Effective date: 2026-01-18 Applies to: The Editcred Chrome Extension and related Editcred web services (together, the “Service”). Controller/Operator: [Legal Entity Name] (“Editcred,” “we,” “us,” “our”) Contact: [hey@editcred.com]

Editcred is a browser-based editing tool that captures AI-generated drafts into a structured side-panel editor and helps verify human authorship using proof-of-effort metadata and provenance signing. This policy explains what data we collect, why we collect it, how we protect it, and the choices you have.

1. Key Definitions

• Triad: (1) the AI prompt, (2) the full AI response, and (3) your edited version (the keptText).
• Proof-of-Effort Metadata: Interaction signals used to compute authorship/effort indicators (e.g., time-on-task, edit counts, typing rhythm metrics).
• Human Agency Score (HAS): A score derived from Proof-of-Effort Metadata to support authorship verification.
• Provenance Record: A cryptographically signed record associated with a finalized document (e.g., a C2PA-compatible provenance manifest), used to verify authenticity.

2. What We Collect and Why

2.1 Content You Capture (Triads)

What we collect

• AI prompt text (as captured by you / your browser actions)
• AI response text (as captured by you / your browser actions)
• Your edited text (keptText) and document structure (blocks, ordering)

Why we collect it

• To populate the side-panel editor and let you build a structured document
• To compute editing/relevance metrics (e.g., what was kept vs. removed)
• To support document export (e.g., DOCX, static webpage) and sync (if enabled)
• To generate provenance records for finalized documents (if you choose to finalize/sign)

Notes

• You control what you capture. Editcred is designed to capture content from supported AI/chat pages when you explicitly select/copy/highlight or otherwise invoke capture features.

2.2 Proof-of-Effort Metadata (Authorship Verification)

What we collect

• Time-on-task within the editor (active editing time)
• Edit operations (e.g., insert/delete counts, block moves, revisions)
• Keystroke rhythm signals such as timing, velocity, and counts (metadata only)

What we do not collect for this purpose

• We do not record the actual characters you type as “keystroke logs” for password harvesting or surveillance.
• We do not attempt to detect or capture passwords, payment data, or unrelated sensitive inputs.

Why we collect it

• To compute the HAS and related proof-of-effort indicators
• To produce authenticity reporting (private by default; public only if you opt in)

Important

• If you plan to edit sensitive content (e.g., credentials, financial identifiers) exclude that content from the document.

2.3 Professional Identity (Optional)

What we collect (only if you consent via LinkedIn)

• Basic profile data such as name, profile identifier, email, job title, and industry (depending on the scopes you authorize)

Why we collect it

• To associate documents with your account (cloud sync, access control)
• To provide industry-specific benchmarks and optional “Verified Expert” indicators (where offered)
• To show authorship attribution on documents you publish (only if you choose to publish)

What we do not do

• We do not request access to your private messages.
• We do not post to social networks without your explicit, separate action/consent (where sharing features exist).

2.4 Device and Extension Telemetry (Operational)

What we collect

• Extension and app version, browser version, OS type, basic performance data (e.g., errors, crash logs)

Why we collect it

• To maintain reliability, troubleshoot bugs, prevent abuse, and improve performance

Controls

• Where feasible, telemetry is configurable in settings, and non-essential analytics can be disabled.

3. Permissions and Access (Chrome Extension)

Editcred requests only the permissions needed to provide user-facing features. Depending on your build and configuration, this may include:

• Storage: to save documents and settings locally
• Active tab / host access: to capture content you explicitly select/copy on supported pages
• Scripting: to enable the side-panel editing experience and capture actions on supported sites
• Identity (optional): to support Google sign-in if you choose to sign in

We do not collect your general browsing history. We access page content only to the extent required to capture the content you instruct Editcred to capture and to provide the editor features on supported pages, consistent with Chrome Web Store requirements. ([Chrome for Developers][3])

4. How We Use Data

We use the data described above to:

1. Provide core functionality (capture → edit → reorder → export)
2. Compute editing and relevance metrics
3. Compute HAS and related authorship verification indicators
4. Generate provenance records (signing) for finalized documents
5. Provide optional cloud sync and account-based access
6. Secure the Service (fraud prevention, abuse detection, operational monitoring)
7. Provide support and debugging (e.g., investigating crashes)

We do not sell your personal data.

