
PRIVACY POLICY FOR PROMPTAURA

How PromptAura collects, uses, and protects your information — explained clearly.

📅 Effective: April 28, 2026 🔄 Last Updated: April 28, 2026
Section 01

Introduction

Welcome to PromptAura. This Privacy Policy explains how the PromptAura Chrome extension ("Extension"), developed and operated by PromptAura ("we," "us," or "our"), collects, uses, stores, and protects your information.

PromptAura is a Chrome extension that helps users enhance, refine, and polish their text prompts and messages across various websites and platforms using AI-powered assistance via Google's Gemini API.

By installing and using the PromptAura extension, you agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the extension.

Section 02

How PromptAura Processes Your Data — Technical Architecture

It is important to understand how PromptAura works technically so you can make an informed decision.

When you trigger a PromptAura feature (Refine, Chat Assist, Quick Polish):

  1. The text from your active text field on a supported website is read by the extension's content script.
  2. That text is sent to PromptAura's backend server (api.promptaura.in) over HTTPS.
  3. PromptAura's backend server sends the text to Google's Gemini API for AI processing.
  4. The AI response is returned to the backend and then delivered back to your extension.

Fallback Behaviour: If PromptAura's backend server is temporarily unavailable (e.g., due to a server outage, timeout, or network error), the extension may call Google's Gemini API directly from your browser using your locally stored API key. In this case, your text is sent directly from the extension to Google's Gemini API without passing through our backend.

Your Gemini API Key (if using BYOK — Bring Your Own Key)

  • Is sent to PromptAura's backend server as part of each API request
  • Is used server-side to authenticate the request to Google Gemini
  • Is not permanently stored on our servers — it is only held in server memory for the duration of the request
  • In fallback mode, your API key is used directly by the extension to call Google's Gemini API without any server involvement

This means your text prompts and API key may pass through PromptAura's backend server, or in fallback scenarios, may be transmitted directly from your browser to Google's Gemini API.

Section 03

Information We Collect

3.1 Account and Authentication Data

If you register an account with PromptAura, we collect:

  • Email address — used to identify your account, manage your session, and for payment processing
  • Full name — collected during Google OAuth sign-in or email registration, used for account personalisation
  • Password — stored as a cryptographically hashed value using PBKDF2 with a unique salt. Your plain-text password is never stored or logged
  • Google profile information — if you sign in via Google OAuth, we receive your email address and name from Google via the userinfo.email and userinfo.profile OAuth scopes

3.2 Gemini API Key (BYOK — Bring Your Own Key)

When you provide your Google Gemini API key:

  • It is transmitted to PromptAura's backend server over HTTPS with each AI request
  • It is used server-side to make requests to Google's Gemini API on your behalf
  • It is not permanently stored in our database — it is held in server memory only for the duration of each request
  • It is stored on your device in the following locations for reuse between sessions:
    • chrome.storage.sync — Chrome's synchronised storage, which may sync the key across all Chrome browsers where you are signed in with the same Google account
    • chrome.storage.local — Chrome's local extension storage, which stays on the device
    • window.localStorage — the browser's local storage, used as a last-resort fallback if Chrome extension storage is temporarily unavailable (e.g., when the extension context is invalidated). Note: localStorage is scoped to the web page origin and may be readable by the host website's own scripts

3.3 Auto-Detection of API Key (Optional Feature)

  • PromptAura offers an optional "Auto-Detect API Key" feature that can detect your Gemini API key from the Google AI Studio website
  • This feature is opt-in — it only activates if you explicitly click "⚡ Yes, auto-detect it!" during the onboarding process
  • Chrome will display a native permission prompt asking your explicit consent before the extension is granted access to aistudio.google.com
  • If permission is granted, the extension injects a content script onto the Google AI Studio page that:
    • Scans visible page elements (inputs, text nodes, code blocks) for an API key pattern matching the format AIza followed by 35 alphanumeric characters
    • Listens for click events and attempts to read the clipboard to detect a copied API key
    • Attempts to auto-click the key row on the page to reveal the full key in a modal
  • Only the API key value is extracted — no other user data from Google AI Studio is collected, stored, or transmitted
  • After successful detection, the permission consent flag is automatically cleaned up from local storage

