Privacy Policy
Last Updated: February 10, 2026
Our Privacy Commitment
Cogumi AI Shield is built on a fundamental principle: your data is yours, and it never leaves your device unless you explicitly choose to share it.
Unlike traditional security tools that send your data to the cloud for analysis, Cogumi operates entirely client-side. This isn't just a feature — it's our architecture.
What We Collect (Current Version: Zero Telemetry)
No Telemetry in v0.1.0
Current version (v0.1.0) does NOT collect:
- ✗ No usage analytics
- ✗ No crash reports
- ✗ No device fingerprinting
- ✗ No browsing history
- ✗ No clipboard contents
- ✗ No API keys or credentials (detected or redacted)
- ✗ No personal information
Technical note: The extension includes telemetry infrastructure (opt-in toggle, install ID storage) in the codebase, but all telemetry is disabled and non-functional in this release. No data is transmitted to any servers.
Future plans: We may add optional, opt-in anonymous telemetry in future versions (e.g., aggregated feature usage statistics, crash reports). If we do:
- It will be opt-in only (disabled by default)
- You'll be prompted during onboarding with a clear explanation
- You can toggle it on/off anytime in settings
- See "Changes to This Policy" below for details
Local Storage Only
All extension data is stored locally in your browser using Chrome's chrome.storage.local API:
- Policy configurations (your security rules)
- Grant history (time-limited permissions you've approved)
- Audit logs (events you choose to track)
- Settings (UI preferences, detection thresholds)
Who has access? Only you. This data never leaves your device.
Audit Log Privacy
When you allow or deny a paste/upload to an AI agent, Cogumi logs the event locally:
{
  "timestamp": "2026-01-15T10:30:00Z",
  "agent": "ChatGPT",
  "action": "paste",
  "detection": "API key (OpenAI)",
  "decision": "denied",
  "redacted_preview": "sk-proj-••••••••"
}
What's redacted? Everything except the first 8 characters (to help you identify which key).
Where is this stored? In chrome.storage.local on your device. We cannot access it.
Can you export it? Yes. The Options Console has an "Export Audit Logs" button that saves a JSON file to your Downloads folder. You control the data.
Can you delete it? Yes. Click "Clear Audit Logs" in settings, or uninstall the extension (removes all data).
What We DON'T Do
We Don't Intercept Your Data
How Cogumi works:
- Detects when you're on an AI agent site (ChatGPT, Claude, etc.)
- Listens for paste events or file uploads
- Analyzes content locally (regex + entropy, runs in your browser)
- Prompts you if sensitive data is detected
- Logs your decision locally
What we DON'T do:
- ✗ Send clipboard content to a server
- ✗ Upload files to the cloud for analysis
- ✗ Store plaintext secrets (even locally — only redacted previews)
- ✗ Transmit audit logs to our servers (we don't have servers)
We Don't Track You
No third-party SDKs (except Google Analytics for basic page view metrics, which you can block with ad blockers).
We track:
- Page views (website only, to measure traffic)
- Install button clicks (to measure conversion)
We DON'T track:
- What you paste into AI agents
- Which secrets are detected
- Your browsing history
- Personally identifiable information
We Don't Monetize Your Data
Our business model (future, when we launch Teams tier):
- ✅ Freemium (free for individuals, paid for teams)
- ✅ Enterprise licenses (companies pay for centralized policy management)
NOT our business model:
- ✗ Selling anonymized usage data
- ✗ Training AI models on your prompts
- ✗ Advertising
Permissions We Request (And Why)
When you install Cogumi AI Shield, Chrome will show a permissions prompt. Here's what we need and why:
1. Storage (storage)
Why: Store your policy settings, grant history, and audit logs locally.
What we DON'T do: Send this data to external servers.
2. Tabs (tabs)
Why: Detect which website you're on to determine if it's an AI agent (ChatGPT, Claude, etc.).
What we DON'T do: Read tab contents, track your browsing history, or monitor non-AI sites.
3. Host Permissions (<all_urls>)
Why: Inject the content script that monitors paste events, file uploads, and network requests on AI agent sites.
What we DON'T do: Monitor all websites continuously. The content script runs on all URLs (to detect AI agents on any domain), but only activates protection logic when AI-like interaction patterns are detected.
Technical: Content scripts run at document_start to intercept events before they reach AI agents, but remain dormant on non-AI sites.
4. Idle (idle)
Why: Detect when you're away from your computer to auto-revoke time-limited grants (e.g., "Allow for 10 minutes").
What we DON'T do: Track your activity patterns or report idle time to external services.
5. Debugger (debugger) - Optional Permission
Why: Advanced users can enable CDP (Chrome DevTools Protocol) protection to block network requests at a deeper level.
When requested: Only if you manually enable "CDP Protection" in advanced settings. Not requested by default.
What it does: Allows the extension to use Chrome's debugging API to intercept network requests that might bypass standard interception.
What we DON'T do: Use this permission to spy on your browsing or debug your personal activity. It's purely for enhanced network request blocking.
Full transparency: See Permissions Explained for a plain-English breakdown of every permission.
Third-Party Services
Current version (v0.1.0) uses ZERO third-party services for analytics, logging, or telemetry.
The only external connections:
- Chrome Web Store (for extension updates, managed by Google)
- AI agent websites (when you interact with ChatGPT, Claude, etc. - but we only monitor, not transmit)
No CDNs. No external fonts. No tracking pixels. No backend servers.
Data Retention
How long do we keep your data? We don't. You do.
- Audit logs: Stored locally until you delete them (or uninstall the extension)
- Policy settings: Stored locally, cleared on uninstall
- Grant history: Stored locally, auto-purged after 90 days (configurable)
What happens when you uninstall?
All extension data is permanently deleted from chrome.storage.local. We have no backups (because we never had the data in the first place).
Your Rights (GDPR, CCPA, etc.)
Right to Access
How to export your data: Options Console → Audit → Export Logs (downloads JSON file)
Right to Deletion
How to delete your data:
- Options Console → Settings → Clear Audit Logs
- Or uninstall the extension (removes all data)
Right to Portability
Your audit logs are exported in standard JSON format. You can import them into any SIEM or log analysis tool.
Right to Opt-Out
What's there to opt out of? We don't collect anything by default. There's no telemetry toggle because there's no telemetry.
Children's Privacy
Cogumi is not directed at children under 13. We don't knowingly collect data from anyone (including adults), but if we did, we wouldn't collect data from children.
Changes to This Policy
Last Updated: February 13, 2026
If we add optional telemetry in future versions, we'll:
- Update this policy with specific details about what data is collected
- Notify users via the extension popup and options page
- Require explicit opt-in consent (telemetry will be disabled by default)
- Provide a clear toggle in settings to disable it anytime
Promise: Any future telemetry will always be:
- ✅ Opt-in (disabled by default, requires explicit consent)
- ✅ Anonymous (no personally identifiable information)
- ✅ Aggregated (usage statistics only, e.g., "X% of users enabled strict mode")
- ✅ Content-free (no sensitive data, detected secrets, or clipboard contents)
- ✅ Transparent (you can see exactly what data is being collected in settings)
Contact Us
Questions about privacy?
- Email: privacy@cogumi.ai
- Support: support@cogumi.ai
We typically respond within 24 hours.
The Bottom Line: Cogumi AI Shield never sees your data. We can't leak what we don't have.