Live: https://getcaveat.fyi/legal/extension-privacy
Copy:
What the extension does on pages you visit
Nothing. On page load the extension makes no network requests — it only reads the page locally to tell whether it's an article and to show a badge from a local cache.
The page's text leaves your browser only when you're signed in and open the Caveat panel on an article — clicking the ※ flag runs the analysis (and the ↻ button re-runs it). Separately, the account requests that keep you signed in — signing in or out, refreshing your session, and checking your quota when you open the popup — also reach our servers, but they never include the pages you read.
What we send when you analyze (sign-in required)
When you trigger an analysis, the extension sends to our backend:
The article's title.
The article's text, extracted by Mozilla Readability.
The publication name (when detected).
A one-way SHA-256 hash of the canonicalized URL. We never send the URL itself.
Your account identifier (extracted from your sign-in token).
What we store
About your account (in Amazon Cognito):
Your email address
Your invite code association
Your running per-day usage count (a number, no URLs)
About each analysis (in our analyses database):
We do not store the article text. The text is processed by our AI analysis pipeline and discarded once analysis completes. Only the analysis result is persisted.
We do not store the article URL. We store a one-way SHA-256 hash that prevents the URL from being reconstructed but lets us return the same analysis to anyone else who analyzes the same article — saving compute.
We store the analysis result, the article title, the publication, a 250-character excerpt (for fair-use display in the report), the one-way URL hash, and the timestamp.
What we do NOT store: any field linking an analysis to the account that ran it, and no URL plaintext anywhere. Your account holds counts; the analyses database holds analyses keyed by hash.
Local cache (on your device only)
When you analyze an article, the extension stores the full analysis result locally in your browser so that revisiting the same article shows the prior analysis instantly without a backend round-trip. This cache is keyed by the canonicalized URL (in your browser only — never transmitted), holds the full analysis result, and expires after 90 days or whenever you clear extension storage.
What we do NOT collect
We do not read or transmit content from pages you don't explicitly trigger the extension on.
We do not use trackers, analytics, or telemetry of any kind.
We do not share your data with third parties beyond the AI provider used for the analysis (Anthropic). Anthropic's Commercial Terms (Section B, current as of this writing) state Anthropic does not train its models on content sent through the API. We have no control over Anthropic's policy and will update this notice if it changes.
Authentication
Your refresh token is stored in your browser's extension storage (chrome.storage.local). Your short-lived access and id tokens are stored in chrome.storage.session (browser session memory only, wiped on browser restart).
We do not collect or store passwords; sign-in happens on our companion web app, which uses Amazon Cognito.
Limited Use compliance
Our use of information received from Chrome Web Store user data complies with the Chrome Web Store User Data Policy, including the Limited Use requirements.
Contact
Questions: privacy@getcaveat.fyi