Starter legal page — review with an attorney before production launch.

Privacy Policy

Last updated: 5/5/2026

What we collect

SafeLayer collects only what is needed to provide the security service:

  • Account email and name for authentication.
  • Risk event metadata: domain, event type, risk level, confidence score, redacted key preview. Never raw keys or clipboard content.
  • Vault entries: label, provider, and encrypted secret. The raw secret is never stored — only AES-256-GCM encrypted data.
  • Extension pairing token hashes. The raw token is shown once and never retained.
  • Subscription and billing data via Stripe. We never handle card numbers directly.

What we do not collect

  • Raw API keys or secrets from browser warning events.
  • Screen recordings or full keystroke logs.
  • Browser history beyond the specific domains analyzed by the extension.
  • Personal data from third-party services connected by users.

How we use data

Data is used solely to provide SafeLayer's security features: displaying your risk dashboard, generating weekly reports, and powering domain intelligence. We do not sell personal data or security events to advertisers or data brokers.

Data retention

Risk events are retained for 12 months by default. Vault entries are retained until deleted by the user. Account data is retained until the account is closed.

Third-party services

SafeLayer uses Supabase (database and auth), Stripe (payments), and Resend (email). Each operates under its own privacy policy and data processing agreements.

Contact

For privacy questions, contact: privacy@safelayer.app