> ## Documentation Index > Fetch the complete documentation index at: https://docs.shieldlabs.ai/llms.txt > Use this file to discover all available pages before exploring further. # Privacy Policy > How ShieldLabs processes technical and personal data, as processor and as controller. *Last updated June 29, 2026. Contact: [legal@shieldlabs.ai](mailto:legal@shieldlabs.ai)* ## 1. Roles & Scope We act as a processor for Customer end-user technical data processed on Customer's behalf, and as a controller for our own account data, access logs, usage metrics, and billing. As processor, we act only on the Customer's documented instructions; the Customer, as controller, determines the purposes and means of that processing and is responsible for the related decisions. ## 2. Processor Data (on your behalf) We process technical and operational data about Customer's end-users as necessary to provide the Service, in accordance with the Customer's configuration and plan. Categories include device and browser signals, network identifiers (e.g., IP address), behavioral and event signals, and derived risk scores/labels. The exact composition of signals and processing methods is proprietary. ## 3. Controller Data (our own) Account data, technical access logs, performance metrics, billing/invoices, and support communications. ## 4. Purposes & Legal Basis We process Controller Data to provide and secure the Service, prevent abuse, analyze performance, provide support, and send product communications. Where applicable data protection law applies, we rely on performance of a contract, our legitimate interests in operating and securing the Service, and compliance with legal obligations. ## 5. Retention Retention is up to 12 months and may vary by plan, as agreed with Customer. Aggregated/anonymized metrics may be retained longer for analytics and quality. ## 6. Sharing & Subprocessors Access is limited to personnel/systems that need it. We use subprocessors (e.g., hosting, logging, analytics) under written confidentiality and data-protection obligations. A current list is available upon request, and we will provide notice of new subprocessors with a reasonable opportunity to object. ## 7. Security We implement commercially reasonable organizational and technical measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, proportionate to the nature of the data and risks involved. As processor, we will notify the Customer without undue delay after becoming aware of a personal data breach. ## 8. Data Subject Requests We handle data subject requests (e.g., access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority) within a reasonable time, subject to identity verification and applicable limitations. For end-user data we process on Customer's behalf, we will forward such requests to the Customer or assist the Customer as its processor. Requests: [legal@shieldlabs.ai](mailto:legal@shieldlabs.ai) ## 9. Cross-Border Transfers Data may be processed or accessed across regions as needed to provide the Service. We use contractual safeguards appropriate to the nature of processing. A Data Processing Addendum (DPA) will be provided upon conclusion of the contract. ## 10. Customer Responsibilities Customer is responsible for having a valid legal basis and providing clear end-user disclosures/consent via Customer's own interfaces/CMP where required, and for any decisions (including automated decision-making or profiling) it makes using the outputs. ## 11. Customer Controls Customer controls visibility and export of fields in the admin console and via supported interfaces, within plan limits and retention windows. ## 12. Children The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from children under 16. ## 13. Contact [legal@shieldlabs.ai](mailto:legal@shieldlabs.ai)