Privacy Policy

Last updated: March 9, 2026

This Privacy Policy describes how Alterra Horizons, LLC ("we," "us," or "our") collects, uses, stores, and shares information when you use the Contact Scout Chrome extension ("Extension") and related services. By installing or using the Extension, you agree to the practices described in this policy.

1. Information We Collect

We collect only the minimum data necessary to provide and operate the Extension. The table below summarizes all data types we collect:

| Data Type | What We Collect | Purpose | Stored? |
|---|---|---|---|
| Google Email Address | Your Google account email, obtained via Chrome Identity API (chrome.identity) | Identify your account for subscription billing and usage tracking | Yes — in our database |
| Usage Counts | Number of AI Scout and Offline Mode operations performed | Enforce subscription plan limits | Yes — in our database |
| Subscription Status | Your plan type (Free, Standard, Pro), billing period dates | Determine feature access and quotas | Yes — in our database |
| User-Selected Text | Text you explicitly highlight on a web page for contact extraction | Parse contact information (name, email, phone, etc.) | No — processed in memory only, never stored |
| User-Selected Images | Images you explicitly right-click for AI contact extraction (e.g., business card photos) | AI-powered contact extraction via Google Gemini | No — processed in memory only, never stored |
| OAuth Token | Google OAuth 2.0 access token | Authenticate requests to our backend and to Google People API | No — held in browser memory only, managed by Chrome |
| Extension Settings | Your theme preference and display settings | Customize the Extension UI to your preference | Yes — locally in chrome.storage.sync (synced across your Chrome browsers) |

1.1 Information We Do NOT Collect

  • Contact Data: The contact information you extract (names, phone numbers, email addresses, etc.) is processed in your browser or in transient server memory and saved directly to your Google Contacts. We never store extracted contact data in our database or on our servers.
  • Browsing History: We do not track, collect, or store your browsing history or the URLs of pages you visit.
  • Web Browsing Activity: We do not monitor which websites you visit. The Extension only activates when you explicitly select text or right-click an image.
  • Page Content: We do not access or store the content of web pages you visit, except for the specific text or images you explicitly select for contact extraction.
  • Payment Card Information: All payment processing is handled by Stripe. We never see, receive, or store your credit card numbers, bank account details, or other financial information.

2. Chrome Extension Permissions

The Extension requests the following Chrome permissions. Each permission is used solely for the purpose described:

| Permission | Why It Is Needed |
|---|---|
| activeTab | Access the currently active tab to read user-selected text for contact extraction. Only activates when you click the Extension or use the context menu. |
| identity / identity.email | Obtain your Google email address for subscription billing and authenticate with Google APIs (People API for saving contacts, OAuth for backend requests). |
| storage | Temporarily store parsed contact data between the content script and popup UI, and cache subscription status and Extension settings (theme preference). |
| scripting | Inject the content script that captures user-selected text and displays the contact review panel on the active page. |
| contextMenus | Add right-click menu options ("Scout Text (Offline)," "Scout Text (AI)," and "Scout Image (AI)") for triggering contact extraction on selected text or images. |
| Host permissions (people.googleapis.com, contact-scout-chrome-ext.vercel.app) | Communicate with Google People API to save contacts to your Google Contacts, and with our backend server for AI-powered contact extraction and subscription management. |

3. How We Handle Your Data

This section describes how your data flows through the Extension for each operation:

3.1 Offline Mode (Regex-Based Parsing)

  1. You highlight text on a web page and use "Offline Mode."
  2. The Extension reads the selected text from the active tab.
  3. Contact information is parsed locally in your browser using pattern matching (regex). No data leaves your device.
  4. Parsed contact fields are displayed in the Extension panel for your review and editing.
  5. If you click "Save to Google Contacts," the contact is sent directly from your browser to Google People API using your OAuth token.

3.2 AI Scout (AI-Powered Extraction)

  1. You select text or right-click an image and choose "AI Scout."
  2. The selected text or image is sent from your browser to our backend server (contact-scout-chrome-ext.vercel.app) over HTTPS.
  3. Our backend forwards the text or image to Google Gemini API for AI-powered contact extraction.
  4. Google Gemini returns structured contact data to our backend.
  5. Our backend relays the extracted contact data back to your browser. Neither our backend nor Google Gemini stores the text, image, or extracted contact data.
  6. Parsed contact fields are displayed in the Extension panel for your review and editing.
  7. If you click "Save to Google Contacts," the contact is sent directly from your browser to Google People API.

