PromptAura
PRIVACY POLICY FOR PROMPTAURA
How PromptAura collects, uses, and protects your information - explained clearly.
Introduction
Welcome to PromptAura. This Privacy Policy explains how the PromptAura Chrome extension ("Extension"), developed and operated by PromptAura ("we," "us," or "our"), collects, uses, stores, and protects your information.
PromptAura is a Chrome extension that helps users enhance, refine, and polish their text prompts and messages across various websites and platforms using AI-powered assistance via Google's Gemini API.
By installing and using the PromptAura extension, you agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the extension.
How PromptAura Processes Your Data - Technical Architecture
It is important to understand how PromptAura works technically so you can make an informed decision.
When you trigger a PromptAura feature (Refine, Chat Assist, Quick Polish):
The text from your active text field on a supported website is read by the extension's content script.
If you have provided your own API key, the text is sent directly to Google's Gemini API. If not, the text is sent to PromptAura's backend server over HTTPS, which then forwards it to Google.
The AI response is generated by Gemini and returned to the extension (either directly or via our backend).
After the response is delivered, the extension always sends a memory extraction request to PromptAura's backend server - this applies to all users, including those using their own API key (BYOK). The request contains the first 500 characters of the original prompt and the AI response. The server generates a short summary (filename + one-line description) which is returned and stored locally on your device. The full prompt and response are discarded by the server immediately after the summary is generated.
Your Gemini API Key (if using BYOK - Bring Your Own Key)
- Is used directly by the extension to call Google's Gemini API without server involvement.
- If our backend routing is ever required, the key is sent to PromptAura's backend server over HTTPS, where it is used server-side to authenticate the request and is never permanently stored in our database (held in server memory only for the duration of the request).
This means your text prompts are transmitted directly from your browser to Google's Gemini API if you use your own API key, or may pass through PromptAura's backend server if you do not.
Information We Collect
3.1 Account and Authentication Data
If you register an account with PromptAura, we collect:
- Email address - used to identify your account, manage your session, and for payment processing
- Full name - collected during Google OAuth sign-in or email registration, used for account personalisation
- Password - transmitted over HTTPS and hashed server-side using industry-standard cryptographic algorithms before being stored. Your plain-text password is never stored or logged by our servers
- Google profile information - if you sign in via Google OAuth, we receive your
email address and name from Google via the
userinfo.emailanduserinfo.profileOAuth scopes
3.2 Gemini API Key (BYOK - Bring Your Own Key)
When you provide your Google Gemini API key:
- It is used directly by the extension to authenticate requests to Google's Gemini API on your behalf.
- If our backend routing is ever required, it is transmitted to PromptAura's backend server over HTTPS and used server-side to make requests to Google's Gemini API on your behalf.
- It is never permanently stored in our database - if sent to our backend, it is held in server memory only for the duration of each request.
- It is stored securely on your device for reuse between sessions using secure extension storage, which may sync across your signed-in Chrome browsers. If extension storage is temporarily unavailable, local browser storage may be used as a last-resort backup mechanism.
