_1])
- The mapping between placeholders and original values is stored in an encrypted session cache with a 24-hour time-to-live (TTL)
- Sanitized text is returned to you
- You may call the rehydrate endpoint within 24 hours to restore original values
- After 24 hours, the session cache entry is automatically and permanently deleted
3.3 Redaction Mode
In redaction mode (mode: "redact"), no session cache entry is created. PII is permanently removed. Restoration is not possible. This mode is designed for document redaction, FOIA processing, and data subject access request (DSAR) compliance.
3.4 Storage Tier Classification
Detected entities are classified into storage tiers that determine what metadata can be retained:
| Storage Tier | Entity Types | Metadata Handling |
|---|---|---|
| Tier 1: Never-Store | SSN, Credit Card | Entity type and character offsets recorded. Original value is never written to any persistent storage. |
| Tier 2: Store-Randomized | Person, Email, Phone, Location, Address | Entity type and character offsets recorded. Entity-type-to-span mappings are randomized before storage, preventing re-identification. |
You may override storage tier classification via the storage_overrides API parameter to promote contextual entities to never-store status (e.g., promoting MRN to Tier 1 for healthcare compliance).
4. Detection Metadata
We retain anonymized detection metadata to improve detection accuracy over time. This metadata includes:
- Entity types detected (e.g., "PERSON," "EMAIL_ADDRESS")
- Detection confidence scores (0.0-1.0)
- Detection method (regex, NER, or context-aware)
- Irreversible SHA-256 context hashes (cannot be reversed to original text)
- Character offset positions (span start/end)
- Storage tier classification
This metadata qualifies as anonymized data under GDPR Recital 26 because: (a) original PII values are never stored, (b) Tier 1 (toxic) identifiers have no value recorded, (c) Tier 2 (contextual) identifier type-to-span mappings are randomized, and (d) context hashes are cryptographically irreversible. This analysis is consistent with the European Court of Justice ruling in EDPS v. Single Resolution Board (C-413/23 P, September 2025), which held that pseudonymized data is not automatically personal data for all recipients when the recipient lacks reasonable means of re-identification.
Enterprise opt-out: You may opt out of detection metadata collection at any time by contacting privacy@ambientmeta.com, even though anonymized data is technically exempt from GDPR obligations.
5. Chrome Extension Data Flow
The AmbientMeta Chrome extension operates as follows:
- The extension reads text you enter into AI assistant input fields on supported sites (ChatGPT, Claude, Gemini)
- When you click "Sanitize," the text is transmitted over encrypted HTTPS to AmbientMeta's processing servers
- Our servers detect PII and replace it with privacy-safe tokens
- Sanitized text is returned to your browser and placed into the input field
- Original text is held in an encrypted session cache for up to 24 hours, then permanently deleted
- We do not permanently store, sell, or share the text you submit
The extension requires Google sign-in to enforce per-user rate limits (50 sanitizations/day on the free tier) and to attribute detection data for accuracy improvement. We request only email and profile scopes.
6. Data Security
We implement the following security measures:
| Layer | Standard | Implementation |
|---|---|---|
| Data in transit | TLS 1.2+ | Enforced on all API and extension communications |
| Data at rest | AES-256 | Database and cache encryption |
| API key storage | bcrypt | Keys are hashed; only prefix is stored after creation |
| Session data | Redis TTL | Automatic deletion after 24 hours |
| Authentication tokens | HS256 JWT | Short-lived tokens with configurable expiration |
SOC 2 Type II certification covering Security, Privacy, and Confidentiality Trust Services Criteria is targeted for Month 6-9.
7. Sub-Processors
We use third-party sub-processors to deliver our service. A complete list is available at /legal/sub-processors. We will notify you of changes to our sub-processor list at least 30 days before any new sub-processor begins processing Customer Data.
8. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Session cache (PII mappings) | 24 hours | Automatic TTL expiration |
| Account data | Active account + 30 days | Deleted on account closure request |
| Request logs | 30 days (configurable) | Hourly automated cleanup job |
| Detection metadata (raw events) | 30 days | Automated retention cleanup |
| Detection metadata (aggregated insights) | Indefinite | Deleted on account closure request |
| Billing data (Stripe) | Per Stripe retention policy | Managed by Stripe |
9. International Data Transfers
Our services are hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Self-hosted deployments process all data on your own infrastructure — no data is transferred to AmbientMeta.
10. Your Rights
Under GDPR (EEA, UK, Switzerland)
You have the right to:
- Access your personal data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten") (Article 17)
- Data portability in machine-readable format (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Restriction of processing (Article 18)
- Lodge a complaint with your local supervisory authority
Under CCPA/CPRA (California)
California residents have the right to:
- Know what personal information is collected, used, and disclosed
- Delete personal information held by us
- Opt out of the sale or sharing of personal information
AmbientMeta does not sell personal information. Disclosure of Customer Data to AmbientMeta as a service provider is explicitly not a "sale" under CCPA.
To exercise any of these rights, contact privacy@ambientmeta.com. We will respond within 30 days (GDPR) or 45 days (CCPA).
11. Cookies
AmbientMeta uses essential-only cookies for session management and authentication. We do not use tracking cookies, analytics cookies, or marketing cookies. Because we use only essential cookies, no cookie consent banner is required.
12. Children's Privacy
Our services are not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete it.
13. Changes to This Policy
We may update this policy periodically. For material changes, we will notify you via email at least 30 days before the changes take effect. Non-material changes (clarifications, formatting) may be made without notice. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Data Processing Agreement
For customers who require a formal Data Processing Agreement (DPA) under GDPR Article 28, our standard DPA is available at /legal/dpa. The DPA governs our processing of Customer Data as a processor on your behalf.
15. Contact Us
For privacy-related questions, data subject requests, or concerns:
- Privacy inquiries: privacy@ambientmeta.com
- Data Protection Officer (EU): dpo@ambientmeta.com