KoraSafe™ Chrome Extension privacy policy
This policy applies specifically to the KoraSafe™ Chrome Extension. For the main KoraSafe™ platform privacy policy, see korasafe.ai/privacy.
Summary
- The extension acts as a browser signal surface for KoraSafe™ governance.
- It records access to supported AI tools and LLM provider endpoints so your organization can maintain a shadow AI inventory.
- It surfaces governance context from your KoraSafe™ org, including registration status, policy context, and links back to the platform.
- It does not analyze, redact, filter, or block prompt or response content.
- The extension never transmits your prompts, LLM responses, or page contents to KoraSafe™ or any third party.
Data the extension processes locally
When you visit a supported AI surface such as ChatGPT, Claude, Gemini, Copilot, Perplexity, Poe, character.ai, or you.com, the extension checks the page location and extension state so it can identify the provider and display the correct KoraSafe™ context. It does not read prompt or response text for classification, redaction, or enforcement.
When the extension observes supported LLM provider network requests, it records request metadata needed for governance inventory, such as provider, surface type, timestamp, and organization context. It does not inspect request bodies or response bodies.
Data the extension sends to KoraSafe™ servers
Only when you have signed in with a KoraSafe™ account and connected the extension to your organization:
- Timestamped access events for supported AI surfaces, including provider name, surface type, and event source.
- LLM provider usage signals for supported provider endpoints, based on request metadata rather than request content.
- Registration prompts and user-selected status updates, such as linking a browser session to a registered KoraSafe™ system or marking a use case as experimental.
- Optional findings routed from customer-selected runtime tools, if your organization configures those tools to send events through the extension.
- Optional regulatory signal submissions you explicitly send to KoraSafe™ Research from the extension.
- Your KoraSafe™ account identifier and organization identifier for authentication.
Data we never collect
- Browsing history outside supported AI surfaces and configured LLM provider endpoints.
- The raw text of your prompts or LLM responses.
- Request bodies or response bodies from LLM API calls.
- Raw values of any sensitive data detected by customer-selected runtime tools.
- Cookies, passwords, or credentials from any site.
- Any content from non-AI tabs or websites.
Why we request each permission
| Permission | Why we request it |
|---|---|
| activeTab | Identify the supported AI surface in the current tab when you use the extension, then display the matching KoraSafe™ context. |
| storage | Persist sign-in state, organization selection, preferences, and cached governance context locally in the browser. |
| sidePanel | Render the KoraSafe™ sidebar with registration status, policy context, routed findings, and links to your org dashboard. |
| alarms | Schedule periodic refreshes of organization context and extension configuration. |
| webRequest | Observe supported LLM provider request metadata so organizations can inventory direct API usage. The extension does not inspect request or response bodies. |
| contextMenus | Let users explicitly submit selected regulatory context to KoraSafe™ Research when that feature is enabled. |
| Host access to AI surfaces | Recognize supported AI tools such as ChatGPT, Claude, Gemini, Copilot, Perplexity, Poe, character.ai, and you.com so the extension can show governance context. |
| Host access to LLM provider endpoints | Record provider-level usage signals for OpenAI, Anthropic, Google, Cohere, Azure OpenAI, and AWS Bedrock endpoints without reading request or response bodies. |
| Host access to korasafe.ai | Authenticate you, fetch your organization's governance context, and send permitted access events to your KoraSafe™ org. |
Data retention
Access events, usage signals, routed findings, and explicit regulatory signal submissions are retained for the retention period configured by your organization administrator. You can delete organization event history through the KoraSafe™ admin panel, subject to your organization's audit and legal requirements. If the extension is not connected to a KoraSafe™ org, no server-side event retention occurs.
Third parties
We do not sell, rent, or share extension data with advertisers, data brokers, or any third party outside of the KoraSafe™ service. The extension communicates with korasafe.ai and observes supported AI surfaces and LLM provider endpoints only for the governance uses described in this policy.
Your rights
You can uninstall the extension at any time, which removes all locally stored data. For organization-level data rights (export, deletion, correction), contact your KoraSafe™ admin or email Contact-us@korasafe.ai.
Changes to this policy
We may update this policy as the extension evolves. Material changes will be disclosed in the extension's release notes and on this page with a revised "Last updated" date.
Contact
Questions about this policy, or to exercise any data rights, email Contact-us@korasafe.ai.