Skip to main content

Privacy & GDPR

What data is collected

The ShieldLabs JS snippet collects browser environment signals — it does not collect personally identifiable information (PII).
Data collectedPurpose
Browser rendering parameters (canvas, WebGL, fonts)Device fingerprint
Screen resolution, hardware concurrencyDevice identification
Browser timezoneTimezone mismatch detection
Navigator properties (platform, vendor, languages)Browser/OS classification
IP addressDetected server-side from TCP connection — not by JS
Not collected:
  • Name, email, phone number
  • Browsing history or URLs
  • Cookies or session tokens
  • Any data from form fields

UserHID and hashing

The UserHID you pass to checkAuthenticatedUser() must be a hash of your user’s identifier, not the raw value. 
// Correct — hash before passing
const hashedId = await sha256(currentUser.id);
mod.checkAuthenticatedUser(hashedId);

// Wrong — never pass raw PII
mod.checkAuthenticatedUser(currentUser.email); // ❌

Data retention

  • Session data (snapshots) are stored in ClickHouse
  • Retention period: configurable (default 90 days)
  • Contact support to request data deletion

GDPR compliance

  • ShieldLabs processes data under the legal basis of legitimate interest for fraud prevention
  • No consent banner required for fraud prevention processing under GDPR Recital 47
  • Your users’ IP addresses are processed server-side — they are not sent to the browser
  • You may include a reference to ShieldLabs in your Privacy Policy

Data processing agreement

A Data Processing Agreement (DPA) is available for Enterprise customers. Contact privacy@shieldlabs.ai.