3.4 Text and Prompt Data

  • When you trigger a PromptAura feature, the text in your active text field is read by the extension's content script and sent to PromptAura's backend server (or directly to Google's Gemini API in fallback mode)
  • Because PromptAura operates across platforms including Gmail, WhatsApp Web, Telegram Web, and similar sites, this text may include the contents of your emails, private messages, or documents
  • This text is transmitted to our backend server and then forwarded to Google's Gemini API for AI processing
  • Text prompts are not permanently stored on our servers. They are held in server memory only for the duration of the request and discarded immediately after the response is returned
  • On your local device, a truncated version of recent prompts (up to 120 characters) is stored as part of the Memory system (see §3.5) to provide context for future sessions

3.5 Local Memory Data

The extension maintains a local "Memory" system on your device that tracks context to improve AI responses. This includes:

  • A history of recent prompts (truncated to 120 characters each, up to 8 entries)
  • Auto-generated project summaries and topic labels
  • Inferred user preferences based on repeated answer selections
  • Auto-extracted "memory files" — short summaries of completed prompt sessions, generated by AI

This memory data is stored on your local device via chrome.storage.local. If Chrome extension storage is temporarily unavailable, data may fall back to window.localStorage. Memory data is periodically pruned: entries with low usage scores are removed when storage exceeds 80KB or when 7 days have passed since the last prune cycle. The pruning considers a rolling 45-day window for relevance scoring. You can manually export, import, or delete all memory data at any time via the extension's Memory panel.

3.6 Usage and Credit Tracking

  • PromptAura tracks your daily feature usage count to enforce subscription and free-tier limits
  • Usage credits are tracked both on our server (via /api/credits and /api/credits/deduct endpoints) and cached locally on your device using chrome.storage.local
  • If the server is temporarily unavailable, the extension uses a locally cached credit count as a graceful fallback
  • No details about the content of your prompts are included in credit tracking — only a numeric count is recorded

3.7 Payment and Subscription Data

  • If you subscribe to a paid tier, your email address, name, and subscription/order metadata are shared with Razorpay for payment processing
  • PromptAura stores your subscription status and order identifiers in our database
  • Actual payment card details are handled entirely by Razorpay and are never seen or stored by PromptAura

3.8 Session Tokens and Authentication State

  • Upon successful sign-in (via Google OAuth or email/password), a cryptographically signed session token is generated by our server
  • This token is stored on your device using chrome.storage.sync, which means it may sync across all Chrome browsers where you are signed in with the same Google account
  • Your user profile data (name, email) is also stored in chrome.storage.sync alongside the session token
  • These are used to authenticate your requests to our backend server

3.9 Theme and UI Preferences

  • Your selected theme preference (default, dark, or light) is stored in chrome.storage.sync and syncs across your Chrome devices
  • The position of the extension's floating button on supported websites is stored in window.localStorage on each individual site

Section 04

Chrome Limited Use Disclosure

PromptAura's use of data obtained through Chrome extension APIs complies with the Chrome Web Store Developer Program Policies, including the Limited Use requirements.

Specifically:

  • We do not use your data for any purpose other than providing and improving the PromptAura service as described in this policy
  • We do not use your data to serve advertisements
  • We do not allow humans to read your text data unless you have given explicit affirmative consent, or it is necessary for security purposes or to comply with applicable law
  • We do not sell, transfer, or disclose your data to third parties except as described in this policy and as necessary to provide the service (i.e., processing via Google Gemini API and payment processing via Razorpay)
  • We do not use or transfer your data for purposes that are unrelated to the single purpose of the extension

Section 05

Information We Do NOT Collect

  • We do not track your browsing history or monitor which websites you visit. Content scripts are only injected on the specific supported websites listed in the manifest and only interact with text input fields when you trigger a feature
  • We do not permanently store your prompt text or conversation history on our servers
  • We do not sell, rent, or trade your personal data to any third party
  • We do not use advertising networks or embed hidden tracking pixels
  • We do not collect payment card details
  • We do not access Google AI Studio unless you explicitly grant the optional host permission through Chrome's native permission prompt
  • We do not read your clipboard unless you have opted into the API key auto-detection feature on Google AI Studio. In that case, clipboard reading occurs only on the Google AI Studio page to detect a copied API key