3.3 Auto-Detection of API Key (Optional Feature)
- PromptAura offers an optional "Auto-Detect API Key" feature that can detect your Gemini API key from the Google AI Studio website
- This feature is opt-in - it only activates if you explicitly click "Continue" during the onboarding process
- Chrome will display a native permission prompt asking your explicit consent
before the extension is granted access to
aistudio.google.com - If permission is granted, the extension injects a content script onto the Google AI Studio page
that:
- Scans visible page elements (inputs, text nodes, code blocks) for an API key pattern matching a standard Google API key format
- Attempts to auto-click the key row on the page to reveal the full key in a modal
- Intercepts outgoing clipboard writes during the optional key-detection flow. It intercepts outgoing clipboard writes matching the standard Google API key format rather than reading your clipboard. This intercept runs only on the Google AI Studio page when the optional permission is active - all other clipboard writes pass through unmodified
- Only the API key value is extracted - no other user data from Google AI Studio is collected, stored, or transmitted
- If multiple API keys are found on your AI Studio account, all detected key values are temporarily stored in local memory during the session to present a selection interface. Once you select a key, all other detected keys and this temporary session entry are immediately deleted - only your chosen key is retained
- After successful detection, the permission consent flag is automatically cleaned up from local storage
3.4 Text and Prompt Data Collection
- When you trigger a PromptAura feature, the text in your active text field is read by the extension's content script
- Because PromptAura operates across platforms including Gmail, WhatsApp Web, Telegram Web, and similar sites, this text may include the contents of your emails, private messages, or documents
- On your local device, a truncated version of recent prompts (up to 120 characters) is stored as part of the Memory system (see ยง3.5) to provide context for future sessions
3.4a Service Improvement Logging
To improve the quality and accuracy of AI responses over time, PromptAura logs a record of your prompt session to our servers after each successful Refine, Polish, or Chat Assist generation.
What is logged
- A portion of your original prompt text (up to 1,000 characters)
- The clarifying questions shown to you and the answer options you selected
- A portion of the AI-generated output (up to 1,200 characters)
- The name of the platform you were using (e.g., ChatGPT, Gmail)
- A portion of your local memory context at the time of the request
What is NOT logged
- Your name or email in identifiable form โ only a pseudonymous account identifier is associated with your logs
- Your Gemini API key or authentication token
- Payment or subscription information
- Any data beyond what is listed above
Retention and purpose
Logged records are automatically and permanently deleted after 90 days. Logs are used solely to understand how prompts are refined and to improve AI response quality. They are not used for advertising, not sold to any third party, and not used to train external AI models.
How to request deletion of your logs
You may request deletion of all your stored prompt logs at any time by contacting us at promptaura.contact@gmail.com. We will process your request within 30 days.
3.5 Local Memory Data
The extension maintains a local "Memory" system on your device that tracks context to improve AI responses. This includes three main tiers:
- Personal Memory Traits: Up to 20 short user trait descriptions (e.g., "uses React", "prefers concise responses") inferred automatically from your prompts and stored locally. These decay over time and can be deleted individually.
- Session Memory: A short-lived memory of up to 12 items (up to 200 characters each) that resets automatically after 2 hours of inactivity. This helps carry context between platforms.
- History & Preferences: A history of recent prompts (truncated to 120 characters each, up to 8 entries), project summaries, topic labels, and auto-extracted memory files.
This memory data is stored securely on your device using secure extension storage. If Chrome's extension storage is temporarily unavailable, it may use local browser storage as a backup mechanism. To conserve space, memory data is periodically pruned based on usage relevance and local storage limits. You maintain full control and can manually export, import, or delete all memory data at any time via the extension's Memory panel.
3.6 Usage and Credit Tracking
- PromptAura tracks your daily feature usage count to enforce subscription and free-tier limits
- Prompt Statistics Logging: After each successful generation, the extension notifies our backend to increment your total prompt count and update your usage streak. No prompt text is included in this request - only an account-level numeric counter and streak value.
- Usage credits, total prompt count, and your active usage streak are tracked on our server and cached locally on your device using secure extension storage
- If the server is temporarily unavailable, the extension uses a locally cached credit count as a graceful fallback
- No details about the content of your prompts are included in usage tracking
3.7 Payment and Subscription Data
- If you subscribe to a paid tier, your email address, name, and subscription/order metadata are shared with Razorpay for payment processing
- PromptAura stores your subscription status and order identifiers in our database
- Actual payment card details are handled entirely by Razorpay and are never seen or stored by PromptAura
3.8 Session Tokens and Authentication State
- Upon successful sign-in (via Google OAuth or email/password), a cryptographically signed session token is generated by our server
- This token is stored securely in your extension settings, which means it may sync across all Chrome browsers where you are signed in with the same Google account
- Your user profile data (name, email) is also stored securely in your extension settings alongside the session token
- Sign-out & Account Switching: When you sign out, the extension revokes your Google OAuth token. When a different user account is detected, all API keys, memory data, and cached credit data stored on the device are automatically cleared.
