Privacy Policy

Last updated: 2025-12-20

This Privacy Policy explains how the Kroki - Workflow Automation Chrome extension ("Extension", "we", "us") collects, uses, and protects information when you use the Extension.

Quick Summary

• Purpose: Automate web browsing tasks using AI agents and user-defined workflows (click, type, scroll, extract data, navigate pages).

• We collect minimal data for sign-in and subscription management: Google profile (ID, email, display name, avatar) stored in our database.

• We do not collect or transmit your browsing history, page content, or automation results to our servers.

• AI processing: Page content and prompts are sent directly to your chosen LLM provider (OpenAI, Anthropic, Google, etc.) using your own API keys.

• Payments are processed by Stripe. We do not store card data.

• Local storage: API keys, workflows, chat history, and settings are stored locally in your browser.

• We do not sell or share data for advertising. Data in transit is encrypted (HTTPS).

Who We Are

• Controller: Alexandr Kardash

• Business: Działalność gospodarcza (Poland)

• Tax ID (NIP): PL6783208954

• Address: Os. Jagiellońskie 6/8, 31-832 Kraków, Poland

• Contact: kardash.by@gmail.com

Scope & Single Purpose

The Extension's single purpose is to automate web browsing tasks through:

1. AI-powered natural language commands

2. User-defined visual workflows

The Extension operates on any website the user chooses to automate, only when explicitly initiated by the user.

Information We Collect

Google Profile (via Chrome Identity API)

Location: Stored in our database (Supabase)

• Google user ID: Account identification

• Email: Account identification, notifications

• Display name: Profile display in UI

• Avatar URL: Profile display in UI

Authentication Token (local only)

Location: Stored in chrome.storage.local

• Data: OAuth token from Google Identity

• Purpose: Keep you signed in

• Note: Not sent to our servers; not used to access Gmail or other Google data; revoked on logout.

API Keys (local only)

Location: Stored in your browser (chrome.storage.local)

• Data: LLM provider API keys (OpenAI, Anthropic, etc.)

• Purpose: Connect to your chosen AI provider

• Note: Never transmitted to our servers.

Workflows & Settings (local only)

Location: Stored in your browser (chrome.storage.local)

• Saved workflows: Run automations reliably

• User preferences: Personalize experience

• Chat history: Display conversation logs

Subscription (server)

Location: Stored in our database (Supabase)

• Data: Google ID, email, name, avatar. Purpose: Account management.

• Data: Subscription status, plan, billing cycle. Purpose: Billing administration.

• Data: Stripe customer ID. Purpose: Payment processing.

Support Communications (optional)

If you email us, we keep the message and address solely to respond and support you.

What We Do NOT Collect

• ❌ No page content is sent to our servers (only to your chosen LLM provider)

• ❌ No browsing history or URLs visited

• ❌ No passwords or credentials for websites you automate

• ❌ No payment card numbers (handled by Stripe)

• ❌ No keystroke logging or mouse tracking outside of automation

• ❌ No device location, health data, or sensitive categories

• ❌ No automation results or extracted data (stored locally only)

How We Use Information

• Authentication: Authenticate your account via Google OAuth

• Subscription management: Manage your plan and billing

• AI processing: Send prompts to your configured LLM provider (using your API keys)

• Local automation: Execute workflows and store results locally

• Support: Respond to your inquiries

We do not use your data for advertising or profiling.

Third-Party Services & Data Flow

LLM Providers (User's Choice)

When you use AI features, page content and prompts are sent directly to your configured LLM provider. Note: You provide your own API keys. We do not have access to your LLM usage or conversations.

Payment Processing

We receive only subscription status and Stripe customer ID. We never see or store your card details.

• Provider: Stripe

• Data Shared: Payment info (handled directly by Stripe)

• Privacy Policy: https://stripe.com/privacy

Backend Services

• Supabase: Profile, subscription status (https://supabase.com/privacy)

Legal Bases (GDPR)

• Performance of contract: Providing automation features you requested

• Legitimate interests: Security, fraud prevention, service reliability

• Consent: Google sign-in flow, optional communications (You may withdraw consent by logging out or contacting us.)

