Privacy and data handling
Shield is designed so organizations get governance without reading over anyone's shoulder: content stays on the device, and what admins can see is itself policy-controlled.
What is collected — the short version
Shield records which AI services were used and what kind of action happened (e.g. a prompt was submitted, a paste was blocked) plus, with on-device detection, category labels of sensitive data. Prompts, pasted text, file contents, and the sensitive values themselves are never collected — detection happens locally on the device, and employees see a consent prompt before anything is recorded (details).
Privacy controls for admins
Under Settings → Organization → Privacy you control visibility of employee-level data:
- Show user-level activity — whether admins can see which employees used each AI app. Aggregate counts are always visible regardless of this setting, so governance metrics don't depend on person-level visibility.
- Employee opt-out — whether employees may opt out of monitoring themselves, or collection is enforced organization-wide (the managed-deployment model, where the organization consents as controller).
Consent decisions are stored as compliance records, and withdrawing consent is as easy as granting it. In Users & Roles, admins see each member's consent state (Granted / Declined / Not set) and their Incognito coverage.
Audit access and retention
The audit log is the tamper-resistant record of policy-relevant events, exportable as CSV. Retention is plan-based — Starter 90 days, Business 365 days, Enterprise 730 days — with extended retention available as an add-on.
Note: for the legal specifics (roles under GDPR, processing purposes, data-subject rights), see the Qadar AI privacy policy and the Shield Web extension privacy notice.
Was this article helpful?
Related articles
Consent and what data Shield Web collects
Nothing is collected before you consent. Shield records which AI services you use and what kind of action happened — never your prompts or the sensitive values themselves.
Read articleData types and on-device detection
Which sensitive data Shield recognizes — PII, financial data, source code, secrets — and why the content never leaves the device to be classified.
Read articleDomain verification and join modes
Verify your company domain via DNS TXT record or email, then choose how sign-ups from that domain join: automatically, by approval, or invite-only.
Read articleRoles and permissions
Admin, Security, Auditor, Member — what each role can do and how to change a member's role.
Read articleStill stuck?
Send us the details — we answer within one business day.