Privacy Policy
Your privacy matters to us. This policy explains how ShieldFlow collects, uses, and protects your information.
Last updated: March 2026
ShieldFlow Ltd. ("ShieldFlow", "we", "us", or "our") operates the ShieldFlow platform at shieldflow.io and the ShieldFlow application at app.shieldflow.io. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
By accessing or using our services, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access our services.
1. Information We Collect
Account Information
When you create an account, we collect:
- Name and email address
- Organization name and details
- Password (stored as a cryptographic hash via Firebase Authentication)
- Billing information (processed securely by Stripe; we do not store full payment card details)
Usage Data
We automatically collect certain information when you use our platform:
- Browser type, version, and operating system
- Pages visited and features used within the ShieldFlow dashboard
- Time and date of access
- IP address (used for rate limiting and security; not used for ad tracking)
- Referring website addresses
Security Telemetry
When you deploy our SDK or middleware on your website, ShieldFlow collects security-related telemetry from your visitors' browsers, including:
- Content Security Policy (CSP) violation reports
- Security header configurations detected on your site
- Resource loading patterns and third-party script behavior
- Blocked or flagged requests based on your security policies
Important: Security telemetry is collected from your website visitors' browsers, not from the visitors themselves. We apply PII scrubbing to strip any personally identifiable information from violation reports before storage. This data is used solely to provide you with security insights and policy recommendations.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain our service: Operate the ShieldFlow platform, process security violations, and generate security recommendations
- Improve our platform: Analyze usage patterns to enhance features, fix bugs, and optimize performance
- Communicate with you: Send service-related notifications, security alerts, product updates, and respond to support inquiries
- Billing and account management: Process payments, manage subscriptions, and enforce plan limits
- Security and fraud prevention: Detect and prevent unauthorized access, abuse, and other security threats
- Legal compliance: Comply with applicable laws, regulations, and legal processes
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
3. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. Specific retention periods vary by plan tier:
- Free tier: 7-day data retention for security telemetry
- Starter tier: 30-day data retention
- Pro tier: 90-day data retention
- Business tier: 365-day data retention
- Enterprise tier: Custom retention period
Account information is retained for as long as your account exists. When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required by law to retain it.
Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement.
4. Third-Party Services
We use the following third-party services to operate our platform. Each has its own privacy policy governing its use of your data:
- Google Cloud Platform (GCP): Cloud infrastructure, compute, and storage. Data is processed and stored in the United States. See the GCP Privacy Policy.
- Firebase (Google): Authentication, real-time database, and hosting. See the Firebase Privacy Policy.
- Stripe: Payment processing and subscription management. Stripe processes payment information directly; we do not store your full credit card number. See the Stripe Privacy Policy.
- Google Vertex AI: AI-powered security analysis features (Resource X-Ray, Shield Sentinel). Security data may be processed by Google's AI models. No personal information is sent to AI models.
5. Cookies and Tracking
ShieldFlow uses minimal cookies and tracking. We believe in privacy-respecting analytics and do not use invasive tracking technologies.
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Preference cookies: Store your dashboard preferences and settings (theme, layout, etc.).
We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.
6. Your Rights
For EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request restriction of processing of your personal data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing of your personal data
- Withdraw consent: Withdraw consent at any time where processing is based on consent
For California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information is collected about you
- Know whether your personal information is sold or disclosed and to whom
- Say no to the sale of personal information (we do not sell personal information)
- Request deletion of your personal information
- Not be discriminated against for exercising your privacy rights
To exercise any of these rights, contact us at privacy@shieldflow.io. We will respond to your request within 30 days.
7. Data Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Firebase Authentication with secure token management
- Role-based access control for all internal systems
- Regular security audits and vulnerability assessments
- PII scrubbing on all incoming security telemetry
- Rate limiting and abuse prevention on all API endpoints
- Infrastructure hosted on Google Cloud Platform with enterprise-grade physical security
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Children's Privacy
ShieldFlow is a business-to-business service intended for use by developers and organizations. Our services are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@shieldflow.io, and we will promptly delete such information.
9. International Data Transfers
ShieldFlow is based in Israel and our infrastructure is hosted on Google Cloud Platform in the United States. If you access our services from outside these countries, your information may be transferred to, stored, and processed in Israel or the United States.
Israel is recognized by the European Commission as providing an adequate level of data protection. For transfers to the United States, we rely on Google Cloud's Standard Contractual Clauses and compliance certifications.
By using our services, you consent to the transfer of your information to Israel and the United States as described in this policy.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will also send a notification to the email address associated with your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@shieldflow.io
- General inquiries: hello@shieldflow.io
- Website: shieldflow.io
- Mailing address: ShieldFlow Ltd., Israel