Section 06

How We Use Your Information

We use the information we collect solely to:

  • Provide core AI functionality — processing your text through our backend and/or Google Gemini API to generate refined prompts, chat responses, and polished text
  • Manage your account — authenticating your session, tracking your subscription tier and daily usage credits
  • Process payments — managing subscription billing via Razorpay
  • Personalise AI responses — using your locally stored memory context (recent prompts, preferences, and memory files) to provide more contextually relevant results
  • Enable cross-platform continuity — detecting when you switch between supported platforms and offering to inject context from your previous session
  • Maintain security — verifying session tokens and protecting against unauthorised access

Section 07

Data Sharing and Third Parties

We do not sell your personal data. Data is shared only with the following essential service providers:

| Third Party | Purpose | Data Shared |
|---|---|---|
| Google Gemini API | AI text processing | Your text prompts and API key (per request, not stored by us) |
| MongoDB Atlas | Account data storage | Email, hashed password, name, subscription status, credit count |
| Razorpay | Payment processing | Email, name, subscription/order metadata |
| Google OAuth | Sign-in authentication | Basic profile: email and name (via userinfo.email and userinfo.profile scopes) |
| Render / Cloudflare | Backend hosting and DNS | Encrypted HTTPS traffic only |

All third-party providers are bound by their own privacy policies and applicable data protection laws. We encourage you to review:

Section 08

Websites Where PromptAura Operates

PromptAura's content scripts are injected on the following websites to provide its prompt refinement and message assistance features. The extension reads text from input fields on these sites only when you trigger a feature (Refine, Chat Assist, or Quick Polish).

🤖 AI and Productivity Platforms
chatgpt.com ChatGPT
claude.ai Claude
gemini.google.com Gemini
gamma.app Gamma
lovable.dev Lovable
bolt.new Bolt
v0.dev v0
notebooklm.google.com NotebookLM
www.perplexity.ai Perplexity
🔬 Research Platforms
emergentmind.com Emergent Mind
elicit.com Elicit
consensus.app Consensus
www.researchrabbit.ai Research Rabbit
app.litmaps.com Litmaps
💬 Communication Platforms (Chat Assist mode)
mail.google.com Gmail
web.whatsapp.com WhatsApp Web
web.telegram.org Telegram Web
🎨 Creative and Design Platforms
www.notion.so Notion
www.figma.com Figma
canva.com Canva
app.runwayml.com Runway
app.suno.ai Suno
elevenlabs.io ElevenLabs
🔐 Optional (requires explicit permission grant)
aistudio.google.com Google AI Studio (API key auto-detection only)

The extension does not operate on any websites not listed above.

Section 09

Permissions Declared in the Extension

| Permission | Why It Is Needed |
|---|---|
| activeTab | To identify and interact with the currently active tab when you trigger a feature |
| tabs | To query the active tab's URL for platform detection and to manage tab switching during the API key setup flow |
| storage | To save your API key, session token, memory data, credit cache, and theme preference using Chrome's extension storage APIs |
| sidePanel | To display the extension's main interface in Chrome's side panel |
| identity | To support Google OAuth sign-in using Chrome's identity API |
| scripting | To dynamically inject the API key detection script on Google AI Studio when you have explicitly granted the optional host permission |
| optional: aistudio.google.com | Requested only if you choose the auto-detect API key feature — Chrome displays a native permission prompt and this is never active by default |

Host permissions are declared for each of the supported websites listed in §8, plus api.promptaura.in (our backend server) and generativelanguage.googleapis.com (Google's Gemini API endpoint, used for direct fallback calls).

