Privacy Policy
This policy explains what data Shieldly AI collects, why we collect it, how we store it, and your rights as a user. We believe in plain language — not legal obfuscation.
1. Overview
Shieldly AI is operated by Flexitime Microsystems, a company registered in Nigeria (Plot 18, 231 Crescents, Kado Estate, Kado, Abuja, Nigeria). We provide an AI-powered security operations platform for small and medium businesses.
This Privacy Policy applies to all services provided through shieldlyai.cc including the free domain audit tool, the Shieldly AI dashboard, vendor risk management, breach scanning, and vulnerability scanning features.
2. Data we collect
We collect only what is necessary to deliver the service. Below is a complete list of every category of data we process.
| Category | What we collect | Why |
|---|---|---|
| Account data | Business email address | Authentication via magic link — no password ever collected |
| Session data | Encrypted session token, expiry time | To keep you signed in for 30 days |
| Domain data | Domain names you add, scan results (SSL, headers, SPF, DMARC, MX, breach status), scores, scan history | To monitor your domain security and show score history |
| Vendor data | Vendor names, domains, contact names and emails, risk tiers, questionnaire responses, scores | To power the vendor risk register and questionnaire tool |
| Breach scan data | Domain names and email addresses you scan for breach exposure | To check against breach databases and show results in your dashboard |
| Vulnerability scan data | Domain names you scan, findings, severity scores, categories | To identify and report web-facing vulnerabilities |
| Lead capture data | Email address, domain name (if entered on the free scan page) | To send you your audit report and follow up about the platform |
| Technical data | Vercel serverless function logs (domain name, timestamp, HTTP status) — no IP addresses stored | Debugging and platform reliability only |
3. How we use your data
We use your data only for the purposes below. We do not use your data for advertising, profiling, or any purpose unrelated to delivering the Shieldly AI service.
- Authentication: Your email is used to send magic links and verify your identity. We do not store passwords.
- Service delivery: Domain names and scan targets are used to run security checks and return results to you.
- AI analysis: Scan results are sent to our AI provider (Google Gemini or Groq, depending on configuration) to generate plain-language risk assessments and remediation guidance. See Section 6 for details.
- Vendor questionnaires: Vendor contact emails are used to send questionnaire links on your behalf. Questionnaire responses are stored in your account only.
- Email notifications: We send magic link emails, weekly digest emails (if enabled), and audit report emails via Resend. You can opt out of digest emails at any time.
- Platform improvement: Aggregated, anonymised usage data (e.g. number of scans per day) may be used to improve the platform. This data cannot be linked to individual users.
- Legal compliance: We may retain certain data as required by Nigerian law or applicable international regulations.
4. Data sharing and third parties
We do not sell, rent, or trade your personal data. We share data with the following third-party service providers only to the extent necessary to operate the platform:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database and authentication token storage | Email, session tokens, scan results, vendor data | EU (eu-central-1) |
| Vercel | Platform hosting and serverless functions | HTTP request logs (no personal data stored) | Global CDN |
| Resend | Transactional email delivery | Recipient email address, email content | US (AWS SES) |
| HaveIBeenPwned | Breach database lookups | Domain names and email addresses being scanned | US |
| Google Gemini | AI-powered security analysis (if GEMINI_API_KEY configured) | Scan results and finding details — no personal identifiers | US |
| Groq | AI-powered security analysis (if GROQ_API_KEY configured) | Scan results and finding details — no personal identifiers | US |
We may disclose data to law enforcement or regulatory authorities if required by law. We will notify affected users where legally permitted to do so.
5. Data storage and security
Your data is stored in Supabase, a PostgreSQL database hosted in the EU (Frankfurt, Germany). We implement the following security measures:
- Encryption in transit: All data transmitted between your browser, our platform, and our database is encrypted via TLS 1.3.
- Encryption at rest: Supabase encrypts all stored data at rest using AES-256.
- Authentication: We use time-limited magic links (15-minute expiry) rather than passwords, eliminating the most common vector for account compromise.
- Session security: Sessions expire after 30 days and are stored as encrypted tokens, not cookies accessible to JavaScript.
- Row-level security: Our Supabase database uses row-level security policies to ensure users can only access their own data.
- No stored payment data: We do not process or store payment card information on our platform.
6. AI processing
Shieldly AI uses third-party AI models to generate plain-language security analysis, remediation guidance, vendor risk summaries, and breach impact assessments. This is a core feature of the platform.