3.3 Subscription and Billing

  1. When you subscribe, you are redirected to a Stripe-hosted checkout page. We never handle your payment information.
  2. After payment, Stripe sends a webhook notification to our backend with your subscription details.
  3. Our backend stores your email address, plan type, and usage counts in our database (Supabase) to manage your subscription.

Data Processing Guarantee

  • Google Gemini Only — All AI processing is performed exclusively by Google's Gemini API. We do not use any other third-party AI providers.
  • Stateless Processing — Your text and images exist in server memory only for the duration of the API call (typically 2–10 seconds). No text or images are persisted on any server or disk.
  • No Training Data — Data sent via the Gemini API with an API key is not used to train Google's models, per Google's API Terms of Service.
  • Google Ecosystem — The entire AI data path stays within Google infrastructure: Google Identity (authentication) → Google Gemini (AI processing) → Google People API (contact saving).
  • No Contact Data Storage — Our database stores only your email address and usage counts for billing. Extracted contact data is never written to our database.

4. Data Storage

We store only the minimal data required to operate the subscription and billing system:

4.1 What We Store

| Data | Where Stored | Encryption |
|---|---|---|
| Email address, subscription plan, usage counts | Supabase (PostgreSQL database hosted on AWS in the United States) | Encrypted at rest (AES-256) and in transit (TLS 1.2+) |
| Extension settings (theme preference) | Locally in your browser via chrome.storage.sync | Managed by Google Chrome (synced via your Google account) |
| Temporary contact data (between parsing and display) | Locally in your browser via chrome.storage.local | Stored only in your browser; cleared after use |
| Payment and billing details | Stripe (PCI DSS Level 1 certified) | Managed by Stripe; we never access or store payment card data |

4.2 What We Do NOT Store

  • Extracted contact information (names, phone numbers, email addresses, addresses)
  • Selected text or images from web pages
  • Browsing history or page URLs
  • Credit card numbers or bank account details
  • Passwords or authentication credentials

5. Data Sharing

We do not sell, rent, or trade your personal information to any third party. We share data only with the following service providers, and only as necessary to operate the Extension:

| Service Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Google Gemini API | User-selected text or images (only when AI Scout is used) | AI-powered contact extraction | Google Privacy Policy |
| Google People API | Extracted contact data (only when you click "Save to Google Contacts") | Save contacts to your Google Contacts | Google Privacy Policy |
| Stripe | Email address (for billing); payment info handled directly by Stripe | Payment processing and subscription management | Stripe Privacy Policy |
| Supabase | Email address, subscription status, usage counts | Database hosting for billing records | Supabase Privacy Policy |
| Vercel | Server request logs (IP address, timestamps); text/images pass through transiently | Backend hosting (serverless functions) | Vercel Privacy Policy |

We may also disclose information if required by law, legal process, or to protect the rights, property, or safety of Alterra Horizons, LLC, our users, or the public.

6. Google Contacts Integration

The Extension uses the Google People API to save contacts to your Google Contacts. This requires you to grant permission via OAuth 2.0. We only access Google Contacts to create new contacts or update duplicate contacts on your behalf. We do not read your full contact list, and we do not delete your existing contacts.

7. Data Retention and Deletion

7.1 Retention Periods

  • Account data (email, subscription status, usage counts): Retained for as long as your account is active and for up to 12 months after subscription cancellation for accounting and legal purposes.
  • Transient data (selected text, images, extracted contacts): Not retained. Exists only in memory during processing and is discarded immediately after.
  • Extension settings: Stored locally in your browser until you uninstall the Extension or clear browser data.
  • Server logs: Vercel server logs (which may include IP addresses) are automatically deleted after 30 days per Vercel's retention policy.

