Privacy Policy

Vloex is an AI usage monitoring and governance platform built by Gofylo Technologies. This privacy policy explains what data the Vloex browser extension and platform collect, how that data is used, and the controls available to organization administrators.

Vloex is designed for enterprise deployment. Data captured by the extension is sent to your organization's Vloex backend — not to a shared multi-tenant service. Your organization's administrator controls what is captured and how long it is retained.

When installed and configured, the Vloex browser extension captures data about AI tool interactions on supported provider websites. The scope of data collected depends on the coverage level configured by your organization's administrator:

• Full trace — Provider name, model, timestamps, token counts, estimated cost, prompt text, and response text.
• Chat only — Provider name, model, timestamps, and conversation text. No API-level metadata.
• Metadata only — Provider name, model, timestamps, token counts, and estimated cost. No prompt or response text is captured.

For all coverage levels, the extension also collects:

• Chrome profile email address (for identity resolution)
• A device identifier (for enrollment tracking)
• Sensitive data detection results (pattern types found, not the raw data)

• Browsing history outside of supported AI provider websites
• Passwords or authentication credentials
• Personal files, documents, or downloads
• Keystrokes outside of AI tool interactions
• Screen captures or screenshots
• Data from non-AI websites

The extension scans prompts for sensitive data patterns (such as Social Security numbers, API keys, credentials, and personally identifiable information) before they are sent to AI providers. Detection happens locally in the browser. Only the types of patterns detected are reported to the backend — not the sensitive values themselves.

When policy enforcement is enabled, the extension can block, redact, or warn before sensitive data is sent to an AI provider.

• In transit — All data is transmitted over HTTPS (TLS 1.2+).
• At rest — Prompt and response text is encrypted using AES-256-GCM before storage.
• Offline queue — Events captured while the backend is unreachable are stored temporarily in the browser's local storage and transmitted when connectivity is restored.

Data retention periods are configured by your organization's administrator. Vloex does not impose a minimum retention period. When data is deleted, it is permanently removed from all storage systems.

Vloex does not sell, rent, or share captured data with any third parties. Data is sent only to your organization's Vloex backend instance. There is no advertising, no analytics tracking of end users, and no data broker relationships.

Organization administrators have full control over:

• Coverage level (full trace, chat only, or metadata only)
• Which AI providers are monitored
• Policy enforcement rules (block, warn, redact, allow)
• Data retention periods
• Which users and departments are enrolled
• Export and deletion of captured data

The extension requests only the permissions necessary for its function:

• storage — Stores preferences and an offline event queue.
• alarms — Retries failed event submissions on a schedule.
• identity / identity.email — Retrieves the Chrome profile email for automatic enrollment.
• Host permissions — Limited to specific AI provider domains (ChatGPT, Claude, Gemini, Perplexity) and your Vloex backend. The extension cannot access any other websites.

We may update this policy as the product evolves. Material changes will be communicated to organization administrators. The effective date at the top of this page reflects the most recent revision.

For privacy questions or data requests, contact us at sats@vloex.com.

Gofylo Technologies