3.9 Theme and UI Preferences
- Your selected theme preference (default, dark, or light) is stored in your extension settings and syncs across your Chrome devices
- The position of the extension's floating button on supported websites is stored in local browser storage on each individual site
Chrome Limited Use Disclosure
PromptAura's use of data obtained through Chrome extension APIs complies with the Chrome Web Store Developer Program Policies, including the Limited Use requirements.
Specifically:
- We do not use your data for any purpose other than providing and improving the PromptAura service as described in this policy
- We do not use your data to serve advertisements
- We do not allow humans to read your text data unless you have given explicit affirmative consent, or it is necessary for security purposes or to comply with applicable law
- We do not sell, transfer, or disclose your data to third parties except as described in this policy and as necessary to provide the service (i.e., processing via Google Gemini API and payment processing via Razorpay)
- We do not use or transfer your data for purposes that are unrelated to the single purpose of the extension
Information We Do NOT Collect
- We do not track your browsing history or monitor which websites you visit. Content scripts are only injected on the specific supported websites listed in the manifest and only interact with text input fields when you trigger a feature
- We do not sell, rent, or trade your prompt text or conversation history to any third party. (Prompt data logging is strictly for service improvement and is opt-out, as detailed in ยง3.4)
- We do not sell, rent, or trade your personal data to any third party
- We do not use advertising networks, serve targeted ads, or embed hidden tracking pixels. The extension uses privacy-focused, anonymised analytics (GA4 Measurement Protocol) within the extension's side panel only to track aggregate feature usage - no personal data, prompt content, or browsing history is included in analytics events. See ยง7b for full details
- We do not collect payment card details
- We do not access Google AI Studio unless you explicitly grant the optional host permission through Chrome's native permission prompt
- We do not read arbitrary clipboard contents at any time. During the optional API key auto-detection feature on Google AI Studio, the extension intercepts outgoing clipboard write operations that match a standard Google API key format - it does not read arbitrary clipboard contents. This interception occurs only on the Google AI Studio page, only when you have explicitly granted the optional host permission, and only during the active key-detection flow
How We Use Your Information
We use the information we collect solely to:
- Provide core AI functionality - processing your text through our backend and/or Google Gemini API to generate refined prompts, chat responses, and polished text
- Manage your account - authenticating your session, tracking your subscription tier and daily usage credits
- Process payments - managing subscription billing via Razorpay
- Personalise AI responses - using your locally stored memory context (recent prompts, preferences, and memory files) to provide more contextually relevant results
- Enable cross-platform continuity - detecting when you switch between supported platforms and offering to inject context from your previous session
- Maintain security - verifying session tokens and protecting against unauthorised access
Data Sharing and Third Parties
We do not sell your personal data. Data is shared only with the following essential service providers:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Google Gemini API | AI text processing | Your text prompts and API key (per request). Note: Prompts may be stored in our database for 90 days if Prompt Data Logging is enabled (see ยง3.4). |
| Secure Cloud Database | Account data storage | Email, hashed password, name, subscription status, credit count. Users may request the identity of our database sub-processor by contacting us. |
| Razorpay | Payment processing | Email, name, subscription/order metadata |
| Google OAuth | Sign-in authentication | Basic profile: email and name (via userinfo.email and
userinfo.profile scopes) |
| Secure Cloud Hosting | Backend hosting and DNS | Encrypted HTTPS traffic only |
| Google Analytics (GA4) | Extension usage analytics | Anonymised client ID, session ID, feature usage events (mode selected, button clicks). No personal data, prompt content, or browsing history. See ยง7b |
All third-party providers are bound by their own privacy policies and applicable data protection laws. We encourage you to review:
Extension Analytics (Google Analytics 4)
PromptAura uses Google Analytics 4 (GA4) via the Measurement Protocol to collect anonymised, aggregate usage data within the extension's side panel. This helps us understand which features are used most and improve the product.
gtag.js or analytics.js tracking script. It uses the GA4 Measurement Protocol, which sends events via HTTPS POST
requests. No cookies (_ga, _gid, _gat) are
set in your browser by the extension.
