Privacy policy - Sovara browser extension
- The policy check happens on your machine. Your message text is never transmitted to be checked - not to us, not to anyone.
- On the free tier there is no backend: nothing is sent anywhere at all.
- If your organisation connects the extension to its Sovara workspace, the extension sends audit metadata only - what was decided, never what you wrote - to your organisation's dashboard.
- We do not sell data. We do not use data for advertising. There is no analytics or tracking in the extension.
What the extension does with your data
When you press Send on a supported AI chat site (ChatGPT, Claude, Gemini, Copilot, Perplexity), Sovara reads the draft message inside your browser and evaluates it against a policy. The result is one of: allow, warn, redact, or block. That evaluation is local. The draft text is not sent over the network for the check, and the extension only runs on the supported chat sites listed in its permissions - no other browsing is read.
What is stored, and where
On your device (browser extension storage): your settings, the active policy, and a local buffer of recent audit events (what was decided and why - rule id, site, timestamp). You can clear this at any time by removing the extension.
Free tier: that is everything. There is no account, no signup, and no server.
Connected mode (Team/Enterprise plans): if your organisation has connected the extension to its Sovara workspace (directly or via managed IT configuration), the extension additionally:
- fetches your organisation's policy and site-selector updates from the Sovara backend; and
- sends audit events to your organisation's workspace. An audit event contains: an event id, the decision (allow/warn/redact/block), the rule that fired, the site, a timestamp, and a user identifier your organisation uses to attribute the event. The current connected browser client sends metadata only; it does not send your message text or a message snippet.
Audit events are stored in the Sovara backend, hosted on Microsoft Azure in the UK South region, encrypted at rest, and automatically deleted after the organisation's retention window (by default: 30 days on free workspaces, 90 days on Team, 365 days on Enterprise).
Who is responsible for what
For connected organisations, your organisation is the data controller of its audit trail; we process it on the organisation's behalf to provide the service. Questions about how your employer uses the audit trail (including the user identifier it assigns) go to your employer. For anything we hold, contact us at the address below.
What we never do
- We never receive, store, or transmit your chat message text for policy checks.
- We do not sell personal data, share it with advertisers, or use it to train AI models.
- The extension contains no third-party analytics, tracking pixels, or ad code.
- The extension does not execute remotely loaded code. Policy and site-selector updates are data, not code.
Enterprise-managed installations
If your IT department installed Sovara via managed policy (Intune, Group Policy, Google Admin), the backend connection and settings are controlled by your organisation and the options page will say so. The privacy properties above are unchanged: checks stay local; only audit metadata leaves the machine.
Your rights
If you are in the UK/EEA, you have rights under data-protection law (access, correction, erasure, objection) over personal data we hold. For audit data held in an organisation's workspace, direct requests to that organisation (the controller); we support them in fulfilling requests. You can complain to the ICO (UK) or your local supervisory authority.
Changes and contact
We will update this page when the product's data handling changes and adjust the effective date. Material changes to what is collected will be called out in the extension's release notes.
Contact: sales@weldonweb.co.uk · Weldon Web Ltd, United Kingdom.