
Privacy Policy

Last updated: April 9, 2026

1. Important Information and Who We Are

This privacy policy explains how Rendraft ("we", "us", or "our") collects, uses, stores, and shares personal data through your use of the Rendraft Chrome Extension and the Rendraft website at rendraft.com (together, "the Service").


The Service is not intended for children under 18, and we do not knowingly collect data from minors.


If you have any questions about this policy or how we handle your data, please contact us at contact@rendraft.com.


We may update this policy periodically. We encourage you to review it before each visit. If we make significant changes, we will notify you by email or via an in-app notice.

2. Chrome Extension — Data Collection, Use, Storage, and Sharing

Single Purpose: The Rendraft Chrome Extension is an AI writing assistant. Its sole purpose is to improve text you are writing in input fields across websites — such as AI prompt boxes, email composers, chat inputs, and social media posts. The extension only activates when you explicitly trigger it on a specific input field.


This section provides a comprehensive disclosure of exactly what data the extension collects, how it is used, where it is stored, and who it is shared with.


2.1 Data the Extension Collects


a) User-submitted text content: When you explicitly trigger the extension on an input field (e.g. a prompt box, email composer, or chat input), the extension reads the text currently in that field. This is the only text the extension ever reads. No text is read or collected unless you actively trigger the extension.


b) Page URL and domain name: When you trigger the extension, the URL and domain of the active tab are collected. This is used to apply platform-specific processing instructions (e.g. different behaviour on Gmail vs. ChatGPT) and to log which platform was used.


c) Authentication credentials (stored locally only): After you sign in, your authentication token and refresh token are stored in chrome.storage.local on your device. These tokens are sent only to our backend server as a bearer token in API requests to verify your identity.


d) Browser and device information: Your browser type, browser version, and operating system are collected with each API request for compatibility and debugging purposes.


2.2 How the Extension Uses Your Data


  • Text content: Sent to our backend server, which forwards it to Google for AI text generation. The sole purpose is to produce an improved version of your text and return it to you. Your submitted text and the AI-generated response are stored on our servers to learn and understand your preferred writing tone and style over time, enabling more personalised results.
  • Page URL and domain: Used to determine platform-specific AI instructions and logged for usage analytics.
  • Auth tokens: Used solely to authenticate your API requests and verify your subscription status.
  • Browser/device info: Used for debugging, compatibility, and aggregated analytics.

2.3 Where Extension Data Is Stored


  • On your device: Authentication tokens are stored in chrome.storage.local. No other data is persisted on your device by the extension.
  • On our backend server: Your submitted text, the AI-generated response, page URL, domain, browser info, usage counts, and timestamps are logged in our database (hosted on Supabase). Text and responses are stored to learn your preferred writing tone and style, enabling more personalised results over time. See Section 10 (Data Retention) for retention periods.
  • At Google: Your text is transmitted to Google for AI processing. Google processes the text to generate a response and returns it to our server. The text is processed in real time and is not stored by Google. Google is contractually bound to process your data solely for generating responses and not for training their AI models. Google Privacy Policy.

2.4 Third Parties That Receive Extension Data


The following third parties receive data collected through the Chrome Extension:


  • Google: Receives the text you submit for AI processing. Google uses this data solely to generate a response and return it to our server. Your text is not stored by Google and is not used to train AI models. Google Privacy Policy.
  • Supabase: Our database and authentication provider. Stores your account information, submitted text and AI-generated responses (used to learn your preferred tone and style), usage logs (page URL, domain, timestamps, and usage counts), and subscription data. Supabase Privacy Policy.
  • Stripe: Processes subscription payments. Receives your email address, payment method, and billing details. Does not receive your text content. Stripe Privacy Policy.
  • Cloudflare: Provides hosting and CDN services for our backend. Network-level data (IP address, request headers) passes through Cloudflare infrastructure. Cloudflare Privacy Policy.

No other third parties receive data collected through the Chrome Extension.


2.5 Sale of User Data


We do not sell, trade, or rent any user data collected through the Chrome Extension to any third party. Data is shared only with the service providers listed above, solely for the purpose of delivering the Service.