What data is collected
| Data Point | Value | Purpose |
|---|---|---|
| Client ID | Random UUID (e.g., a1b2c3d4-...), generated once and stored in
chrome.storage.local |
Distinguish unique extension installs without identifying the user |
| Session ID | Timestamp-based, refreshed after 30 minutes of inactivity | Group events into usage sessions |
Event: mode_selected |
Which feature mode was chosen: refine, chat, or
polish |
Understand feature popularity |
Event: session_start |
Context: side_panel |
Count how often the side panel is opened |
Event: action_click |
Button name: sign_out or copy_message |
Track key interaction patterns |
What is NOT collected via analytics
- Your prompt text, messages, or any content you type
- Your email address, name, or any personally identifiable information
- Your API key or authentication tokens
- The websites you visit or your browsing history
- Your IP address (GA4 does not log IP addresses)
Where data is sent
Analytics events are sent to Google Analytics via the GA4 Measurement Protocol. Data is processed by Google under the Google Privacy Policy.
How to opt out
- You can block requests to
google-analytics.comusing any ad blocker or privacy extension (e.g., uBlock Origin, Privacy Badger). The extension will continue to function normally โ analytics failures are silently ignored - If you are in the EEA/UK, analytics data collection is subject to your consent under GDPR and PECR. You may opt out by blocking the domain as described above, or contact us to request exclusion
google-analytics.com via any ad blocker or by contacting us at promptaura.contact@gmail.com.
Websites Where PromptAura Operates
PromptAura's content scripts are injected on the following websites to provide its prompt refinement and message assistance features. The extension reads text from input fields on these sites only when you trigger a feature (Refine, Chat Assist, or Quick Polish).
chatgpt.com ChatGPTclaude.ai Claudegemini.google.com Geminigamma.app Gammalovable.dev Lovablebolt.new Boltv0.dev v0notebooklm.google.com NotebookLMwww.perplexity.ai Perplexityreplit.com Replitemergentmind.com Emergent Mindelicit.com Elicitconsensus.app Consensuswww.researchrabbit.ai Research Rabbitapp.litmaps.com Litmapsmail.google.com Gmailweb.whatsapp.com WhatsApp Webweb.telegram.org Telegram Weblinkedin.com LinkedInwww.notion.so Notionwww.figma.com Figmacanva.com Canvaapp.runwayml.com Runwayapp.suno.ai / suno.com Sunoelevenlabs.io ElevenLabsaistudio.google.com Google AI Studio (API key auto-detection
only)The extension does not operate on any websites not listed above.
MutationObserver solely to detect when the AI platform clears its input field after submission, removing our visual button pulse. On supported AI platforms (but not messaging apps), we also intercept the first Enter key press to suggest prompt refinement; this occurs once per page load.
Permissions Declared in the Extension
| Permission | Why It Is Needed |
|---|---|
activeTab |
To identify and interact with the currently active tab when you trigger a feature |
tabs |
To query the active tab's URL for platform detection and to manage tab switching during the API key setup flow |
storage |
To save your API key, session token, memory data, credit cache, and theme preference using Chrome's extension storage APIs |
sidePanel |
To display the extension's main interface in Chrome's side panel |
identity |
To support Google OAuth sign-in using Chrome's identity API |
scripting |
To dynamically inject the API key detection script on Google AI Studio when you have explicitly granted the optional host permission |
optional: aistudio.google.com |
Requested only if you choose the auto-detect API key feature - Chrome displays a native permission prompt and this is never active by default |
host: google-analytics.com |
To send anonymised feature usage events via the GA4 Measurement Protocol. No
cookies are set in your browser - only a client ID in
chrome.storage.local. See ยง7b |
Host permissions are declared for each of the supported websites listed in ยง8, plus
api.promptaura.in (our backend server),
generativelanguage.googleapis.com (Google's Gemini API endpoint, used for direct
Gemini requests when a user-provided API key is available), and google-analytics.com (for anonymised feature usage analytics -
see ยง7b).