Sharing & Processors (No Selling)

We do not sell your data. We may share limited data with service providers (processors) strictly to deliver the service:

• Stripe (Payment processing): https://stripe.com/privacy

• Supabase (Database/APIs): https://supabase.com/privacy

• Google (OAuth Identity): https://policies.google.com/privacy

Processors must comply with confidentiality and security commitments and use your data only as instructed.

Remote Code, Permissions & Data Safety

Remote Code

We do not load or execute remotely hosted code. All JavaScript/CSS is bundled in the extension package. Network requests are HTTPS API calls only (no code execution).

Permissions (Chrome)

• storage: Store settings, workflows, API keys, and chat history locally

• unlimitedStorage: Store extensive workflow history for power users

• identity: Sign in with Google (profile/email only)

• tabs: Manage browser tabs during automation

• activeTab: Interact with the current tab during automation

• scripting: Inject automation scripts into web pages

• debugger: Advanced DOM interactions for complex automations

• webNavigation: Monitor page load completion

• webRequest: Handle HTTP authentication during automation

• alarms: Schedule automated workflow execution

• proxy: Configure proxy for workflows requiring it

• sidePanel: Provide the main user interface

Host Permissions

• <all_urls>: Automate any website the user chooses Note: The extension only accesses pages when the user explicitly initiates an automation task. No passive data collection occurs.

Data in Transit

All data in transit is encrypted via HTTPS.

International Transfers

Your data may be processed in regions where our processors operate. We rely on appropriate safeguards (e.g., Standard Contractual Clauses) and vendor certifications. Contact us for details of current data locations.

Security

• Encryption: All data in transit encrypted via HTTPS

• Data minimization: Collect only what's necessary

• Token revocation: OAuth tokens revoked on logout

• Local storage: Sensitive data (API keys) never leaves your device

• Access control: Limited to operational personnel and processors

No security system is impenetrable; we maintain safeguards and respond to incidents promptly.

Retention

• Profile & subscription (server): Retained while account is active; deleted upon request.

• Local settings, workflows, history: Stored in your browser; cleared by you anytime.

• Support emails: Up to 24 months, unless earlier deletion requested.

Your Rights

Depending on your location, you may have rights to:

• ✅ Access your data

• ✅ Rectify inaccurate data

• ✅ Erase your data

• ✅ Object to or restrict processing

• ✅ Data portability

• ✅ Withdraw consent (e.g., log out)

To exercise these rights or request account/data deletion: Email: kardash.by@gmail.com We will respond within a reasonable timeframe (typically 30 days).

For California Residents (CCPA/CPRA)

• Right to know, delete, and non-discrimination for exercising rights.

• We do not sell or share personal information for cross-context behavioral advertising.

Children's Privacy

The Extension is not intended for children under 13. We do not knowingly collect data from children under 13.

Changes to This Policy

We may update this policy from time to time. We'll post updates here and adjust the "Last updated" date. Material changes may be accompanied by additional notice in the Extension UI.

Contact

• Email: kardash.by@gmail.com

• Location: Kraków, Poland

If you have unresolved concerns, you may have the right to contact your local data protection authority.

Chrome Web Store Disclosures (Summary)

• Single purpose: Automate web browsing tasks using AI and user-defined workflows

• Data collected: Google profile (ID, email, name, avatar); local API keys, workflows, settings; subscription status on Supabase

• Data NOT collected: Page content, browsing history, passwords, card data

• AI processing: Sent to user's chosen LLM provider using user's API keys

• No sale or sharing: Data shared only with essential processors (Stripe/Supabase)

• No remote code: Packaged scripts only; HTTPS APIs

• Permissions: Justified strictly for functionality (see above)

Google API Services Disclosure

"This application's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements."

© 2025 Alexandr Kardash. All Rights Reserved.