Privacy Policy — Inscryble

1. Data Controller

The data controller for your personal data is SkyFotoStudio.pl — the company operating and managing the Inscryble platform, available at inscryble.com.

Contact details:
Website: skyfotostudio.pl
Data privacy e-mail: privacy@inscryble.com

2. Data We Collect

Inscryble processes only data necessary to provide the service (data minimisation principle, Art. 5(1)(c) GDPR):

a) User account data

Email address (used as login)
First and last name (optional, provided during registration)
Assigned role in the organisation (admin, analyst, read-only)
Date and time of registration and last login

b) Organisation (tenant) data

Company / organisation name
Subscription plan and billing dates
Billing details (passed to Stripe — external payment processor)

c) Security event metadata (violations)

Domain of the page where the event occurred (e.g. chatgpt.com)
Identifier of the rule that triggered the action
Severity level and action taken (warn / redact / block)
SHA-256 hash of the detected content fragment
Event timestamp
Chrome extension version

⚠️ Important — Zero Raw Data principle:
Inscryble never stores the original text typed by an employee. Only a one-way cryptographic hash (SHA-256) is sent to the server. It is impossible to reconstruct the original content from the stored hash.

d) Technical data

IP address (logged by the web server, removed from logs after 7 days)
HTTP headers (browser user-agent, language)
API authorisation tokens (Sanctum) — stored as bcrypt hashes

3. Purposes and Legal Bases for Processing

Processing purpose	Legal basis (GDPR)	Retention period
Service provision (login, policy management)	Art. 6(1)(b) — performance of contract	For the duration of the account
Security event metadata	Art. 6(1)(b) — performance of contract	30–90 days (depending on plan)
Invoicing and billing	Art. 6(1)(c) — legal obligation	5 years (tax requirements)
System security and technical logs	Art. 6(1)(f) — legitimate interest	7 days (IP logs)
Direct marketing (newsletter)	Art. 6(1)(a) — consent	Until consent is withdrawn

4. Data Recipients — Sub-processors

We entrust data processing only to trusted partners that provide appropriate protection guarantees:

Sub-processor	Role	Data location
IONOS SE	Application and server hosting, managed by skyfotostudio.pl	Germany / EU (data stays within EEA)
Stripe, Inc.	Payment processing	USA/EU (SCCs)
Google LLC (optional)	Font delivery (Google Fonts)	USA (SCCs)

A full list of sub-processors is available on request at privacy@inscryble.com.

5. Chrome Extension — Data Handling

The Inscryble Chrome Extension processes data locally in the browser only, with the following exceptions:

Policy sync — the extension periodically downloads DLP policy rules from the Inscryble server. No user data is sent in this request.
Violation reporting — when a policy is triggered, only metadata (SHA-256 hash, domain, severity, timestamp, extension version) is sent to the server. The original text is never transmitted.

Permissions used by the extension

Permission	Purpose
storage	Saves DLP policy rules and user configuration locally on the device so the extension works even when the server is temporarily unreachable.
alarms	Schedules periodic background synchronisation of policies from the organisation's Inscryble server (every 30 minutes).
notifications	Displays a browser notification when a violation is detected and a data submission is blocked, alerting the employee in real time.
tabs	Reads the URL of the currently active tab to apply domain-specific DLP rules (e.g. stricter rules on AI tool websites such as chat.openai.com).
host permissions (<all_urls>)	Required because sensitive data may be disclosed on any website. The extension monitors form submissions and paste events across all sites to enforce policies. No browsing data is collected or stored.

The extension does not monitor browsing history, search history, or any user activity beyond detecting sensitive data patterns in text input fields at the moment of form submission or paste.

6. Your Rights

Under Articles 15–22 GDPR, you have the right to:

Access — request information about what data we process (Art. 15)
Rectification — request correction of inaccurate data (Art. 16)
Erasure — request deletion of your data ("right to be forgotten") (Art. 17)
Restriction of processing — request suspension of processing (Art. 18)
Data portability — receive your data in JSON/CSV format (Art. 20)
Objection — object to processing based on our legitimate interest (Art. 21)
Withdraw consent — at any time, for processing based on consent (Art. 7(3))

We fulfil requests within 30 days. For complex requests the deadline may be extended by another 60 days, with notification. Submit requests to: privacy@inscryble.com.

You also have the right to lodge a complaint with a supervisory authority. In Poland: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, Warsaw — uodo.gov.pl.

7. Privacy by Design

Inscryble is built on the Zero Raw Data principle — the Chrome extension never sends raw typed text to our servers. Local analysis runs inside the user's browser; only a SHA-256 hash of detected fragments and event metadata (date, action, rule type) reach the backend. Multi-tenant isolation with database-level separation ensures data from different organisations is architecturally inaccessible across accounts. For questions about our privacy practices, contact privacy@inscryble.com.

8. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR):

TLS encryption (HTTPS) for all communications
Passwords stored exclusively as bcrypt hashes — never in plain text
API tokens stored as SHA-256 hashes — displayed only once at creation
Data isolation between organisations (multi-tenancy with database-level separation)
Automatic expiry of inactive sessions
Regular encrypted backups

9. Data Retention

Data category	Retention period
User account data	Until account deletion + 30 days (soft-delete)
Violation metadata (Starter plan)	30 days from event
Violation metadata (Business plan)	90 days from event
Violation metadata (Enterprise plan)	Configurable (default 365 days)
Billing data	5 years (legal requirement)
Server IP logs	7 days

10. Changes to This Policy

We reserve the right to update this Privacy Policy. We will notify you of material changes by email (to the address associated with your account) or via a prominent notice in the dashboard, at least 14 days before the changes take effect.

11. Contact

For all privacy-related inquiries:

Email: privacy@inscryble.com
Subject line: GDPR — [topic of request]
We respond within 5 business days