Data Storage and Security
On Your Device
| Data | Storage Mechanism | Syncs Across Devices? |
|---|---|---|
| API key | Secure extension storage + local browser storage backup | Yes (via secure extension storage) |
| Session token | Secure extension storage | Yes |
| User profile (name, email) | Secure extension storage | Yes |
| Memory data (prompts, preferences, projects) | Secure extension storage + local browser storage backup | No |
| Usage credit cache | Secure extension storage | No |
| Theme preference | Secure extension storage | Yes |
| Button position | Local browser storage (per-site) | No |
| Auto-detect permission flag | Secure extension storage | No |
| Analytics client ID (random UUID) | Secure extension storage | No |
| Analytics session ID | Secure extension storage | No |
| Fallback session & memory data (when extension storage unavailable) | window.localStorage - used as a last-resort fallback within the active tab context only |
No |
On Our Servers
- Account data (email, hashed password, name, subscription status) is stored in a secure cloud database
- Usage credits are tracked server-side per account
- API keys (when passed to our backend) are held in server memory only for the duration of each request and are discarded immediately after the response is returned. They are never written to disk or database.
- Text prompts โ A portion of each prompt session is logged to our database for service improvement and retained for 90 days, then automatically and permanently deleted. See ยง3.4a for full details.
Security Measures
- Encryption in transit โ All communication between the extension, our backend services, and Google's Gemini API is encrypted using HTTPS/TLS
- Password security โ Passwords are hashed server-side using an industry-standard cryptographic algorithm with a unique random salt per user before storage. Plain-text passwords are never written to disk or logs
- Session tokens โ Cryptographically signed by our server and verified on each request
- Access control โ Access to stored user data is restricted to authorised personnel only
- Content Security Policy โ Extension pages enforce strict Content Security Policies to prevent unauthorized script injection
No system is completely secure. If you believe your account has been compromised, please contact us immediately at promptaura.contact@gmail.com.
Data Retention
| Data Type | Where Stored | Retention Period |
|---|---|---|
| Gemini API key | Device (Secure extension storage + local browser storage) and server memory per request | Device: until you delete it, clear extension data, or uninstall. Server: discarded after each request completes |
| Text prompts (service improvement logs) | Server database | Retained for 90 days, then automatically and permanently deleted. See ยง3.4a. |
| Text prompts (truncated, 120 chars) | Device memory system (Secure extension storage) | Periodically pruned based on usage and storage limits (45-day relevance window) |
| Local memory (preferences, projects, files) | Device only (Secure extension storage) | Until storage exceeds limits, manually cleared, or extension is uninstalled |
| Account data | Secure cloud database | Until you request account deletion |
| Session tokens | Device (Secure extension storage) | Until sign-out or token expiry |
| Usage credit count | Device (Secure extension storage) + server | Device: reset daily. Server: per account lifecycle |
| Payment/subscription data | Secure cloud database + Razorpay | Per Razorpay's retention policy and until account deletion |
| Theme preference | Device (Secure extension storage) | Until changed or extension uninstalled |
| Analytics client ID | Device (Secure extension storage) | Until extension uninstalled or storage cleared |
| Analytics session ID | Device (Secure extension storage) | Refreshed every 30 minutes of inactivity |
Your Rights
Under GDPR (EEA and UK Users)
- Right of Access โ Request a copy of data we hold about you
- Right to Erasure โ Request deletion of your account and all associated server data
- Right to Portability โ Export your local memory data via the built-in Export feature (JSON format)
- Right to Object โ Object to processing for certain purposes
- Right to Rectification โ Request correction of inaccurate data
Under CCPA (California Users)
- Right to Know โ Know what personal data is collected and how it is used
- Right to Delete โ Request deletion of your personal information
- Right to Opt-Out โ We do not sell personal data, so this right is already fulfilled
Under India DPDP Act (Indian Users)
- Right to Information โ Know what data is processed and for what purpose
- Right to Correction and Erasure โ Request correction or deletion of your personal data
- Right to Grievance Redressal โ Contact us to raise any data-related grievance
- Right to Nominate โ Nominate another person to exercise your rights in case of death or incapacity
To exercise any of these rights, contact us at promptaura.contact@gmail.com. We will respond to all privacy-related requests within 30 days.