2.6 Chrome Web Store Compliance


Rendraft's use and transfer to any other app of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. The extension only accesses the minimum data necessary to provide its core functionality (AI text improvement) and does not use this data for purposes unrelated to the Service.


2.7 Data Not Collected


The extension does not read or transmit text unless you explicitly trigger it. It does not run in the background, monitor browsing history, capture keystrokes, take screenshots, access bookmarks or downloads, read cookies, or collect geolocation data. The extension does not sell user data to any third party.


2.8 Browser Permissions and Justification


The Rendraft Chrome Extension requests the following browser permissions. Each permission is required for the extension to function and is used only for the purposes described below:


  • Host permission — All websites (*://*/*): The extension needs access to all websites because it is designed to work on any input field across the web — including AI platforms (ChatGPT, Claude, Gemini), email providers (Gmail, Outlook), messaging apps (WhatsApp, Slack), social media (Facebook, Instagram), and any other site where you write text. The extension injects a small UI overlay (a floating button) next to the focused input field so you can trigger it. Without this broad permission, the extension would not be able to function on websites outside a predefined list. The extension does not read any page content or text unless you explicitly trigger it on a specific input field.
  • Host permission — Google Generative Language API (generativelanguage.googleapis.com): Required to send your text to Google's AI service for processing and receive the improved version back. This is the core functionality of the extension.
  • Storage (chrome.storage.local): Used to store your authentication token and refresh token locally on your device after you sign in. This keeps you logged in between browser sessions. No other data is stored locally.
  • Identity (chrome.identity): Used to enable Google OAuth sign-in. When you choose to sign in with your Google account, this permission allows the extension to securely authenticate you through Google's OAuth flow. No Google account data beyond your name and email address is accessed.

The extension does not use any remote code. All extension code is bundled and included in the extension package.


2.9 Data Handling and Security


All data transmitted between the extension and our backend server, and between our backend and Google, is encrypted using HTTPS/TLS. Authentication tokens are transmitted only as bearer tokens over encrypted connections. User-submitted text is transmitted securely and is never exposed to any party other than our backend server and Google (for AI processing).

3. The Data We Collect About You

Across the Chrome Extension and the Rendraft website, we may collect and process the following categories of personal data:


  • Identity Data: Name (provided via Google sign-in or account registration)
  • Contact Data: Email address
  • User Content: Text you submit through the extension for AI processing, and the AI-generated responses — stored to learn your preferred writing tone and style
  • Transaction & Financial Data: Subscription level, payment method, and transaction history (processed via Stripe — we do not store full card numbers)
  • Technical Data: IP address, browser type and version, device type, operating system, time zone, and page URL/domain when the extension is triggered
  • Usage Data: How you interact with the Service, daily usage counts (e.g. number of rewrites used), which platforms you use the extension on, and timestamps of usage

We do not collect special category data such as race, ethnicity, religious beliefs, sexual orientation, health information, or biometric data.

4. How We Collect Your Personal Data

We collect data through the following methods:


Direct Interactions: When you create an account, purchase a subscription, contact support, provide feedback, or trigger the Chrome Extension on an input field.


Automated Technologies: As you use the Service, we automatically collect Technical and Usage Data via server logs, the Chrome Extension, and similar technologies.


Third Parties: We receive data from payment processors (Stripe), analytics providers (Google Analytics), and authentication providers (Google OAuth / Supabase Auth).

5. How We Use Your Personal Data

We use your personal data for the following purposes:


  • AI Text Processing: To send your submitted text to Google for AI processing and return the AI-generated result to you (contract performance)
  • Account Registration: To create and manage your account (contract performance)
  • Payment Processing: To manage subscriptions and billing via Stripe (contract performance)
  • Usage Tracking: To enforce free-tier limits and track subscription usage (contract performance)
  • Customer Support: To respond to your enquiries and resolve issues (legitimate interests)
  • Service Improvement: To analyse usage patterns and improve the Service (legitimate interests)
  • Security & Fraud Prevention: To protect our users and Service (legitimate interests / legal obligation)

We will only use your personal data for purposes for which it was collected, unless we reasonably determine another purpose is compatible. We will notify you of any material change in purpose.

