
Privacy Policy

Last updated: March 25, 2026

The short version

CitrusGlaze is an AI security product. AI traffic inspection — including prompts, responses, and secret detection — happens locally on your machine. We collect usage analytics, error reports, and license data to operate and improve the product. We do not sell your data or use it for advertising.

1. Who we are

CitrusGlaze is a product of Gourmand Labs LLC, a Delaware limited liability company. For privacy questions, contact [email protected].

2. Desktop application

AI traffic is inspected locally. The CitrusGlaze proxy inspects AI API traffic on your device. By default, your prompts, responses, detected secrets, and security findings are stored in a local database on your machine.

Optional cloud storage (Pro and Enterprise): If you enable cloud sync, your inspection data — including prompts, responses, findings, and audit logs — is encrypted in transit (TLS 1.3) and at rest (AES-256) and stored in our cloud infrastructure. Cloud storage lets you access your data across devices, share dashboards with your team, and retain audit trails beyond your local machine. You control what is synced and can delete cloud data at any time from Settings. Cloud storage is off by default and requires explicit opt-in.

The desktop application also collects:

  • License validation: License key, machine identifier, and activation status are sent to our licensing server to verify your subscription
  • Error reports: Crash reports and error diagnostics are sent to our error tracking service (Sentry) to help us fix bugs. These may include stack traces, OS version, and app version. They do not include AI conversation content
  • Usage analytics: Anonymous, aggregate feature usage (e.g., which pipeline stages are active, request counts, app version) to improve the product. No AI conversation content is included

You can disable analytics and error reporting in Settings. Disabling these does not affect core functionality. License validation cannot be disabled for paid plans.

3. Browser extension

The CitrusGlaze browser extension monitors AI chat websites (ChatGPT, Claude, Perplexity, and others) to capture API traffic for local security analysis. All captured data is sent exclusively to the CitrusGlaze desktop application running on your machine at 127.0.0.1 (localhost). No AI conversation data is sent to our servers or any third party.

The extension stores capture preferences and a request counter in Chrome's local storage. It does not read, collect, or transmit browsing history, form data, passwords, or content from non-AI websites.

The extension requires host permissions for AI chat domains to inject the traffic interceptor on those pages. It does not modify page content, inject ads, or alter your browsing experience.

4. What the website collects

When you visit citrusglaze.dev, we collect:

  • Page views: Page visited, timestamp, referrer, and UTM parameters. We use a privacy-preserving fingerprint derived from your IP address and user agent — we do not store your raw IP address
  • Interactions: Button clicks, form submissions, and install command copies
  • Email address: Only if you voluntarily submit it to download a report or subscribe
  • Error monitoring: JavaScript errors and performance data via our error tracking service

5. What we do NOT do

  • No selling your data: We never sell, rent, or share your data with data brokers, advertisers, or third parties for their own purposes
  • No ad targeting: We do not use your data for advertising or behavioral profiling
  • No AI model training: We do not use your prompts, responses, or any content to train AI models
  • No cross-site tracking: We do not track your browsing activity on non-AI websites
  • No unencrypted cloud storage: If you opt into cloud sync, all data is encrypted in transit and at rest

6. Payment data

Payments are processed by Stripe. We do not store credit card numbers, bank account details, or other payment credentials. Stripe handles all payment processing in accordance with PCI DSS Level 1. We receive only: your name, email, subscription plan, and payment status.

7. Email communications

If you provide your email, we may send:

  • The download link or report you requested
  • Product updates and security advisories
  • Up to 3 onboarding emails over the first 7 days
  • Subscription-related emails (receipts, plan changes) if you are a paying customer

Every email contains a one-click unsubscribe link. We will never sell, rent, or share your email address.

8. Sub-processors

| Service | Purpose | Data processed |
|---|---|---|
| Cloudflare | Website hosting and analytics database | Anonymous page view data |
| Stripe | Payment processing | Name, email, payment info |
| Resend | Email delivery | Email address, message content |
| Sentry | Error monitoring and crash reporting | Error data, device info, app version |

9. Data retention

  • Website analytics: 12 months, then automatically deleted
  • Error reports: 90 days
  • Email addresses: Until you unsubscribe
  • Payment records: Retained as required by tax law (typically 7 years)
  • License data: Duration of your subscription plus 30 days
  • Local software data: Controlled entirely by you. Delete the database or uninstall at any time

10. Your rights

You can:

  • Unsubscribe from emails via the link in any email
  • Disable analytics and error reporting in the desktop app Settings
  • Request deletion of your data by emailing [email protected]
  • Request export of your data by emailing the same address
  • Delete local data by removing the CitrusGlaze database from your machine
  • Object to processing under GDPR by contacting us

We respond to all data requests within 30 days.

11. International transfers

Website and analytics data is processed on Cloudflare's global network. Payment data is processed by Stripe (US). Error reports are processed by Sentry (US). The CitrusGlaze software processes AI traffic locally — no international transfer of AI content occurs.

12. GDPR compliance

For EU/EEA users: Our legal bases for processing are (a) consent (for email communications and optional analytics), (b) legitimate interest (for error monitoring and product improvement), and (c) contractual necessity (for payment processing and license validation). You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Contact [email protected] to exercise these rights.

13. CCPA compliance

For California residents: We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You have the right to know what data we collect, request deletion, and opt out of any future sale (which we don't do).

14. Children's privacy

CitrusGlaze is not directed at children under 13. We do not knowingly collect personal information from children.

15. Changes to this policy

We may update this policy. Changes will be posted on this page with an updated date. Material changes will be communicated via email to subscribers with 30 days' notice.

16. Contact

Privacy questions: [email protected]
