Privacy & GDPR

What data is collected

The ShieldLabs JS snippet collects browser environment signals — not direct PII.

Data collected	Purpose
Browser rendering (canvas, WebGL, fonts, audio)	Device fingerprint
Screen, hardware, navigator properties	Device identification
Browser timezone	Timezone mismatch detection
`entryUrl`, `referrer`	Traffic attribution on protected page
IP address	Detected server-side from TCP connection

Not collected:

Name, email, phone number
Full browsing history (only current page URL and referrer)
Form field contents

First-party storage:

visitorID in localStorage and a first-party cookie (persistent visitor ID)
Session ID in sessionStorage (~10 min)

UserHID and hashing

Pass only a hash of your user identifier to checkAuthenticatedUser():

const hashedId = await sha256(currentUser.id);
mod.checkAuthenticatedUser(hashedId);

// Wrong — never pass raw PII
mod.checkAuthenticatedUser(currentUser.email); // ❌

Data retention

Session snapshots stored in ClickHouse
Default operational retention: ~90 days (contact support for deletion requests)
No automatic TTL is enforced in application code — retention is an operational policy

Legal basis: legitimate interest for fraud prevention (GDPR Recital 47)
No consent banner required for fraud-prevention fingerprinting in most jurisdictions
IP addresses sent to ipapi.is for classification (third-party processor)
Reference ShieldLabs in your Privacy Policy

Data processing agreement

DPA available for Enterprise customers: privacy@shieldlabs.ai

Security Billing

​Privacy & GDPR

​What data is collected

​UserHID and hashing

​Data retention

​GDPR compliance

​Data processing agreement

What data is collected

UserHID and hashing

Data retention

GDPR compliance

Data processing agreement