Effective Date: June 1, 2026
This Privacy Policy applies exclusively to the WASViking AI Guardian browser extension (the "Extension") distributed through the Chrome Web Store, Microsoft Edge Add-ons, and equivalent enterprise distribution channels. It is published by WASViking LLC, a Florida limited liability company (the "Publisher"), and complements the general WASViking Privacy Policy that governs the broader platform.
The Extension is installed and managed by an end-user organization (the customer, the user's employer, or a Managed Security Service Provider acting on the customer's behalf). The customer is the data controller for any personal data processed in connection with the Extension; WASViking LLC acts as the data processor.
Contact for privacy questions and data subject requests: [email protected].
The Extension has a single, narrowly defined purpose: to detect when a user is about to send sensitive data (such as personally identifiable information, protected health information, secrets, source code, or internal identifiers) to a public generative AI tool, and to apply the organization's configured policy (allow, audit, warn, or block) before that data leaves the device.
The Extension is the browser-side sensor of an enterprise AI exposure monitoring product. It is not a general-purpose extension, an advertising tool, a content scraper, or a productivity utility.
The Extension runs only on a fixed allowlist of public AI tool websites. The current allowlist includes:
On those sites only, and only at the moment the user initiates an action in the chat composer, the Extension observes:
For each action, the Extension asks the locally-installed WASViking Sentinel agent (running on the same device, under the same user session) to classify the content for sensitive data categories and to apply the customer organization's configured policy. The Extension then enforces the resulting decision (allow, audit, warn, or block) in the browser.
The Extension's only outbound channel is the operating system's Native Messaging interface to a locally-installed WASViking Sentinel host running under the same user account on the same device. There is no direct browser-to-cloud communication.
Browser (Extension)
-> Native Messaging (chrome.runtime.connectNative / browser.runtime.connectNative)
-> local Sentinel native-host process (same user, same device)
-> loopback (127.0.0.1, token-authenticated)
-> ai-browser monitor (local daemon)
-> local JSONL audit (metadata-first; raw bytes never stored)
-> mTLS gRPC tunnel to the customer organization's WASViking endpoint
The mTLS tunnel from the local agent to the customer organization's WASViking endpoint is authenticated by a client certificate provisioned to the customer organization during onboarding. Telemetry is logically partitioned per organization on the receiving side.
The Extension declares the minimum permissions required to fulfill its single purpose. Each permission is justified below.
com.wasviking.ai_browser. This permission is required because the policy engine, mTLS identity, and audit log must live in a customer-controlled process outside the browser sandbox.
storage. Nothing is synchronized off device.
The Extension does not request tabs, activeTab, webRequest, webRequestBlocking, cookies, history, downloads, declarativeNetRequest, or any <all_urls> host permission.
The Extension itself processes the following in memory only, for the duration of a single user action:
None of the above is persisted by the Extension. Content is forwarded over Native Messaging to the local Sentinel agent and discarded.
The local Sentinel agent persists only the following metadata-first record on the local device:
cpf, email, aws_keys, possible_phi) and a one-way short SHA-256 fingerprint of the inspected content;•••.•••.•••-35, AKIA••••••MPLE);Raw prompt text, raw file bytes, raw secret values, complete email addresses, complete national identifiers, and complete payment card numbers are never written to disk or transmitted off the device.
Data processed by the Extension and the local agent is used exclusively to:
Data is not used for advertising, behavioral profiling, training or fine-tuning machine learning models, sale to any third party, credit decisions, or any purpose unrelated to the single purpose stated in section 2.
The Extension itself transmits no data to any third party. The local Sentinel agent transmits the metadata-first event record to the customer organization's WASViking endpoint over mTLS. That endpoint is operated by WASViking LLC under a written agreement (including a Data Processing Agreement) with the customer organization, or by the customer organization itself in self-hosted deployments.
The current list of sub-processors that may receive data on behalf of WASViking LLC is published at Subprocessors and incorporated by reference into this policy.
Event metadata is stored in cloud infrastructure operated by WASViking LLC in the United States. If the user or the customer organization is located outside the United States, the data described in section 7 may be transferred to and processed in the United States under appropriate safeguards (including standard contractual clauses where applicable under the GDPR and equivalent international transfer mechanisms under the LGPD).
Retention is controlled by the customer organization. WASViking LLC honors retention sweeps, organization-wide deletion requests, and data subject deletion requests forwarded by the customer organization (the data controller).
The Extension and the local agent implement the following protections:
127.0.0.1 only and authenticated by a per-installation token written with file mode 0600;0600 for secrets, 0700 for state directories);Because the customer organization is the data controller, end-user rights under the LGPD (Brazil), the GDPR (European Union and United Kingdom), the CCPA and CPRA (California), and equivalent regimes are exercised through the user's employer or controller.
Depending on jurisdiction, these rights may include:
WASViking LLC provides controllers with the technical means to fulfill these requests, including a deletion API and retention sweeps. Direct requests from end users may be forwarded to [email protected], which will route them to the appropriate customer organization.
The Extension is not designed for or directed to children. It is intended for use on managed workforce devices under an employer's policy, and is distributed through enterprise channels.
For users who installed the Extension from the Chrome Web Store: WASViking LLC's use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. The Extension does not transfer user data to third parties for advertising, profiling, or any purpose unrelated to the single purpose stated in section 2, and does not allow humans to read user data except as expressly permitted (security investigations, debugging with the user's consent, or where required by law).
For users who installed the Extension from Microsoft Edge Add-ons: WASViking LLC complies with the Microsoft Edge Add-ons Store Developer Policies, including the policies on permissions, data collection, and disclosure. The Extension's behavior, permissions, and data handling are identical across browsers; only the distribution channel differs.
Material changes will be reflected by a revised Effective Date at the top of this page. Substantive changes that affect the categories of data processed, the permissions declared, or the recipients of the data will be announced on the WASViking AI Guardian product page and, where required, communicated to customer organizations through their administrative contact.
For any question, disclosure request, or report concerning this policy or the Extension:
WASViking LLC
Orlando, FL, United States
Privacy and data subject requests: [email protected]
Legal: [email protected]