Governance 1st Browser Extension Privacy Policy

This policy explains exactly what data the Governance 1st Browser Extension (the "Extension") collects, where that data goes, and what is not collected. The Extension is published and operated by HR Rebooted LLP ("we," "us," "our"). Contact for privacy questions: info@hrrebooted.com.

1. What the Extension does

The Extension watches what you type into supported third-party AI chat sites, ChatGPT, Claude, Gemini, Microsoft Copilot, Bing Chat, Perplexity, DeepSeek, Meta AI, and Grok, and what those sites send back. Before a prompt is submitted, the Extension scans it locally against a configurable library of sensitive-data patterns (Social Security numbers, credit cards, API keys, medical record numbers, etc.) and either lets it through, redacts the matched portions in place, or warns you. If you have enabled Behavior Monitoring, the Extension also audits the AI's responses for thirteen governance behavior categories (hallucination, dangerous medical, legal, financial, safety advice, bias, jailbreak compliance, misinformation, and others).

2. What we do NOT collect, ever

• Your name.
• Your email address.
• Your IP address.
• Your Google account, Microsoft account, or any other personal account identity.
• Any AI-tool password, login credential, or session token.
• Your geographic location.
• Your browsing history outside the supported AI chat sites listed above.
• The matched values from sensitive-data filter hits (e.g., when the Credit Card filter fires, we never see the actual credit card number, only that the filter fired).
• Anything from any website other than the supported AI chat sites listed above.

The Extension contains no third-party advertising, analytics, fingerprinting, or session-recording code.

3. Data stored locally on your device

The Extension uses your browser's chrome.storage.local API to keep the following on your computer only:

• Your filter library (the regular-expression patterns used to detect sensitive content).
• Your feature toggles and the master ON/OFF state of the floating "GOV 1st" pill.
• The Google Gemini API key you optionally paste in to enable Behavior Monitoring.
• A rolling 30-day count of activity on your device: total prompts seen, prompts flagged, responses redacted, behavior flags by category, and which AI chat tools you used.
• An anonymous random installation identifier (a UUID generated locally on first run) used to distinguish reports from different browsers within the same organization when enterprise reporting is in use. It is not tied to your name, email, IP, or Google account.

This local data does not leave your computer unless one of the two situations described in the "Plain-English summary" above applies.

4. Data sent to Google Gemini, only if you enable Behavior Monitoring

If you paste a Google Gemini API key into the Extension's options page and turn on Behavior Monitoring, the Extension will send the text of each AI response you receive on a supported site, along with the prompt you sent, to Google's Gemini API for a thirteen-category behavior audit. The call goes directly from your browser to generativelanguage.googleapis.com; we do not see, intercept, proxy, or log it.

Each call is bounded: your prompt is truncated to 4,000 characters and the AI response to 8,000 characters before being sent. The audit call is made under your own API key, meaning you (or your organization) pay Google directly for the call, and the data-handling relationship for that text is between you and Google.

Google's treatment of submitted content is governed by your relationship with Google. On the free tier of the Gemini API, Google may use submitted content to improve their models. On paid Gemini API tiers (billing-enabled Google Cloud projects), submitted content is not used for training. The Extension displays a clear privacy warning in its options page when free-tier mode is selected. If the content you audit is confidential, use a paid Gemini key.

You can disable Behavior Monitoring at any time by clearing the API key field or toggling the feature off in the options page, or by toggling the floating "GOV 1st" master switch in the lower-right corner of any AI chat page to OFF. Once disabled, no further calls to Gemini are made.

5. Data sent to our compliance backend, only if your employer deploys a managed configuration

If your employer's IT department uses Chrome Enterprise, Google Workspace, or Microsoft Intune to push a managed configuration that points the Extension at our compliance backend, the Extension will send a daily report to that backend. The default ingestion endpoint, used when an organization buys a commercial license, is https://api.hrrebooted.ai/ingest. Each daily report contains:

• The tenant identifier and authentication token your IT department configured.
• The anonymous installation identifier described in Section 3.
• The date.
• Numeric counters: how many prompts were sent, how many were flagged or blocked by which filter category, how many responses were redacted, how many behavior categories were flagged.
• Per-tool aggregate counts (e.g., "ChatGPT: 12 prompts; Claude: 4 prompts").
• A per-event compliance log of which filter fired, at what severity, on which AI tool, at what timestamp, but never the matched content itself.