5. Provenance Signing, C2PA-Compatible Records, and Public Verification

When you finalize a document, you may choose to generate and store a Provenance Record (e.g., a C2PA-compatible provenance manifest and signature).

5.1 What gets stored as part of provenance

Depending on the feature you use and your settings, we may store:

• A cryptographic hash (or similar digest) of the finalized content
• A provenance manifest describing the document’s creation context (e.g., “AI draft edited by a human,” plus relevant metadata you allow)
• A cryptographic signature and related verification material (e.g., signing certificate/public key info)
• Timestamps and integrity metadata

5.2 What is public vs. private

• Private by default: Provenance and HAS details are available only to you when stored in your account.
• Public only if you opt in: If you publish a “Public Authenticity Report” or a public webpage export, certain provenance fields and verification endpoints may be publicly accessible to enable third-party verification (including search engine crawlers).

5.3 What we do not publish by default

• We do not publish your full document text or Triads unless you explicitly choose a public export/publish option.

6. Where Data Is Stored

6.1 Local-First Storage (Default)

• Documents, blocks, and settings are stored locally in your browser using Chrome extension storage for immediate use.

6.2 Cloud Sync (Optional)

If you opt in to cloud sync:

• Your documents, Triads, metrics, and provenance records are transmitted to our servers over secure connections.
• We use encryption in transit (TLS/HTTPS). Where offered, content is encrypted at rest.
• Cloud sync enables multi-device access and generation of authenticity reports.

7. Data Sharing and Disclosure

7.1 Service Providers (Processors)

We may use vetted service providers to operate the Service (e.g., hosting, storage, analytics, error monitoring). They process data only on our instructions and only as needed to provide the Service.

7.2 Legal Requirements

We may disclose information if required by law, lawful process, or to protect rights, safety, and security.

7.3 Business Transfers

If we undergo a merger, acquisition, or asset sale, user data may be transferred subject to this policy (with notice where required).

7.4 No Sale of Personal Data

We do not sell personal data to third parties.

8. Data Minimization and Limited Use Disclosure

8.1 Chrome Web Store Limited Use

We comply with the Chrome Web Store User Data policy requirements, including limiting collection and use of data to what we disclose and what is necessary for user-facing features. (Chrome for Developers)

8.2 Google API Services User Data (If Google Sign-In / Google APIs Are Used)

If Editcred accesses Google user data via Google APIs (e.g., for sign-in):

• Editcred’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.
• We use such data only to provide or improve user-facing features in Editcred and do not use it for advertising or sell it. (Google for Developers)

9. Data Retention

• Local data: retained until you delete it via extension controls or uninstall the extension (which removes local extension storage).
• Cloud data (if enabled): retained while your account is active and as needed to provide the Service.
• Deletion: when you delete documents or your account, we delete associated data from active systems and remove it from backups on a rolling basis consistent with security and integrity needs.

If you publish public content (e.g., a static webpage export), deletion may not immediately remove third-party cached copies (e.g., search engine caches), though we will remove public access on our systems when you request deletion.

10. User Controls and Choices

You can control Editcred’s behavior in Extension Settings, including:

• Disable auto-capture / limit capture to supported sites
• Enable Private Mode (to restrict donation/export/public sharing features where offered)
• Redact sensitive information using built-in redaction tools (e.g., emails, phone numbers, IDs) before exporting or syncing
• Export or download your documents
• Delete specific documents, Triads, metrics, and provenance records
• Delete your account and associated cloud data (if you created an account)

11. Security

We implement technical and organizational measures designed to protect data, including (where applicable):

• Secure transport (TLS/HTTPS)
• Access controls and least-privilege practices
• Monitoring for abuse and operational security events
• Separation of public verification endpoints from private document content

No system can be guaranteed 100% secure. You are responsible for keeping your device secure and using the Service appropriately for your risk level.

12. International Transfers

If you use cloud sync, your data may be processed in countries other than where you live. We take steps designed to ensure appropriate safeguards for cross-border transfers where required by law.

13. Children’s Privacy

The Service is not directed to children under 13 (or the minimum age required by your jurisdiction). We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this policy to reflect changes in features, legal requirements, or security practices. We will update the “Effective date” and, where required, provide additional notice through the extension UI or our website.

15. Contact

For privacy questions, requests, or complaints:

• Email: [hey@editcred.com]
• Address: [Postal Address]

If you want to exercise access/deletion rights for cloud data, include the account identifier you used to sign in (e.g., email), and specify the documents or data categories you want removed.