Privacy Policy

Last updated: April 6, 2026

1. Overview

AI Malware Guardian ("we", "us", "our") operates the AI Malware Guardian desktop application and the website aimalwareguardian.com. This Privacy Policy explains what information we collect, why we collect it, and how we handle it.

Our product is designed with privacy as a core constraint: no file contents, no behavioral data, and no scan results ever leave your machine. All machine learning inference runs locally.

2. Information We Collect

2a. At Purchase

When you subscribe through Stripe, Stripe collects your name, email address, and payment information. We receive from Stripe only your email address and a Stripe subscription/customer ID. We do not store payment card details.

2b. At Activation & Subscription Verification

When you activate the application or when it checks your subscription status on startup, the following data is transmitted to our Cloudflare Worker API:

• Your email address
• Your activation token
• A machine identifier — a SHA-256 hash derived from hardware characteristics (not reversible to your hardware identity)

This information is used solely to verify that your subscription is active. We do not log or store individual verification requests beyond the subscription record itself.

2c. What We Do NOT Collect

• File contents or file paths from your machine
• Malware scan results or detection events
• Process names, behavior logs, or ETW event data
• Browsing history or network traffic
• Any telemetry or crash reports

3. How We Use Your Information

We use your email address and subscription record to:

• Deliver your activation token after purchase
• Verify your subscription status on application startup
• Contact you about subscription renewals, cancellations, or service announcements

We do not sell your information to third parties. We do not use your information for advertising.

4. Data Storage and Security

Subscription records (email + subscription ID + status) are stored in a Cloudflare D1 database hosted in Cloudflare's data centers. Data is encrypted at rest. Our Cloudflare Worker handles all API requests over HTTPS.

We retain your subscription record for the duration of your subscription and for up to 12 months after cancellation for accounting purposes, after which it is deleted.

5. Third-Party Services

We use the following third-party services:

• Stripe — payment processing. Stripe Privacy Policy.
• Cloudflare — infrastructure (Worker, D1, Pages). Cloudflare Privacy Policy.
• Resend — transactional email delivery. Resend Privacy Policy.

6. Your Data Rights

You may request access to, correction of, or deletion of your account data at any time by emailing privacy@aimalwareguardian.com from the address associated with your account. We will respond within 30 days and delete your subscription record within that period, subject to our accounting and fraud-prevention retention obligations (see Section 4).

6a. GDPR — European Residents

Our Software and service are not offered for sale or use within the European Economic Area (EEA), United Kingdom, or Switzerland (see our Terms of Service, Section 9). We block access from these jurisdictions at the website level. If you nonetheless access our website for informational purposes, the following disclosures are provided for transparency.

Lawful Basis for Processing (Article 6, GDPR): Where GDPR obligations apply, we process personal data on the following bases:

• Performance of a contract (Art. 6(1)(b)): Processing your email address and machine identifier hash is necessary to perform the subscription contract — specifically, to issue your activation token and verify subscription status on application startup.
• Legitimate interests (Art. 6(1)(f)): Retaining records after cancellation for up to 12 months serves our legitimate interests in fraud prevention, chargeback defense, and compliance with financial recordkeeping requirements. These interests are not overridden by your rights given the minimal nature of the data held.

Data Subject Rights: You have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing based on legitimate interests. You also have the right to lodge a complaint with your national supervisory authority. To exercise these rights, contact privacy@aimalwareguardian.com.

International Data Transfers: Your subscription data is processed by Cloudflare (U.S.-based), Stripe (U.S.-based), and Resend (U.S.-based). Where personal data is transferred from the EEA to the United States, each sub-processor either participates in the EU-U.S. Data Privacy Framework or relies on Standard Contractual Clauses. See each provider's privacy policy for the applicable safeguard: Cloudflare, Stripe, Resend.

6b. CCPA / CPRA — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights with respect to your personal information:

• Right to Know: You may request disclosure of: the categories of personal information we have collected about you in the past 12 months; the specific pieces of personal information we hold; the categories of sources from which we collected it; our business purpose for collecting it; and the categories of third parties (service providers) with whom we share it.
• Right to Delete: You may request deletion of your personal information. We will honor this within 30 days subject to exceptions permitting retention for fraud prevention and legal compliance.
• Right to Correct: You may request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it with third parties for cross-context behavioral advertising. There is nothing to opt out of.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.

Categories of Personal Information Collected (past 12 months): Identifiers — email address and a machine identifier hash (a SHA-256 derivative of hardware characteristics, not reversible to underlying hardware identity). We do not collect financial data, health data, biometric data, precise geolocation, or sensitive personal information. We do not use automated decision-making that produces legal or similarly significant effects on you.

To submit a CCPA/CPRA request, email privacy@aimalwareguardian.com from your account email address. We will verify your identity before fulfilling the request and respond within 45 days as required by law.

Shine the Light: California Civil Code § 1798.83 permits California residents to request a list of third parties to whom we disclosed personal information for direct marketing purposes in the preceding year. We do not disclose personal information to third parties for direct marketing purposes.

7. Data Breach Notification

In the event of a security breach that results in unauthorized access to, or acquisition of, your personal information, we will notify affected users by email within 72 hours of our becoming aware of the breach, to the extent required by applicable law. Our notification will include: the nature of the breach; the categories of information affected; the steps we have taken or are taking to address the breach; and recommended steps you can take to protect yourself. We will also notify the applicable state attorney general or data protection authority as required by state and federal law.

8. Children (COPPA)

Our service is not directed to children under 13. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this policy. If we make material changes, we will update the "Last updated" date above. Your continued use of the application after changes constitutes acceptance.

10. Contact

Questions about this policy: privacy@aimalwareguardian.com