Ethira Security by Ethira

0 Stars out of 5

Introduction
This Privacy Policy describes how Ethira AB ("Ethira", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the Ethira platform and related services (the "Service"), including when you visit the ethira.dev marketing website.

This policy applies to all users of the Ethira product, including workspace administrators, team members, and external parties who interact with features such as the Trust Center, as well as visitors to the ethira.dev marketing website.

We are committed to protecting your privacy and processing your personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), and other relevant frameworks.

Data Controller
Ethira AB acts as the data controller for the personal data described in this policy.

Registered address: Luntmakargatan 26, 111 37 Stockholm, Sweden
Registration number: 559531-1480
Data Protection Officer (DPO): Lucas de Araujo (privacy@ethira.dev)
Contact email: privacy@ethira.dev
If you are a user within a workspace managed by an organization, that organization may also act as a data controller or joint controller for data processed within their workspace.

Personal Data We Collect
3.1 Data you provide directly
Category Data elements When collected
Account information Full name, email address, profile picture Registration and profile setup
Authentication credentials Password (stored as a cryptographic hash, never in plaintext) Account creation and updates
Single sign-on identifiers Google account ID, SAML attributes, SCIM identifiers When SSO or directory sync is configured
Physical location Street address, city, country, postal code When optionally provided by users or administrators
Chat messages Message content, conversation titles When using the in-app AI assistant
Trust Center requests Requester name, email, organization name When external parties request access to your Trust Center
Uploaded documents Files and documents uploaded to the platform When using document management features
3.2 Data collected automatically
Category Data elements Purpose
Session data Authentication cookies, session tokens Maintaining your authenticated session
Product analytics Page views, feature usage, session recordings (including console log capture and cross-origin iframe content), UI interactions, user email address and name (sent to PostHog on login for user-level analytics) Product improvement and user experience optimization
Error and performance data Browser information, error stack traces, session replays, user context at time of error Diagnosing and resolving technical issues
AI usage logs User identifier, model used, token counts, request metadata Usage metering, billing, and service optimization
Activity logs Actions performed within a workspace, actor user ID, timestamps Audit trail and security monitoring
Marketing website analytics Page views, clicked links and buttons (autocaptured), approximate IP geolocation (country/city), browser type, referrer URL — only collected with your consent via the cookie banner on ethira.dev Understanding how visitors find and navigate the marketing website
Advertising analytics Conversion events, ad interaction signals, approximate IP geolocation (country/city), browser type — only collected with your consent via the cookie banner on ethira.dev Measuring the effectiveness of paid advertising campaigns
3.3 Data collected through third-party integrations
When you connect third-party services to Ethira, we collect and store the following data with your explicit authorization:

Integration Data collected
Google Workspace / Calendar / Drive Google account email, OAuth access and refresh tokens (encrypted at rest)
Microsoft 365 Microsoft account email, Microsoft user ID, OAuth access and refresh tokens (encrypted at rest)
Jira OAuth access and refresh tokens (encrypted at rest)
Linear OAuth access and refresh tokens (encrypted at rest)
Slack Webhook and notification configuration; Slack user ID, email, and profile data when Slack Sign-In (OpenID) is used for authentication
Vanta Client ID and encrypted client secret (configured by workspace administrator via OAuth2 client credentials)
Claude (Anthropic) Encrypted API key (configured by workspace administrator)
Cursor Encrypted API key (configured by workspace administrator)
Wordsmith Encrypted API key, encrypted webhook signing secret (optional), and repository metadata (repository ID, repository name) (configured by workspace administrator)
All OAuth tokens are encrypted at rest before storage. You can revoke integration access at any time through your workspace settings.

3.4 Data managed on behalf of your organization
As part of the platform's compliance and governance features, workspace administrators may store the following categories of data about third parties:

Vendor/third-party records: Name, legal name, passport number, national identity number, VAT number, Legal Entity Identifier (LEI), European Unique Identifier (EUID), corporate registration number
Device inventory: Device owner and custodian assignments, IP addresses, MAC addresses, network and physical location
Deployment metadata: Commit author email addresses
Contractual relationships: Business owner, security owner, account manager names
Your organization acts as the data controller for this data. Ethira processes it on your behalf as a data processor.

