1. Introduction
CIVRA ("we," "us," or "our") operates the CIVRA browser extension and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By installing or using CIVRA, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you create a CIVRA account or sign in, we collect:
- Email address used for authentication
- Organization name (if applicable)
- Account preferences and settings
2.2 Email Metadata
To perform threat analysis, CIVRA processes the following email metadata within your Gmail inbox:
- Sender email addresses — used to evaluate sender reputation and detect spoofing
- Email subject lines — analyzed for phishing indicators and social engineering patterns
- Email body text — scanned for malicious links, risky phrases, and threat patterns
- Attachment filenames and types — checked against known dangerous file signatures
Email content is transmitted to our analysis API over encrypted connections (TLS 1.3) and is not stored persistently on our servers. Analysis results (risk scores, threat classifications) are cached temporarily for performance and are automatically purged after 24 hours.
2.3 Link and Attachment Data
When you hover over or click a link in a scanned email, the URL is checked against our threat intelligence database. When you use the deep attachment scan feature, the attachment is temporarily uploaded for analysis and deleted immediately after processing.
2.4 Usage and Diagnostic Data
We collect anonymized usage data including:
- Number of emails scanned and threats detected (aggregate counts)
- Extension version and browser type
- Feature usage patterns (e.g., which settings are enabled)
- Error reports for debugging purposes
3. How We Use Your Information
We use the information we collect to:
- Analyze emails for phishing, business email compromise (BEC), spoofing, and malware threats
- Display real-time security badges, banners, and risk scores in your Gmail inbox
- Send desktop notifications for high-risk threats
- Improve our AI threat detection models using anonymized, aggregated data
- Provide organization-wide security dashboards and reports (for team accounts)
- Maintain and improve the Service
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties.
We may share information only in the following circumstances:
- Threat intelligence partners — anonymized, hashed indicators of compromise (IOCs) such as malicious URLs or sender domains may be shared with security partners to improve industry-wide threat detection
- Service providers — trusted vendors who assist in operating our infrastructure, bound by confidentiality agreements
- Legal obligations — when required by law, regulation, or valid legal process
- Safety — to protect the rights, safety, or property of CIVRA, our users, or the public
5. Data Security
We implement industry-standard security measures including:
- End-to-end TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Regular security audits and penetration testing
- Role-based access controls for internal systems
- SOC 2 Type II-aligned operational practices
6. Data Retention
- Email content — processed in real time and not stored. Analysis results cached for up to 24 hours.
- Account data — retained while your account is active. Deleted within 30 days of account closure.
- Usage analytics — retained in anonymized form for up to 12 months.
- Attachment scans — file data deleted immediately after analysis. Results retained for up to 7 days.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict processing of your data
- Export your data in a portable format
- Withdraw consent at any time
To exercise any of these rights, contact us at privacy@civra.ai.
8. Cookies and Local Storage
The CIVRA extension uses browser local storage (chrome.storage) to persist your preferences, authentication state, and cached scan results. We use cookies on civra.ai to maintain your login session. We do not use tracking cookies or third-party advertising cookies.
9. Children's Privacy
CIVRA is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Effective date" above. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@civra.ai
- Web: civra.ai