We do not receive and never store the actual text of any prompt or any AI response. Only the items above are transmitted. This is enforced in the Extension's source code and verifiable by inspecting the upload payload.

When your organization stops using the service, or asks us to delete its data, we delete all reports associated with that tenant within thirty days.

6. The Chrome Web Store data-collection disclosure

For transparency, here is how each Chrome Web Store data-collection category applies to this Extension:

• Personally identifiable information, not collected. The Extension does not collect your name, email address, age, government ID, or any other identity-linking data. The anonymous random installation UUID has no link to your identity.
• Health information, not collected. Health-related regex filters detect-and-warn only; matched content is never transmitted.
• Financial and payment information, not collected. Financial regex filters detect-and-warn only; matched content is never transmitted.
• Authentication information, not collected by us. Your Google Gemini API key, if you choose to provide one, is stored locally and used to authenticate your own browser to Google. The Extension never collects passwords, AI-tool credentials, or system credentials.
• Personal communications, transmitted to Google only when you opt into Behavior Monitoring, as described in Section 4.
• Location, not collected. The Extension does not request location permissions and does not use geolocation APIs.
• Web history, only narrow per-AI-tool aggregate counts (as described in Section 5) are reported in the enterprise managed configuration. No URLs, page titles, or visit timestamps are reported.
• User activity, not transmitted. The Extension binds keyboard and click event listeners to intercept your prompt-submission gesture, but those events are processed locally and never sent anywhere.
• Website content, transmitted to Google only when you opt into Behavior Monitoring, as described in Section 4 (the AI's response text).

7. Cookies

The Extension itself does not set cookies. If you visit our company website at hrrebooted.ai or our tenant compliance dashboard, those pages may use a single session cookie for the duration of your login session. We do not use tracking or advertising cookies.

8. Data retention

• Local data on your device: kept until you uninstall the Extension or clear its storage. Daily statistics are automatically pruned after thirty days.
• Reports we receive on behalf of your employer (enterprise-managed installs only): retained for the duration of the commercial agreement, deleted within thirty days of contract end or written deletion request.
• Data sent to Google Gemini under your own API key: governed by your Gemini API agreement with Google, not by us.

9. Your rights

Because we do not collect information that identifies you personally, we generally have no individual record of you to disclose, correct, or delete. If you are an employee whose organization deploys the Extension under a managed configuration and you wish to know what counters have been reported about your installation, contact your organization's IT or compliance team, they have full access to their tenant's data through the compliance dashboard.

If you are a paying customer (the organization), you can export, correct, or delete your tenant's data at any time by contacting info@hrrebooted.com.

10. Children

The Extension is intended for use in workplace and professional settings. It is not directed at children under thirteen, and we do not knowingly collect data from children.

11. Security

All network traffic from the Extension, to Google Gemini and to our compliance backend, is encrypted in transit via HTTPS. The authentication token used by enterprise-managed installs is transmitted only over HTTPS and stored only in Chrome's managed-storage area, which is read-only to the Extension. The Extension ships unobfuscated and unminified so its behavior can be independently inspected.

12. Changes to this policy

If we materially change what data is collected or where it goes, we will update this page and increment the "last updated" date at the top. Because the Extension does not have a built-in update notification, material changes will also be reflected in the Extension's Chrome Web Store and Microsoft Edge Add-ons listing notes at the time of the version release that introduces them.

13. Contact

Privacy questions and requests: info@hrrebooted.com

General company contact:

HR Rebooted LLP
PO Box 326
Colebrook, NH 03576
United States

© 2026 HR Rebooted LLP. All rights reserved. Patent pending.