3.5 Data collected through the Browser Extension
The Ethira Security browser extension ("Extension") is an enterprise tool that requires explicit user acknowledgment before any monitoring begins. When the Extension is active and the user has acknowledged monitoring, it collects the following categories of data:

Browsing activity and provider classification (hostname-level)

The Extension records the domain/hostname of websites you visit, not full URLs or page content. For each site session the Extension records: hostname, time of visit, active time on site, and coarse interaction counts (number of clicks, form inputs, page navigations, and scrolls). The Extension also derives a provider classification for each site — a risk score, a category label (e.g. "cloud storage", "social media"), and the signal evidence that triggered the classification. Full page URLs, page titles, and page DOM content are never sent to Ethira servers.

Third-party service signals

The Extension observes the distinct third-party hostnames that web pages contact (e.g. analytics, cloud services). This helps your organization discover unauthorized or shadow IT services. Only hostnames are recorded, not full request URLs or response content.

Outbound PII detection results (category-only)

The Extension intercepts outgoing network requests (POST, PUT, PATCH, DELETE) made by web pages to scan for potential outbound PII submissions. This scanning happens entirely on your device; raw request body content is never transmitted to Ethira. An on-device AI model (bundled with the Extension, running locally) may be used for verification. Only the result of that scan is sent to Ethira: the destination hostname, the detected PII category (e.g. "email address", "credit card number"), the HTTP method, and a timestamp. The actual values detected are never uploaded.

Provider and OAuth signals

The Extension detects patterns consistent with OAuth authorization flows and cloud service API calls to support shadow IT discovery. Reported signals include: the initiating page origin, the destination domain, flow type classification, and timestamp.

Identity and authentication

The Extension stores authentication credentials (ingest token or OAuth access/refresh tokens) in the browser's secure extension storage (browser.storage) to authenticate API calls. User email and workspace ID are stored locally and sent with activity payloads to associate records with your Ethira workspace.

When an ingest token (non-OAuth) is used and no email is available in storage or extension policy, the Extension may read the user's email from the Chrome browser profile via chrome.identity.getProfileUserInfo. This requires the user to be signed into Chrome with a Google account. No password or other Google account data is accessed.

Categories of PII the Extension can detect (on-device scanning)

The Extension scans outbound request bodies on-device for the following PII categories. Only the category label is sent to Ethira — the actual value is never transmitted:

Email address
Phone number
Credit card number
National identity number (e.g. SSN, BSN, NIF)
Physical address
Passport number
Bank account number
Health data (GDPR Art. 9 special category)
Biometric data (GDPR Art. 9 special category)
Genetic data (GDPR Art. 9 special category)
Racial or ethnic origin (GDPR Art. 9 special category)
Political opinion (GDPR Art. 9 special category)
Religious or philosophical belief (GDPR Art. 9 special category)
Trade union membership (GDPR Art. 9 special category)
Sexual orientation (GDPR Art. 9 special category)
What the Extension does NOT collect

Browsing history from the browser's built-in history API
Full page URLs, page titles, or page content
Password field values
Raw request or response body content (on-device only; categories sent, not values)
Content of web page cookies, localStorage, or IndexedDB
Any data from websites when monitoring is paused or before acknowledgment is given
Crash and error reporting (optional)

If error reporting is enabled in your organization's deployment, crash reports and diagnostic data may be sent to Sentry (see section 6.1). This is controlled by whether a Sentry DSN is configured in the build your organization deploys; personal browsing data is never included in error reports.

Enterprise deployment

Enterprise administrators can pre-configure the Extension via browser managed storage policies (e.g. ingest token, API base URL, user email). In this mode, settings are pushed from your IT administrator and individual users cannot modify them.

Purposes and Legal Bases for Processing
Purpose Legal basis (GDPR Art. 6) CCPA category
Providing and operating the Service Performance of contract (Art. 6(1)(b)) Business purpose
User authentication and session management Performance of contract (Art. 6(1)(b)) Business purpose
Sending transactional emails (verification, notifications) Performance of contract (Art. 6(1)(b)) Business purpose
Product analytics and improvement Legitimate interest (Art. 6(1)(f)) Business purpose
Marketing website analytics (ethira.dev) Consent (Art. 6(1)(a)) — via the cookie consent banner on ethira.dev Business purpose
Marketing website advertising analytics (ethira.dev) Consent (Art. 6(1)(a)) — via the cookie consent banner on ethira.dev Business purpose
Error tracking and performance monitoring Legitimate interest (Art. 6(1)(f)) Business purpose
AI-powered features (chat, enrichment, analysis) Performance of contract (Art. 6(1)(b)) Business purpose
AI usage metering and billing Performance of contract (Art. 6(1)(b)) Business purpose
Security monitoring and audit logging Legitimate interest (Art. 6(1)(f)) Business purpose
Compliance with legal obligations Legal obligation (Art. 6(1)(c)) Business purpose
Third-party integrations Consent (Art. 6(1)(a)) Business purpose
Browser Extension: monitoring website visits and third-party service discovery (hostname-level) Performance of contract (Art. 6(1)(b)) — monitoring is a core feature of the Service agreed to by the workspace Business purpose
Browser Extension: on-device PII detection and sending category-only results to Ethira Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) — helping your organization prevent data loss Business purpose
Browser Extension: domain risk scoring (per-domain risk lookup) Performance of contract (Art. 6(1)(b)) Business purpose
Browser Extension: on-device detection of GDPR Art. 9 special-category data — category labels only transmitted Substantial public interest (Art. 9(2)(g)) and/or employer's legitimate interest in data loss prevention, subject to the employer's own GDPR legal basis as data controller; Ethira processes as data processor under the workspace DPA Business purpose
Cookies and Tracking Technologies
We use the following cookies and tracking technologies:

5.1 Essential cookies
Cookie name Purpose Duration Type
__Host-ethira_session Authenticated session management 24 hours HttpOnly, Secure, SameSite=Lax
ethira_session Session management (development environments) 24 hours HttpOnly, SameSite=Lax
ethira_external_session Trust Center external access session Session-based HttpOnly, Secure, SameSite=Lax
5.2 Analytics and monitoring
Technology Provider Purpose Data collected
PostHog PostHog, Inc. Product analytics, session recording Page views, feature usage, autocapture UI events, session recordings (including console log output and cross-origin iframe content where present), user email and name (set at login via identify()), user ID; hosted at eu.posthog.com
Sentry Functional Software, Inc. Error tracking and performance monitoring Error reports, performance traces, session replays (10% of sessions; 100% on error), user ID and workspace ID (email is not sent); API ingest via EU endpoint (de.sentry.io)
Featurebase Featurebase In-product feedback widget, changelog announcements, and product roadmap User ID, name, email, and organization name (via a signed JWT issued by the Ethira backend); JavaScript SDK loaded at runtime into the web app
5.3 Browser Extension local storage
The Extension uses the browser's own extension storage APIs (browser.storage.local and browser.storage.session) to persist data on your device. No web-page localStorage, cookies, or IndexedDB are read or modified by the Extension.

Storage key Contents Scope
ethira_ingest_token Ingest token for API authentication local (persisted)
ethira_refresh_token OAuth refresh token local (persisted)
ethira_access_token OAuth access token session (cleared on browser close)
ethira_workspace_id Ethira workspace identifier local (persisted)
ethira_user_email Authenticated user email local (persisted)
ethira_buffer Queue of buffered activity and PII events awaiting upload local (persisted)
ethira_acknowledgment_given_at Timestamp of user monitoring acknowledgment local (persisted)
ethira_monitoring_paused Whether the user has paused monitoring local (persisted)
ethira_risk_dot_enabled Whether the domain risk indicator badge is enabled local (persisted)
All data stored in extension storage is local to your browser. Buffered data is uploaded to Ethira and then cleared.

5.4 Web application local storage
The Ethira web application (app.ethira.dev) uses the browser's localStorage and sessionStorage to persist user preferences and session state on your device. Representative keys that may contain personal data:

Key Contents Scope
user Cached user JSON (name, email, ID) localStorage
token Authentication token localStorage
selectedWorkspace Selected workspace metadata localStorage
lastEmail Last email used on the login screen (UX convenience) localStorage
ai_helper_input_* Draft text typed into the AI assistant input localStorage
ethira_dpa_cache, dpa_personal_data_categories_cache Cached DPA and personal data category data localStorage
extension_redirect_uri Browser extension OAuth return URL sessionStorage (cleared on tab close)
UI preference keys (sidebar state, theme, column widths, filter state) Layout and display preferences — no personal data localStorage / sessionStorage
This data is stored locally in your browser and is not transmitted to third parties. Clearing your browser storage removes this data immediately.

5.5 Marketing website (ethira.dev) — analytics cookies (consent-based)
Analytics on the ethira.dev marketing website are loaded only after you accept cookies via the cookie consent banner. If you decline or ignore the banner, no analytics cookies are set and no tracking occurs.

Cookie / storage key Provider Purpose Duration Activated
ph_ (PostHog cookies and localStorage) PostHog, Inc. Visitor analytics: page views, autocaptured UI interactions, approximate geolocation (country/city derived from IP), browser type, referrer URL; no user identity is sent Session cookie + persistent localStorage up to 1 year Only after consent
gcl (Google click ID), ga, _gid Google LLC Conversion tracking and advertising campaign performance measurement; no individual identity is sent _gcl*: 90 days; _ga: 2 years; _gid: 24 hours Only after consent
ethira_website_consent Ethira AB Stores your cookie consent preference for this website Persistent (localStorage) Always (contains only your consent choice — no tracking data)
You can withdraw your consent at any time by clearing your browser's localStorage for ethira.dev. No identify() call is ever made on the marketing website — your email or name is never sent to PostHog from ethira.dev.

Google Ads data is processed by Google LLC under their standard terms. Data may be transferred to the United States under Standard Contractual Clauses as described in section 7.

Data Sharing and Third-Party Processors
We share personal data with the following categories of third-party service providers who process data on our behalf:

6.1 Sub-processors
A complete, up-to-date list of all sub-processors engaged by Ethira AB — including their purpose, data location, personal data types, and retention periods — is maintained on our dedicated Subprocessors page.

All sub-processors are bound by data processing agreements (DPAs) that require them to protect your data in accordance with applicable law.

6.2 Other disclosures
We may also disclose personal data:

To comply with applicable laws, regulations, or legal process
To protect the rights, property, or safety of Ethira, our users, or others
In connection with a merger, acquisition, or sale of assets (with prior notice where required)
We do not sell personal data to third parties. We do not share personal data for cross-context behavioral advertising.

International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data outside the European Economic Area (EEA), United Kingdom, or Brazil, we rely on the following safeguards:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where the destination country has been deemed to provide adequate protection
Contractual protections with our sub-processors
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

Data category Retention period
Account information Duration of account existence; deleted upon account closure
Authentication session data 24 hours (cookie and JWT expiry)
Email verification codes 30 minutes
Activity and audit logs Up to 90 days (per-workspace configurable; automatically purged daily)
AI usage logs (Ethira) Duration of workspace existence
AI data at OpenAI Zero Data Retention enabled — prompts and responses are not stored at rest
AI data at Requesty Zero data retention — requests and responses are discarded immediately after routing and not stored by Requesty
Product analytics (PostHog) Session replays: 90 days; analytics data: up to 7 years
Error tracking (Sentry) Errors and replays: 90 days; spans and transactions: 30 days; logs: 30 days
Continuous monitoring data 90 days (automatically purged daily)
Uploaded documents Duration of workspace existence, or until deleted by user
Document cache 7 days
Integration tokens Until integration is disconnected or token is revoked
Workspace-managed data (vendors, devices, etc.) Duration of workspace existence, managed by workspace administrators
When data is deleted, we remove it from our active systems. Backups may retain data for a limited additional period before being overwritten.

Your Rights
9.1 Rights under the GDPR (EEA/UK residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:

Right of access — Request a copy of the personal data we hold about you
Right to rectification — Request correction of inaccurate or incomplete data
Right to erasure — Request deletion of your personal data ("right to be forgotten")
Right to restriction — Request that we limit processing of your data
Right to data portability — Receive your data in a structured, machine-readable format
Right to object — Object to processing based on legitimate interests, including profiling
Right to withdraw consent — Withdraw consent at any time where processing is based on consent
Right to lodge a complaint — File a complaint with your local data protection authority
9.2 Rights under the CCPA (California residents)
If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to know — Request disclosure of the categories and specific pieces of personal information we have collected
Right to delete — Request deletion of your personal information
Right to correct — Request correction of inaccurate personal information
Right to opt-out of sale/sharing — We do not sell or share your personal information for cross-context behavioral advertising
Right to non-discrimination — We will not discriminate against you for exercising your rights
Categories of personal information collected (per CCPA categories): Identifiers (name, email), Internet activity (usage data, session recordings), geolocation data (if provided), professional information (organization name), and inferences drawn from the above.

9.3 Rights under the LGPD (Brazilian residents)
If you are located in Brazil, you have the following rights under the LGPD:

Confirmation of the existence of data processing
Access to your personal data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Data portability to another service provider
Deletion of data processed with your consent
Information about public and private entities with which your data has been shared
Information about the possibility of denying consent and its consequences
Revocation of consent
9.4 Exercising your rights
To exercise any of the rights described above, contact us at privacy@ethira.dev.

We will respond to your request within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA). We may need to verify your identity before processing your request.

Workspace administrators can manage certain data directly through the platform, including user deprovisioning via SCIM directory synchronization.

Children's Privacy
The Service is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.

If you believe that a child has provided personal data to us, please contact us at privacy@ethira.dev.

Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption at rest — All third-party OAuth tokens are encrypted before storage
Password hashing — User passwords are stored using cryptographic hashing; plaintext passwords are never stored or logged
Workspace isolation — Data is logically separated between workspaces to prevent unauthorized cross-workspace access
Secure session management — Authentication cookies use HttpOnly, Secure, and SameSite attributes
Access controls — Role-based access controls within workspaces
Transport encryption — All data in transit is encrypted using TLS
Audit logging — User actions within workspaces are logged for security monitoring
No method of transmission or storage is completely secure. If you discover a security vulnerability, please report it to security@ethira.dev.

Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this policy
Notify you through the Service or by email where required by applicable law
Where required, obtain your consent to material changes
We encourage you to review this policy periodically.

Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@ethira.dev
Data Protection Officer: Lucas de Araujo (privacy@ethira.dev)
Postal address: Luntmakargatan 26, 111 37 Stockholm, Sweden
If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Browser Extension — Additional Disclosures
This section provides additional disclosures specifically for the Ethira Security browser extension, required by browser vendors (Google Chrome Web Store, Mozilla Firefox Add-ons, etc.) and applicable privacy regulations.

14.1 Extension overview and purpose
The Ethira Security extension is an enterprise security tool designed to help organizations:

Discover unauthorized or shadow IT services used by employees (third-party service discovery)
Detect when employees submit sensitive data containing PII to external services
Monitor website usage at the domain level for security governance purposes
The Extension is intended for use by employees in corporate environments with the knowledge of both the employer (Ethira workspace administrator) and the employee (who must explicitly acknowledge monitoring before it begins).

14.2 Permissions justification
Browser permission Why it is required
storage Store authentication tokens, user preferences, and the activity buffer between sessions
tabs Detect tab navigation events and associate activity with the correct website domain
idle Distinguish active browsing time from idle time for accurate session duration measurements
alarms Schedule periodic upload of buffered activity data to the Ethira API
identity Support OAuth-based sign-in via the browser's identity API; retrieve user email for account association
webNavigation Declared in the extension manifest. This permission is currently not actively used for navigation event listening; OAuth redirect handling uses the identity API instead. The permission is retained for potential future use and is listed here for full transparency.
webRequest Observe completed outbound network requests from web pages to detect third-party service hostnames
offscreen (Chrome/Edge only) Run the on-device AI model (ONNX) for PII verification in a background context
host_permissions: <all_urls> Inject content scripts and observe network activity on all HTTP/HTTPS pages; required for universal shadow IT discovery
14.3 Data minimization principles
The Extension is built around data minimization:

Hostnames, not full URLs. Browsing activity is reported at the domain/hostname level (e.g. google.com), never the full URL or query string.
On-device scanning for PII. Request body content is scanned locally, first by regex patterns and then — where available — by a bundled on-device ONNX AI model (Piiranha NER) for second-pass verification. The AI model runs with local_files_only: true; if it cannot load, the regex-based detection still runs and PII category results are still sent to the server. In either case, only the PII category label is transmitted — raw request body content is never sent to Ethira.
Monitoring gate. No data is collected or sent before the user clicks "I acknowledge" in the extension popup. Users can pause monitoring at any time.
Explicit user control. Users can pause monitoring, revoke the ingest token, or uninstall the extension at any time to stop all data collection.
14.4 Data collected by the Extension (summary)
Data type Sent to Ethira servers? Notes
Website hostname Yes Not full URL; excludes Ethira's own domain and known analytics/CDN domains
Time on site / active time Yes Aggregated session metrics
Interaction counts Yes Coarse counts (clicks, scrolls, form inputs); not content
Third-party hostnames on page Yes Distinct hostnames of third-party resources loaded by the page
Provider risk score and classification Yes A numerical score, category label, and subcategory label derived by the extension (e.g. "cloud storage", "AI tool"); sent per session record
Provider signal evidence (fired signals) Yes The signal types that triggered the provider classification (e.g. "detected OAuth-like URL pattern", "detected SSE stream"); no raw URL paths or content transmitted
PII category detected Yes Category label only (e.g. "email_address", "health_data"); not the actual value. Detected by on-device regex and/or ONNX AI model
Destination domain (PII event) Yes Hostname of the endpoint the outbound request was sent to
HTTP method (PII event) Yes Method of the request that triggered detection (POST, PUT, PATCH, or DELETE)
User email (sent with each batch) Yes Used to associate activity records with the correct workspace member
Raw request body content No Scanned on-device only (up to 1 MB per request); never transmitted to Ethira
Full page URLs No Only the hostname (domain) is extracted and used
Page content / DOM No Not accessed or transmitted
Password field values No Not recorded or transmitted (presence of a password field is used only as a provider classification signal)
Browser history (history API) No The browser history API is not accessed
Web page cookies / localStorage No Web page storage is not accessed
14.5 Data retention for Extension data
Data category Retention
Browsing activity records 90 days, then automatically purged
PII submission detection events 90 days, then automatically purged
Provider / shadow IT signals 90 days, then automatically purged
Extension local storage (device) Until user uninstalls the Extension or clears extension data
14.6 Uninstalling or disabling the Extension
If you uninstall the Extension:

All locally stored data (tokens, buffered activity, settings) is cleared from your browser immediately
No further data will be collected or uploaded
Historical activity data already uploaded to Ethira will be retained according to section 8 above
You can request deletion of your activity data by contacting privacy@ethira.dev
If your administrator has deployed the Extension via enterprise policy, contact your IT administrator to manage the installation.

14.7 Enterprise deployment
When deployed via managed browser policies, the Extension may receive configuration (ingest token, API endpoint, user email, privacy policy URL) pushed by your IT administrator. In this mode, the Extension operates within the configuration your organization has established.