WASViking AI Guardian Privacy Policy

Last updated: June 19, 2026
Publisher: WASViking LLC (Florida, USA)
Contact: legal@wasviking.com
Product page: https://wasviking.com/platform/ai-guardian/

WASViking AI Guardian ("the Extension") is the browser component of an enterprise tool that helps organizations prevent sensitive data from being shared with public AI services. The Extension is deployed and managed by an organization (your employer, or a service provider acting on its behalf). That organization is the data controller. WASViking LLC acts as a data processor on the controller's behalf. This policy describes what the Extension accesses and how information is handled.

Scope and activity
The Extension is active only on a fixed allowlist of public AI websites: ChatGPT, Claude, Gemini, Copilot, GitHub Copilot Web, Perplexity, Poe, DeepSeek, Grok, OpenRouter, HuggingFace Chat, and Mistral. It performs no function on any other website. On the allowed sites it observes user-initiated actions in the chat composer: text being pasted or submitted as a prompt, a file being uploaded through the composer, and limited context such as the page address and the length of the AI response.

For each action, the Extension passes the content to the WASViking Sentinel agent installed locally on the same device and in the same user session. The agent classifies the content for sensitive data and applies the organization's configured policy (allow, audit, warn, or block). The Extension then enforces that decision.

What the Extension does not do
The Extension does not intercept network traffic, install certificates, or perform SSL inspection. It does not access pages outside the allowlist above. It does not capture screenshots or keystrokes, and it does not access the microphone or camera. It does not transmit any data to WASViking-operated servers directly from the browser. Raw prompt text and file contents are not retained; they are held in memory only for the time required to reach a policy decision, over a local channel between the Extension and the agent.

Data flow
The Extension communicates only with the WASViking Sentinel agent on the same device, through the browser's native messaging interface over an authenticated local channel. The agent keeps a metadata-first audit record on the device and, where the organization has configured it, forwards that metadata to the organization's own WASViking endpoint over an encrypted, mutually authenticated connection. The Extension itself opens no internet connection; its only outbound path is to the local agent on the same device.

Information processed
The Extension stores only minor interface preferences (for example, the status text shown in its popup), which remain on the device. Event records are created by the local agent rather than by the Extension, and consist of metadata rather than message content: a timestamp, the AI website, the action type (paste, submit, upload), the browser and operating system, the signed-in user name, the device outbound IP address, and an agent identifier. Each record also includes the classification labels detected (for example, "cpf", "email", or "aws_keys"), a one-way cryptographic fingerprint of the inspected content, the policy decision, and the rule that matched. Where evidence is shown, it is masked (for example, •••.•••.•••-35 or AKIA••••••MPLE); raw values are not stored.

Permissions
"storage" retains local interface preferences only; nothing is sent off the device. "nativeMessaging" is the sole transport used by the Extension, limited to the local WASViking Sentinel agent on the same device. "alarms" keeps the background service worker active so an in-progress policy decision is not lost when the worker is evicted. Content scripts on the allowlisted AI sites observe composer actions only.

Security
Communication between the Extension and the local agent stays on the device over an authenticated local channel. Where the agent forwards metadata to the organization's WASViking endpoint, that transfer is encrypted and mutually authenticated under the organization's own identity. Content classification occurs on the device, and raw content is not persisted.

Legal basis and controller responsibilities
The organization that deploys the Extension determines the purposes and legal basis for processing (for example, its legitimate interest in protecting confidential and regulated information, or compliance with its own legal obligations) and is responsible for informing its users. WASViking processes data only on the organization's documented instructions.

International transfers
Where a deployment involves transferring data across borders, those transfers are governed by the agreement between the organization and WASViking and by appropriate safeguards, such as standard contractual clauses where applicable.

Sub-processors and third parties
The Extension does not transmit data to any third party. The local agent forwards event metadata only to the organization's own WASViking endpoint, operated by the organization or by WASViking LLC under a written agreement with the organization.

Retention
The organization controls how long event records are retained. By default, WASViking does not receive the organization's telemetry.

Your rights
Requests to access, correct, or delete personal data (including under the LGPD, GDPR, CPRA, and PIPEDA) are handled through the organization that controls the deployment. WASViking provides controllers with the means to fulfil these requests, including deletion and retention-sweep facilities.

Children
The Extension is intended for managed workforce devices under an employer's policy. It is not designed for or directed to children.

Changes to this policy
Material changes will be reflected by an updated date above and announced on https://wasviking.com/platform/ai-guardian/.

Contact
legal@wasviking.com