What data is sent to AI providers: When you trigger an AI analysis, we send the security scan findings (domain security check results, vulnerability findings, breach exposure data, or vendor questionnaire answers) to the AI provider's API. We do not send your email address, vendor contact names, or any personally identifying information to AI providers.
Which AI providers we use: Depending on platform configuration, AI analysis is performed by Google Gemini (via Google's Generative AI API) or Groq (using Meta's Llama 3.3 model). Both providers process data in the United States.
Data retention by AI providers: Google and Groq may retain API request data for a limited period for safety monitoring and abuse prevention. We recommend reviewing their respective privacy policies:
Opting out of AI features: AI analysis is triggered only when you explicitly click an AI analysis button. If you prefer not to use AI features, you can use all other platform features without triggering any AI processing.
7. Cookies and local storage
Shieldly AI does not use advertising cookies, tracking cookies, or third-party analytics cookies. We use the following minimal client-side storage:
| Name | Type | Purpose | Expiry |
|---|---|---|---|
| ss_token | localStorage | Your session authentication token — kept locally to avoid re-authentication | 30 days |
| ss_email | localStorage | Your email address for display in the dashboard header | 30 days |
| ss_domains | localStorage | Cached domain list for faster dashboard loading | Session |
| so_vendors | localStorage | Cached vendor list for faster dashboard loading | Session |
All locally stored data is under your control and can be cleared at any time by signing out or clearing your browser's site data for shieldlyai.cc. We do not use cookies for tracking or advertising purposes.
8. Data retention
We retain your data for as long as your account is active or as necessary to provide the service. Specific retention periods are:
- Account data (email): Retained until you delete your account or request deletion.
- Session tokens: Expire automatically after 30 days. Expired tokens are deleted within 7 days of expiry.
- Magic link tokens: Expire after 15 minutes and are deleted within 24 hours.
- Scan results: Retained for the lifetime of your account to show score history. Deleted when you remove a domain or delete your account.
- Vendor data: Retained until you remove the vendor from your register or delete your account.
- Breach scan history: Last 50 scans retained. Older scans are automatically purged.
- Vulnerability scan history: Last 20 scans retained. Older scans are automatically purged.
- Email logs (Resend): Resend retains email delivery logs for 3 days.
If you request account deletion, we will delete all personal data associated with your account within 30 days, except where retention is required by law.
9. Your rights
Regardless of where you are located, you have the following rights regarding your personal data:
- Right to access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can ask us to correct inaccurate or incomplete data.
- Right to erasure: You can request deletion of your account and all associated data ("right to be forgotten").
- Right to portability: You can request your data in a structured, machine-readable format (JSON).
- Right to object: You can object to processing of your data for direct marketing purposes at any time.
- Right to restrict processing: You can ask us to restrict how we use your data in certain circumstances.
- Right to withdraw consent: Where processing is based on your consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email us at privacy@shieldlyai.cc. We will respond within 30 days. We do not charge a fee for exercising your rights.
10. GDPR and NDPR compliance
For users in the European Economic Area (GDPR):
Flexitime Microsystems processes personal data of EEA residents in accordance with the EU General Data Protection Regulation (GDPR). Our legal bases for processing are:
- Contract performance (Article 6(1)(b)): Processing your email and scan data to deliver the service you signed up for.
- Legitimate interests (Article 6(1)(f)): Sending weekly digest emails to active users, aggregated platform analytics.
- Consent (Article 6(1)(a)): AI analysis features are opt-in — you trigger them explicitly.
Data transfers to the United States (Resend, AI providers) are conducted under Standard Contractual Clauses (SCCs) where applicable. If you are an EEA resident and believe your GDPR rights have been violated, you have the right to lodge a complaint with your national data protection authority.
For users in Nigeria (NDPR):
Flexitime Microsystems complies with the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA). As a Nigerian company, we process personal data in accordance with the NDPR's lawfulness, fairness, and transparency principles.
Nigerian users have the same rights as set out in Section 9 above. To exercise your NDPR rights, contact us at privacy@shieldlyai.cc. You may also lodge a complaint with NITDA at nitda.gov.ng.
11. Children's privacy
Shieldly AI is a business-to-business platform designed for use by adults in professional contexts. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us at privacy@shieldlyai.cc and we will delete the data promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Send a notification email to all registered users at least 14 days before the changes take effect
- Display a notice in the Shieldly AI dashboard
Minor changes (such as clarifications or formatting) may be made without notice. The version history and effective date are displayed in the sidebar of this page. Continued use of the platform after a policy update constitutes acceptance of the revised terms.
13. Contact us
For any questions, concerns, or requests related to this Privacy Policy or how we handle your personal data, please contact us: