Privacy Policy
Last updated: June 23, 2026
1. Information We Collect
Medusa ("Medusa", "we", "us") collects the following information when you use our service:
- Account information: Email address and authentication credentials when you create an account.
- Extension telemetry: Metadata about flagged submissions from enrolled browsers (category counts, verdict, and destination host) along with extension health status. We never collect the scanned text or the prompt contents you type or paste.
- Findings: Detection findings including severity, category, and approval status for submissions flagged by the extension.
- Usage data: Page views, feature usage patterns, and error logs to improve the service.
2. Browser Extension — On-Device Processing
The Medusa browser extension scans text you type or paste into supported AI tools (such as ChatGPT, Claude, Gemini, Copilot, Perplexity, and Grok) to warn you before sensitive content is sent. How it handles your data:
- Detection runs on your device. The DLP model runs locally in your browser (WebAssembly). The text being checked is never sent to Medusa or any third party to be scanned.
- No content is uploaded by default. The prompt or file content you type or paste stays on your device. Medusa does not transmit it.
- Metadata only, and only when your organization enrolls the extension. If an organization deploys Medusa, the extension reports event metadata— detection category, verdict/action, the AI site domain and page URL, and a timestamp — to that organization's own Medusa control plane so its administrators can see policy activity. It never includes the scanned text. A personal install that is not enrolled in an organization transmits nothing.
- Optional flagged-text capture (off by default).An organization administrator may choose to enable storing flagged text for review. When enabled, short flagged snippets are kept in the local audit log and may be included in approval requests sent to that organization's own control plane. This is controlled by the organization, not by Medusa.
- Local storage.Your settings, the enrollment credential, and the on-device audit log are stored locally in the browser's extension storage.
- Permissions.The extension requests only the access needed for its single purpose: the supported AI sites (to scan prompts), local storage, scripting/offscreen (to run the on-device model), and — when enrolled — its control-plane host (to fetch policy and report metadata).
- Limited use. Data handled by the extension is used solely to provide its data-loss-prevention function. We do not sell it, and we do not use or transfer it for any unrelated purpose.
3. How We Use Your Information
- To provide and operate the Medusa security dashboard and browser extension.
- To enforce security policies and generate DLP incident reports.
- To display security posture metrics and findings trends.
- To improve our product and fix bugs.
- To communicate important service updates.
4. Data Storage and Security
Your data is stored on Supabase infrastructure with row-level security (RLS) policies ensuring each customer can only access their own data. All data is encrypted in transit (TLS) and at rest.
5. Data Retention
Extension event telemetry is automatically purged after 90 days. Findings are retained until you delete them. Account data is retained while your account is active and for 30 days after deletion.
6. Data Sharing
We do not sell your data. We may share data with third-party service providers (e.g., hosting, error monitoring) solely for operating the service, under strict data processing agreements.
7. Your Rights
You have the right to:
- Access your data through the dashboard.
- Delete your findings and enrolled browsers.
- Request full account deletion by contacting us.
- Export your data in standard formats (JSON, PDF).
8. Cookies
We use strictly necessary cookies for authentication session management. We do not use advertising or tracking cookies.
9. Contact
For privacy-related inquiries, contact us at privacy@medusasec.com.