Your Controls & Choices
You have direct control over your data at all times. Here is exactly what you can do and how:
| What You Can Do | How To Do It |
|---|---|
| Request deletion of your prompt logs | Email us at promptaura.contact@gmail.com โ we will delete all stored prompt logs associated with your account within 30 days |
| Export your local memory data | Open the extension ' Memory panel ' Export. Downloads a readable JSON file containing all locally stored memory, projects, and preferences |
| Delete your local memory data | Open the extension ' Memory panel ' Delete All. Immediately clears all locally stored memory from your device |
| Revoke the optional Google AI Studio permission | Chrome Settings ' Extensions ' PromptAura ' Permissions ' Remove aistudio.google.com. Revocation takes effect immediately and does not affect any other feature |
| Sign out of PromptAura | Open the extension side panel ' Settings ' Sign Out. This revokes your session token and clears account data from the device |
| Delete your PromptAura account | Contact us at promptaura.contact@gmail.com. We will permanently delete your account and all associated server-side data |
| Remove your Gemini API key | Open the extension side panel โ Settings โ Sign Out. Signing out securely clears your custom API key and session data from local device storage |
| Block analytics collection | Use any ad blocker or privacy extension (e.g., uBlock Origin) to block requests to google-analytics.com. The extension continues to function normally |
Legal Basis for Processing (GDPR)
For users in the EEA, UK, and similar jurisdictions, we rely on the following legal bases depending on the processing activity:
- Performance of a Contract โ Processing your text via our backend and Google's Gemini API, managing your account, authenticating sessions, maintaining subscription status, and delivering AI-generated results
- Consent โ Accessing text on supported websites when you explicitly trigger a feature; optionally accessing Google AI Studio for API key auto-detection when you grant the permission
- Legitimate Interests โ Operating, securing, maintaining, and improving PromptAura, including service improvement logging (ยง3.4a), anonymised product analytics (ยง7b), fraud and abuse prevention, usage enforcement, and service reliability โ provided these interests are not overridden by your rights and freedoms
When we rely on Legitimate Interests for service improvement logging, we apply safeguards including limited 90-day retention, pseudonymisation, access restrictions, and data minimisation to reduce privacy impact. You may contact us at any time to object to this processing.
Children's Privacy
PromptAura is not directed at children under the age of 13 (or 16 under GDPR). We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child under the applicable age, we will delete that data promptly.
Contact Information
PromptAura
Email: promptaura.contact@gmail.com
Website: https://promptaura.in
We aim to respond to all privacy-related requests within 30 days.
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our extension's features, data practices, or legal requirements. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy
- Provide notice through the extension or Chrome Web Store listing where feasible
Continued use of the extension after changes constitutes acceptance of the updated policy.
Governing Law
This Privacy Policy is governed by the laws of India. For users in other jurisdictions, applicable local data protection laws including GDPR (for EEA/UK users) and CCPA (for California users) also apply where required.