7.2 Data Deletion

You may request deletion of all your personal data at any time by emailing privacy@contactscout.app. Upon receiving your request, we will:

  • Delete your account record, subscription data, and usage counts from our database within 30 days
  • Confirm deletion via email

You can also uninstall the Extension at any time, which removes all locally stored settings and cached data from your browser.

8. Data Security

We implement the following technical and organizational measures to protect your information:

  • Encryption in transit: All data transmitted between your browser, our backend, and third-party services uses HTTPS (TLS 1.2 or higher). No data is ever sent over unencrypted HTTP.
  • Encryption at rest: Database records are encrypted at rest using AES-256 encryption via Supabase's infrastructure on AWS.
  • Authentication: Backend API requests are authenticated using Google OAuth 2.0 tokens, verified against Google's token validation endpoint.
  • Rate limiting: API endpoints are rate-limited to prevent abuse.
  • Content Security Policy: The Extension enforces a strict Content Security Policy (CSP) to prevent cross-site scripting (XSS) and code injection attacks.
  • Minimal permissions: The Extension requests only the Chrome permissions necessary for its core functionality.
  • No PII in logs: Email addresses are redacted in server logs to prevent accidental exposure of personal information.
  • SSRF protection: Backend endpoints that process URLs block requests to private/internal IP ranges.

While we take these precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Limited Use Disclosure

The use and transfer of information received from Google APIs to any other app will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

Specifically, we certify that:

  • We only use data obtained through Chrome APIs for the Extension's primary purpose of extracting and saving contact information.
  • We do not sell user data or use it for advertising purposes.
  • We do not transfer user data to third parties except as described in this policy (service providers necessary for operation).
  • We do not use user data for creditworthiness determinations or lending purposes.
  • Human employees do not read user content (selected text or images) unless explicitly authorized by the user for support purposes, required for security investigation, or required by law.

10. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information (see Section 7.2).
  • Restriction: Object to or restrict certain processing of your data.
  • Portability: Request your data in a structured, machine-readable format.
  • Withdraw consent: Revoke consent at any time by uninstalling the Extension and requesting data deletion.

To exercise any of these rights, contact us at privacy@contactscout.app. We will respond within 30 days.

11. Children's Privacy

The Extension is not intended for children under 13 (or under 16 in the European Economic Area). We do not knowingly collect information from children. If we learn that we have collected personal information from a child, we will delete it promptly.

12. International Data Transfers

Our backend servers and database are hosted in the United States. If you are accessing the Extension from outside the United States, please be aware that your information (email address and usage data) may be transferred to and processed in the United States. By using the Extension, you consent to this transfer. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also provide notice through the Extension. Your continued use of the Extension after changes are posted constitutes acceptance of the updated policy.

14. California Privacy Disclosures

14.1 California Residents — CCPA/CPRA

Contact Scout is a small, independent product operated by Alterra Horizons, LLC. At the time of this writing, we do not meet the revenue or data volume thresholds that trigger mandatory CCPA/CPRA business obligations (annual gross revenue of $26.625M+, or personal information of 100,000+ California residents). Accordingly, we are not currently a "business" subject to CCPA as defined in California Civil Code § 1798.140.

That said, we voluntarily extend the following rights to all California residents:

  • Right to Know: You may request a description of the categories of personal information we collect and the purposes for which we use it. See Section 1 of this policy.
  • Right to Delete: You may request deletion of your personal information. See Section 7.2.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any privacy rights.
  • No Sale of Personal Information: We do not sell, share, or rent your personal information to any third party for monetary or other consideration.

To submit a request, contact us at privacy@contactscout.app. We will respond within 30 days.

14.2 Do Not Track / Cross-Site Tracking (CalOPPA)

Contact Scout does not track users across third-party websites or online services, and does not permit any third party to do so through the Extension, except as described in this policy for necessary service-provider processing (Google Gemini, Supabase, Stripe, Vercel).

The Extension does not respond to browser Do Not Track (DNT) signals because it does not engage in cross-site behavioral tracking in the first place. The Extension only activates when you explicitly select text or right-click an image — it never passively monitors your browsing activity, and it has no access to your browsing history or other tabs.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@contactscout.app
  • Company: Alterra Horizons, LLC
  • Website: https://contactscout.app/

© 2026 Alterra Horizons, LLC. All rights reserved.