6. Who We Share Your Personal Data With

We share your data with the following third parties. Each third party receives only the data necessary to perform its specific function:


  • Google: Receives user-submitted text for AI processing. Returns the generated result to our server. Does not receive your name, email, or payment information. Does not store your text or use it for model training. Google Privacy Policy.
  • Supabase: Database and authentication provider. Stores account data, submitted text and AI responses (for tone learning), usage metadata (URLs, domains, timestamps, usage counts), and subscription information. Supabase Privacy Policy.
  • Stripe: Payment processor. Receives email, payment method, and billing details for subscription management. Does not receive your text content. Stripe Privacy Policy.
  • Cloudflare: Hosting, CDN, and security provider. Network-level data (IP address, request metadata) passes through Cloudflare. Cloudflare Privacy Policy.
  • Google Analytics: Receives anonymized website usage data (page views, session duration, device type). Does not receive user-submitted text content. Google Privacy Policy.
  • Professional Services: Lawyers, accountants, and insurers as required by law or for business operations.

We do not sell, trade, or rent your personal data to any third party. We do not allow third-party service providers to use your personal data for their own marketing or commercial purposes. We may disclose data to law enforcement or regulatory bodies when required by law.

7. Data Flow Summary

When you trigger the Rendraft Chrome Extension, the following data flow occurs:


  1. The extension reads the text in the active input field on the current page.
  2. The text, page URL, domain, and your auth token are sent to the Rendraft backend server (hosted on Cloudflare).
  3. The backend verifies your identity and subscription status via Supabase.
  4. The backend sends your text to Google for AI processing.
  5. Google returns the generated result to our backend.
  6. The backend logs the request (submitted text, AI response, URL, domain, timestamp) in Supabase to learn your preferred tone and style, and returns the result to the extension.
  7. The extension displays the result to you in the browser.

No data is sent to any party not listed above. No data is collected unless you explicitly trigger the extension.

8. International Transfers

Some of our third-party providers (such as Google, Stripe, Cloudflare, and Supabase) may process data outside your country of residence, including in the United States. In such cases, we ensure appropriate safeguards are in place, including standard contractual clauses and transfers only to countries deemed adequate under applicable data protection law.

9. Data Security

We have implemented appropriate technical and organizational security measures to protect your personal data from accidental loss, unauthorized access, or disclosure:


  • All data transmitted between the extension, our backend, and third-party services is encrypted using HTTPS/TLS.
  • Authentication tokens are stored securely in chrome.storage.local and transmitted only as bearer tokens over HTTPS.
  • Database access is restricted to authorized personnel with a genuine business need.
  • We use Supabase Row Level Security (RLS) to isolate user data.

We have procedures in place to handle suspected data breaches, and we will notify you and relevant authorities where required by law.

10. Data Retention

We retain your personal data for as long as reasonably necessary to fulfil the purposes for which it was collected:


  • Account data (name, email): Retained for as long as your account is active. Deleted upon account deletion request.
  • Usage logs (submitted text, AI responses, URLs, domains, timestamps, usage counts): Retained for up to 12 months for tone learning, debugging, and service improvement, then deleted or anonymized.
  • Payment and transaction data: Retained for as long as required by tax and accounting regulations (typically 7 years).
  • Authentication tokens (on your device): Cleared when you sign out or uninstall the extension.

When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use, and whether the purposes can be achieved through anonymization.


You can request deletion of your data at any time by emailing contact@rendraft.com.

11. Cookies

We use cookies and similar tracking technologies on the Rendraft website to enhance your experience. Cookies are small files stored on your device. You can configure your browser to refuse cookies, but this may limit certain functionality.


We use cookies for:

  • Authentication (keeping you logged in)
  • Preference storage (theme, language)
  • Analytics via Google Analytics (understanding how the website is used)

The Chrome Extension itself does not use cookies. It uses chrome.storage.local for authentication tokens only.

12. Your Legal Rights

Depending on your location, you may have the following rights regarding your personal data:


  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data where there is no legitimate reason for us to keep it
  • Object: Object to processing based on legitimate interests or for direct marketing
  • Restriction: Request suspension of processing in certain circumstances
  • Portability: Request transfer of your data to you or a third party in a structured format
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please email us at contact@rendraft.com. We aim to respond within one month. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:


Email: contact@rendraft.com