Privacy Policy
Last updated: March 2026
1. What AAS Shield Does
AAS Shield analyzes workplace emails for toxic communication patterns including passive aggression, gaslighting, and manipulation. We provide toxicity scores, category classifications, plain-language translations, and suggested rewrites.
2. Data We Collect
- Account information: Email address (via Google OAuth or email/password signup through Supabase) and authentication tokens.
- Analysis metadata: Toxicity scores, category classifications (e.g., passive aggression, gaslighting), and processing timestamps. This metadata is stored in your account.
- Sender identifiers: Sender email addresses are SHA-256 hashed before storage. We never store raw sender email addresses.
- Usage data: Analysis counts for plan enforcement. No behavioral tracking or analytics.
3. Email Content Handling
When you analyze an email, the subject line and body (up to 3,000 characters) are sent to our API for processing.
Email content is processed in transit and never stored in our database.
Once the analysis is complete, only the resulting metadata (scores, categories) is retained. The original email text is discarded immediately after processing.
4. Third-Party AI Services
Email content is sent to the following AI providers for toxicity analysis:
- Anthropic (Claude) — primary analysis engine.
- OpenAI (GPT-4o) — fallback analysis engine.
These providers process email content according to their respective API data policies. Content is not retained by these services beyond their standard processing windows. We use their API services only — your data is not used to train their models.
5. Evidence Vault (Citadel Tier)
The Evidence Vault uses client-side AES-256-GCM encryption. Encryption keys are generated and stored exclusively on your device. They are never transmitted to our servers. This means only you can access your saved evidence — we cannot read it, and neither can anyone who accesses our database.
6. Data Storage and Security
- Infrastructure: Supabase (PostgreSQL) hosted in the EU.
- Access control: Row Level Security (RLS) ensures users can only access their own data.
- Encryption: Data is encrypted in transit (TLS) and at rest.
7. Cookies
We use minimal cookies, strictly for functionality:
- Authentication tokens (Supabase Auth)
- Theme preference (light/dark)
- Onboarding completion flag
We do not use third-party tracking cookies, advertising cookies, or analytics services.
8. Data Retention
- Email content: Never retained. Discarded immediately after analysis.
- Analysis metadata: Retained until you delete your account.
- Account data: Deleted when you delete your account.
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (right to be forgotten)
- Port your data to another service
- Restrict processing of your data
- Object to processing of your data
To exercise any of these rights, contact us at hello@aasshield.com. We will respond within 30 days.
10. Children
AAS Shield is not designed for or directed at users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries: hello@aasshield.com