Section 10

Data Storage and Security

On Your Device

| Data | Storage Mechanism | Syncs Across Devices? |
|---|---|---|
| API key | chrome.storage.sync + chrome.storage.local + localStorage fallback | Yes (via chrome.storage.sync) |
| Session token | chrome.storage.sync | Yes |
| User profile (name, email) | chrome.storage.sync | Yes |
| Memory data (prompts, preferences, projects) | chrome.storage.local + localStorage fallback | No |
| Usage credit cache | chrome.storage.local | No |
| Theme preference | chrome.storage.sync | Yes |
| Button position | localStorage (per-site) | No |
| Auto-detect permission flag | chrome.storage.local | No |

On Our Servers

  • Account data (email, hashed password, name, subscription status) is stored in MongoDB Atlas
  • Usage credits are tracked server-side per account
  • Text prompts and API keys are held in server memory only for the duration of each request and are discarded immediately after the response is returned. They are never written to disk or database

Security Measures

  • Encryption in transit — All communication between the extension and our backend (api.promptaura.in) and Google's Gemini API (generativelanguage.googleapis.com) is encrypted using HTTPS/TLS
  • Password security — Passwords are hashed using PBKDF2 with a unique cryptographic salt per user
  • Session tokens — Cryptographically signed by our server and verified on each request
  • Content Security Policy — Extension pages enforce script-src 'self'; object-src 'self' to prevent script injection

Section 11

Data Retention

| Data Type | Where Stored | Retention Period |
|---|---|---|
| Gemini API key | Device (chrome.storage.sync + chrome.storage.local + localStorage) and server memory per request | Device: until you delete it, clear extension data, or uninstall. Server: discarded after each request completes |
| Text prompts (full) | Server memory only during processing | Discarded immediately after AI response is returned |
| Text prompts (truncated, 120 chars) | Device memory system (chrome.storage.local) | Periodically pruned based on usage and storage limits (45-day relevance window) |
| Local memory (preferences, projects, files) | Device only (chrome.storage.local) | Until storage exceeds limits, manually cleared, or extension is uninstalled |
| Account data | MongoDB Atlas | Until you request account deletion |
| Session tokens | Device (chrome.storage.sync) | Until sign-out or token expiry |
| Usage credit count | Device (chrome.storage.local) + server | Device: reset daily. Server: per account lifecycle |
| Payment/subscription data | MongoDB Atlas + Razorpay | Per Razorpay's retention policy and until account deletion |
| Theme preference | Device (chrome.storage.sync) | Until changed or extension uninstalled |

Section 12

Your Rights

Under GDPR (EEA and UK Users)

  • Right of Access — Request a copy of data we hold about you
  • Right to Erasure — Request deletion of your account and all associated server data
  • Right to Portability — Export your local memory data via the built-in Export feature (JSON format)
  • Right to Object — Object to processing for certain purposes
  • Right to Rectification — Request correction of inaccurate data

Under CCPA (California Users)

  • Right to Know — Know what personal data is collected and how it is used
  • Right to Delete — Request deletion of your personal information
  • Right to Opt-Out — We do not sell personal data, so this right is already fulfilled

Under India DPDP Act (Indian Users)

  • Right to Information — Know what data is processed and for what purpose
  • Right to Correction and Erasure — Request correction or deletion of your personal data
  • Right to Grievance Redressal — Contact us to raise any data-related grievance
  • Right to Nominate — Nominate another person to exercise your rights in case of death or incapacity

To exercise any of these rights, contact us at the email address provided in §15.

Section 13

Legal Basis for Processing (GDPR)

  • Performance of a Contract — Processing text and managing accounts to deliver the service you signed up for
  • Consent — Accessing text on supported websites when you trigger a feature, and optionally accessing Google AI Studio for API key auto-detection
  • Legitimate Interests — Maintaining security, preventing fraud, and enforcing usage limits

Section 14

Children's Privacy

PromptAura is not directed at children under the age of 13 (or 16 under GDPR). We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child under the applicable age, we will delete that data promptly.

Section 15

Contact Information

PromptAura
Email: promptaura.contact@gmail.com Website: https://promptaura.in

We aim to respond to all privacy-related requests within 30 days.

Section 16

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our extension's features, data practices, or legal requirements. When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Provide notice through the extension or Chrome Web Store listing where feasible

Continued use of the extension after changes constitutes acceptance of the updated policy.

Section 17

Governing Law

This Privacy Policy is governed by the laws of India. For users in other jurisdictions, applicable local data protection laws including GDPR (for EEA/UK users) and CCPA (for California users) also apply where required.