Privacy Policy

Effective May 27, 2026. The short version is on the Security & Privacy page. This document is the legally-precise version. Questions: compliance@shroudfox.io.

A note on this policy. This is the working version of our standard Privacy Policy. Material changes will be emailed to active customers at least 30 days before they take effect. If you are a school district or other organization that has signed a separate Data Processing Agreement ("DPA") with us, the DPA governs the handling of any student data you submit to the service.

The architectural premise

The single most important fact about ShroudFox's privacy posture is structural, not legal: we do not want to see your users' personally identifying information ("PII"), and we have built the product so that we don't.

PII detection runs in the user's browser. Names, emails, student IDs, dates of birth, addresses, and similar identifiers are replaced with reversible placeholder tokens ([[PERSON_1]], [[EMAIL_2]], …) before any text leaves the device. The map between tokens and the original values lives in an encrypted vault that stays in the user's browser only — ShroudFox's servers never receive it. The Security & Privacy page walks through how to verify this in 60 seconds.

That structural choice constrains everything below. We can't sell PII because we don't have it. A subpoena for student names would yield nothing from us, because the names are not in our database. The rest of this policy describes the data we do hold (account records, tokenized text, request metadata) and how we handle it.
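The browser-side flow described above, as an added illustration (this is not ShroudFox's code and is not taken from the product): identifiers are detected on the device, swapped for reversible [[LABEL_n]] placeholders, the token-to-value map is kept in a vault that never leaves the browser, and the swap is reversed on the model's reply. The regex detectors, the roster-based name matcher, the Vault class and the sample prompt are assumptions made for the example; a real detector is broader, and the vault would be encrypted before it is persisted. Whatever the detectors miss leaves the device in the clear, which is the limitation any client-side scheme of this kind carries.

```javascript
// Added example, not ShroudFox's code. Detector patterns, the roster-based
// PERSON matcher, the in-memory Vault and the sample text are assumptions.

// Constructed class roster: the names the PERSON detector should recognise.
const ROSTER = ["Jane Doe", "Marcus Lee"];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Order matters: structured identifiers run first so an e-mail address is
// tokenized as a whole before the name matcher sees its local part.
const DETECTORS = [
  { label: "EMAIL", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { label: "PHONE", re: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
  { label: "STUDENT_ID", re: /\bS\d{6}\b/g },
  { label: "DOB", re: /\b\d{2}\/\d{2}\/\d{4}\b/g },
  { label: "PERSON", re: new RegExp(`\\b(?:${ROSTER.map(escapeRe).join("|")})\\b`, "gi") },
];

// Placeholder format used on the wire: [[LABEL_n]].
const TOKEN_RE = /\[\[([A-Z_]+)_(\d+)\]\]/g;

// The vault never leaves the browser; the server only ever sees tokens.
class Vault {
  constructor() {
    this.toToken = new Map();  // "LABEL:value" -> "[[LABEL_n]]"
    this.toValue = new Map();  // "[[LABEL_n]]" -> original value
    this.counters = new Map(); // LABEL -> last n issued
  }
  tokenFor(label, value) {
    const key = `${label}:${value.toLowerCase()}`; // same identifier, same token
    if (!this.toToken.has(key)) {
      const n = (this.counters.get(label) ?? 0) + 1;
      this.counters.set(label, n);
      const token = `[[${label}_${n}]]`;
      this.toToken.set(key, token);
      this.toValue.set(token, value);
    }
    return this.toToken.get(key);
  }
  valueFor(token) { return this.toValue.get(token); }
  size() { return this.toValue.size; }
}

// Outbound path: replace every detected identifier before the text leaves
// the device. Mutates the vault; returns the text that may be sent.
function tokenize(text, vault) {
  let out = text;
  for (const { label, re } of DETECTORS) {
    out = out.replace(re, (match) => vault.tokenFor(label, match));
  }
  return out;
}

// Inbound path: restore tokens the vault knows. A token the model invented
// or mangled has no entry; it is left in place and reported rather than
// silently dropped or guessed.
function detokenize(text, vault) {
  const unresolved = [];
  const out = text.replace(TOKEN_RE, (token) => {
    const value = vault.valueFor(token);
    if (value === undefined) { unresolved.push(token); return token; }
    return value;
  });
  return { text: out, unresolved };
}

// Pre-flight check on the outbound payload: no detector should still fire.
function leaksPII(text) {
  return DETECTORS.some(({ re }) => { re.lastIndex = 0; return re.test(text); });
}

// Constructed sample prompt, as a teacher might type it.
const vault = new Vault();
const draft =
  "Draft a note to Jane Doe (S123456, jane.doe@district.org, DOB 04/12/2011) " +
  "and cc Marcus Lee. Jane Doe's mother can be reached at 555-123-4567.";
const outbound = tokenize(draft, vault);
console.log(outbound);            // only [[...]] placeholders remain
console.log(leaksPII(outbound));  // false
// Simulated model reply that echoes known tokens and one it made up.
const reply = "Dear parent of [[PERSON_1]] ([[STUDENT_ID_1]]): please call [[PHONE_1]]. Regards, [[PERSON_3]]";
console.log(detokenize(reply, vault));
```

Two details carry the security weight. Tokenization is idempotent per identifier (the second "Jane Doe" maps to the same [[PERSON_1]]), so the server sees consistent placeholders without learning the value, and the vault can be discarded on sign-out as Section 4 describes. On the way back, an unknown token is surfaced rather than guessed, so a hallucinated [[PERSON_3]] cannot be quietly resolved to the wrong student.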

1. What we collect

We collect only what we need to operate the service and provide it to you reliably. Specifically:

  • Account information — your email address, a salted PBKDF2-SHA256 hash of your password (we never store the password itself), the district or organization name you provide at signup, and the state-statute identifier you optionally provide so we can pre-populate the right DPA addendum. Created when you sign up; updated when you change it.
  • Billing information — handled by Stripe, our payment processor. We do not store payment-card numbers ourselves; we receive only the Stripe customer ID, subscription ID, plan, and trial end date, used to route invoices and confirm entitlement. See Stripe's privacy practices at stripe.com/privacy.
  • Tokenized chat history — messages you send through the product, after PII has been replaced with tokens in the browser. We store this so users can continue conversations across devices and review past sessions. Tokens are uninterpretable without the per-user vault, which lives only on the user's device.
  • Project and knowledge data — project labels, instructions, and uploaded knowledge files, all tokenized in the same way as chat history. Useful for K-12 contexts (per-grade prompts, per-class reference docs) without exposing the PII in the underlying source content.
  • Encrypted API keys (BYO plans only) — if you add your own OpenAI / Anthropic / Google API key through Settings, we store it encrypted at rest using Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag; the Fernet key is derived from our session secret) and decrypt it only at request time to forward your chat to the upstream provider. We never log the plaintext key and never display it in the UI again after you save it; only a masked four-character tail is shown.
  • Request metadata — timestamps, HTTP status codes, the account identifier that made each request, and a coarse user-agent string. Used for operational diagnostics and abuse detection. Retained for 90 days, then auto-deleted.
  • Spend metering (trial accounts) — an integer running total of the upstream-AI cost we have covered on your behalf during the 14-day trial, used to enforce the $10 trial credit. This counter exposes no content of those messages.

What we do not collect. We do not collect or receive the underlying PII that the browser detected and tokenized: names, emails, phone numbers, student IDs, dates of birth, addresses, IEP details, or any other identifier that pointed to a real person. We do not collect biometric data, browsing history outside the product, location data, or contact lists.

2. How we use it

We use the data above to:

  • Authenticate your sign-ins and operate the product
  • Forward tokenized text to the AI provider you select (OpenAI, Anthropic, or Google) and return the reply to your browser
  • Bill you accurately and route Stripe receipts
  • Detect and respond to abuse, rate-limit violations, and security incidents
  • Send transactional emails (sign-up confirmation, billing receipts, trial-ending reminders, security notices). We do not send marketing emails without your explicit opt-in
  • Comply with legal obligations (a subpoena for account records would be answered with the limited account information we hold; we would notify you unless legally prohibited)

We do not use your data to train AI models, ours or anyone else's. We do not sell, rent, or trade your data. We do not use behavioral profiling or programmatic advertising.

3. Who we share it with

We share data only with subprocessors required to deliver the service. Each subprocessor is contractually bound to handle data only on our instructions and only for the purpose we engaged them for.

  • Google Cloud Platform (Cloud Run, Firestore, Secret Manager, in us-central1) — hosts the application, stores tokenized chat history, and stores secrets. Bound by Google's standard DPA.
  • Cloudflare — fronts our domains for DNS, TLS termination, DDoS protection, and edge routing. May briefly process tokenized request bytes in transit. Bound by Cloudflare's DPA.
  • Stripe — processes payments and subscription state. Receives your email and payment-method details for billing. Bound by Stripe's privacy and PCI-DSS commitments.
  • Upstream AI providers (OpenAI, Anthropic, Google AI Studio) — receive tokenized text only (no PII) when you initiate a chat. Each operates under its API enterprise terms, which prohibit training on submitted content. On the Standard (BYO) plan, your relationship with the AI provider is also direct.
  • Transactional email provider (one of Resend, Postmark, or SendGrid; we will update this list when we add the integration) — receives the recipient email address and the body of the system emails we send you.

We will give 30 days' notice to active customers before adding a new subprocessor. The current subprocessor list is always available on this page.

4. How long we keep it

  • Account records — until you delete the account, then deleted within 30 days (subject to legal-hold obligations)
  • Tokenized chat history + projects — default 365 days from last activity, configurable per district by agreement. On account deletion, exported (on request) within 14 days and then deleted
  • Request metadata logs — 90 days, then auto-deleted
  • Billing records — retained as long as US tax law requires (currently 7 years for receipts), maintained by Stripe per Stripe's policy
  • Browser-side vault (token-to-PII map) — destroyed on the device on sign-out; never reaches our servers

5. How we secure it

Transport-layer protections: TLS 1.2+ everywhere (Cloudflare + Cloud Run terminate TLS at the edge).

At-rest protections: Firestore data is encrypted with Google-managed keys. BYO API keys are additionally encrypted at the application layer with Fernet (AES-128-CBC plus an HMAC-SHA256 tag, with the Fernet key derived from SESSION_SECRET) before they are written, so they sit encrypted on top of Google's underlying disk encryption. Session secrets and API credentials are kept in Google Secret Manager with audit logging enabled.

Access controls: a small number of operators have production access via Google Cloud IAM with two-factor authentication. Production access is logged and reviewed. We do not have shared root credentials.

See the Security & Privacy page for the full posture, the limitations we openly disclose, and the SOC 2 audit timeline.

6. Your rights

You can exercise any of the rights below by emailing compliance@shroudfox.io from the address on your account. We respond within 30 days (45 with prior notice if your request is complex).

  • Access — receive a copy of the data we hold about you
  • Correction — fix anything inaccurate in your account
  • Deletion — delete your account and the data associated with it
  • Portability — receive your tokenized chat history as a JSON archive you can take elsewhere
  • Object — to any specific processing activity
  • Restrict — pause processing while a dispute is resolved
  • Complaint — file with the privacy regulator in your jurisdiction; we will cooperate in good faith

7. State-specific rights (US)

The rights in Section 6 are available to all users. Several US states grant additional rights โ€” see below. These are summaries; the full statutes control.

California (CCPA / CPRA). California residents may request the categories of personal information we collect, the business purposes for which we collect it, and the categories of third parties with whom we share it (all of which are listed in Sections 1–3 above). You may also opt out of any "sale" or "sharing" of personal information for targeted advertising — we do neither, so there is nothing to opt out of, but you can confirm in writing if useful for compliance documentation.

Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy statutes grant similar rights. We honor them uniformly through the compliance@shroudfox.io channel; you do not need to invoke a specific statute.

Student data laws. For school districts, college/university customers, and their students, the applicable framework is FERPA plus your state's student-data-privacy statute (SOPPA in Illinois, Ed Law § 2-d in New York, etc.). These are governed by the DPA we sign with your district rather than this Privacy Policy, but where those laws grant additional rights, those rights apply regardless.

8. Children's privacy (COPPA)

ShroudFox is designed for faculty, staff, and administrators. Under-13 students are not direct users of the product in the default configuration. If a district plans to extend the service to younger students, contact us first โ€” the COPPA-compliant configuration requires additional verifiable-parental-consent provisions per 16 CFR Part 312, which we will set up as part of onboarding.

9. Cookies and tracking

The marketing site (shroudfox.io) does not set tracking cookies. We do not use Google Analytics, Facebook Pixel, or any other third-party analytics or advertising identifier. Cloudflare may set a brief technical cookie (__cf_bm) to distinguish humans from automated bots during DDoS mitigation; this is operational and does not track you across sites.

The product (app.shroudfox.io) sets one cookie: anon_session, an HttpOnly, Secure, SameSite=Lax session cookie that keeps you signed in. It contains a base64-encoded JSON payload ({email, exp}) and an HMAC signature. It is never sent to any third party.

10. International users

ShroudFox is operated from the United States and the data we store lives in US data centers (Google Cloud us-central1). If you access the service from outside the US, you consent to the transfer of your data to the US for processing. We will honor any additional rights granted to you under your local jurisdiction's privacy law; contact us if you need specific commitments under the EU GDPR, UK GDPR, or other framework.

11. Changes to this policy

We will update this policy from time to time as the service evolves. Material changes — anything that affects the categories of data we collect, the parties we share it with, or the rights you have over it — are emailed to all active customers at least 30 days before they take effect. The "Effective" date at the top of this page changes on every revision.

12. Contact

ShroudFox is operated by a sole proprietor in the United States. For privacy questions: