Privacy Policy

Effective Date: September 10, 2025

Last Updated: September 10, 2025

Nyuway Cybersecurity Solutions Pvt. Ltd. (“Nyuway”, “we”, “us”, or “our”) is committed to protecting privacy and securing data. This Privacy Policy explains how we collect, use, disclose, and secure information across the Nyuway GenAI Security Platform and associated components: the Nyuway AI Prompt Sanitizer browser extension for Chrome and Edge, Developer Security Agents for IDE and CI/CD, Homegrown App SDKs and middleware, Nyuway PTaaS, and our websites and support channels. By using our products and services, you agree to this Privacy Policy.

1. Roles and Scope

Controller vs Processor: For our website, marketing, billing, and account administration, Nyuway acts as a data controller. For data processed on behalf of enterprise customers within our platform, SDKs, agents, extensions, or PTaaS, Nyuway acts as a data processor or service provider and our processing is governed by a Data Processing Addendum with the customer.

Geographies: This Policy is designed to meet requirements of GDPR and UK GDPR, CCPA and CPRA, India’s DPDPA, and other applicable laws.

2. Information We Process

A. Extension, SDK, and Agent Data (Product Runtime): By default and by design, the Nyuway AI Prompt Sanitizer processes prompts and responses locally in the browser to detect sensitive data, jailbreaks, policy violations, or risky content. By default we do not collect, transmit, or store personal or sensitive data from the extension or SDKs on Nyuway servers. Enterprise logging is optional. If enabled by an enterprise admin, limited information may be sent to Nyuway or to a customer controlled destination, such as event metadata including timestamp, rule identifier, detector type, and decision outcome; redacted snippets or hashed tokens to validate detections; policy context such as workspace identifier, application name, or model provider; and user identifiers such as corporate email or single sign on identifier only if an admin configures it. We do not use product runtime data to train third party models. Model improvements use synthetic or de identified data unless the enterprise has expressly opted in otherwise.

B. Platform and Account Data: We process organization name, admin contact, role assignments, SSO identifiers, and audit logs needed to operate the service. We process billing details through our payment providers. For PTaaS and GenAI detections, we store security findings and compliance artifacts configured by the customer and accessible only to authorized users.

C. Website, Support, and Communications: We may process IP address, device and browser information, pages viewed, referrer, and session events to operate and improve the site and services. We process support interactions such as emails, attachments, chat transcripts, and issue metadata.

D. Sensitive Categories Detected: Our products identify the presence of sensitive categories such as personal data, credentials, financial data, and health data to prevent leakage. By default we do not store content containing these categories. If an enterprise enables logging, we store only what is configured, typically metadata and redacted context.

3. Legal Bases for Processing under GDPR and UK GDPR

We process data for contract performance to deliver and support Nyuway services; for legitimate interests to secure our services, prevent abuse, and improve functionality in a way balanced against user rights; based on consent where required for optional features; and to meet legal obligations.

4. How We Use Information

We use information to provide, maintain, and improve the platform, extensions, SDKs, agents, and PTaaS; detect and prevent data leakage, prompt injection, and policy violations; enforce enterprise security and compliance policies; provide support, account administration, and billing; develop new features and enhance detectors using synthetic or de identified data by default; comply with legal obligations; and protect the security and integrity of our services. We do not sell personal information and we do not use personal information for targeted advertising or cross context behavioral advertising.

5. Sharing and Disclosures

We share limited data with service providers and sub processors under contract such as cloud hosting, email delivery, payment processing, and logging or monitoring vendors. These providers may only use data to deliver the contracted service and must protect it appropriately. We share data with customer designated tools such as SIEM, ticketing, or data lake systems when an enterprise configures such integrations. We may disclose information if required by law or to protect rights and respond to lawful requests. In the event of a merger, acquisition, or asset transfer, data may be transferred under confidentiality safeguards. A current list of sub processors is available at https://nyuway.ai/subprocessors.

6. Data Retention

If enterprise logging is enabled, runtime events are retained according to customer configured periods. The default retention is 90 days and can be adjusted by an administrator in the workspace settings or by contract. Account and billing records are retained for the duration of the agreement and a reasonable period thereafter to comply with law and resolve disputes. Support data is retained as long as necessary to resolve the issue and for legitimate business or legal purposes. Website analytics if used without cookies rely on aggregate technical signals and are retained for a limited period aligned with provider defaults. When retention periods expire, data is securely deleted or de identified.

7. Security Measures

We implement administrative, technical, and physical safeguards including encryption in transit and at rest, least privilege and role based access controls, enforced multi factor authentication for employees, segregated environments, secure software development practices, vulnerability management, regular assessments, and logging and monitoring with anomaly detection. No system is perfectly secure. If we detect a breach that presents a risk to individuals, we will notify customers and regulators as required by law and contract.

8. International Transfers

We and our service providers may process data in jurisdictions other than yours. When transferring personal data from the EEA, UK, or Switzerland or from India, we use appropriate safeguards such as Standard Contractual Clauses with the UK Addendum where applicable and contractual protections consistent with DPDPA and other laws, alongside additional technical and organizational measures as needed.

9. Cookies and Similar Technologies

We do not use cookies or similar tracking technologies on nyuway.ai or within our products. If this ever changes, we will update this Policy and provide any required notices or controls in advance.

10. Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, restrict processing, object to processing, port your data, or withdraw consent. Residents of the EEA, UK, and Switzerland may exercise rights under GDPR and UK GDPR. Residents of California may exercise rights under CPRA including access, deletion, correction, and the right to opt out of sharing for cross context behavioral advertising. Residents of India may exercise rights under DPDPA including grievance redressal. How to exercise rights: contact contact@nyuway.ai or use in product controls where available. If we process data on behalf of an enterprise customer, we will refer your request to that customer who is the controller.

11. Children’s Privacy

Our services are not directed to children under the age of 16 or as defined by local law. We do not knowingly collect personal data from children. If you believe a child has provided data, contact contact@nyuway.ai so we can remove it.

12. Product Specific Addendum: Nyuway AI Prompt Sanitizer for Chrome and Edge

Applies to the extension named Nyuway AI Prompt Sanitizer. Chrome Web Store Item ID: boligbandkaadmibpeehmiaamgklfihm. The extension scans prompts and AI responses locally to detect and prevent data leakage, unsafe content, or policy violations before they are sent to or returned from GenAI applications. By default no personal or sensitive data is collected, transmitted, or stored by Nyuway from the extension and there is no advertising, no selling, and no third party analytics in the extension. Optional enterprise logging may send event metadata and redacted context to a customer selected destination or to Nyuway acting as processor according to enterprise configuration. Users can view the extension’s permissions in the browser and we request only minimum permissions needed to perform security checks and policy enforcement. If enterprise logging is disabled, the extension does not retain data. If enterprise logging is enabled, retention follows the customer’s policy as described in Section 6. If future versions require additional data or permissions, we will update this Policy and the Chrome Web Store disclosures prior to release. Contact for the extension: contact@nyuway.ai.

Chrome Web Store Data Safety Summary for the listing: collected by default: none; with enterprise logging enabled: event metadata and redacted context; data use: security and compliance enforcement only; no ads, no sale, no third party training; sharing: not shared except with configured enterprise destinations or sub processors under contract; security: encrypted transport and admin controlled retention; deletion: admin driven per enterprise retention and deletion policies, and users may request through their organization or via contact@nyuway.ai.

13. PTaaS, IDE and CI Integrations, and SDKs

PTaaS processes application security scan outputs and related metadata as configured by the customer. Findings may include URLs, headers, or payload fragments necessary to reproduce issues. IDE and CI integrations analyze code or build artifacts to flag unsafe patterns and by default source code does not leave the enterprise environment unless configured for centralized reporting. SDKs and middleware enforce policy and redaction at runtime and follow enterprise logging choices.

14. AI Specific Disclosures

We do not use customer content or personal data to train third party models. Improving detectors relies on synthetic data and de identified or aggregated signals. Enterprise data may be used for model improvement only with explicit and written opt in. Our detectors and policies may automatically block or flag content. Enterprises control these policies and can review, override, or export related logs.

15. Your Controls

Administrators can configure detectors, logging destinations, retention periods, and any user identifiers captured. Users can view extension status, see policy prompts, and contact their administrator or Nyuway for questions or requests. Where telemetry is optional, administrators can disable it in workspace settings.

16. Contact, DPO, and Grievance Redressal

Email: contact@nyuway.ai. For privacy, security, DPO, EU UK representative information, or India grievance queries, write to contact@nyuway.ai and we will route your request to the appropriate contact.

17. Changes to This Policy

We may update this Policy. We will post changes here with an updated Last Updated date and, for material changes, notify administrators by email or in product notice. Continued use of the services after changes take effect constitutes acceptance.