Privacy Policy

Last updated:

At PicoBox, accessible at picobox.app, one of our main priorities is the privacy of our visitors and users. This Privacy Policy describes the types of information that are collected and recorded by PicoBox and how we use them. This policy applies to information we collect through our website and Chrome browser extensions.

This Privacy Policy is compliant with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Information We Collect

We collect information you provide directly to us and information generated through your use of our Service:

Account Information:

  • Email address (required for registration)
  • Password (stored as a secure cryptographic hash, never in plaintext)
  • Account creation date and last login timestamp

Usage Data (Chrome Extensions):

  • Company names queried via CompanyInsight (for quota tracking only)
  • Daily usage counts for quota enforcement
  • Extension version and Chrome version (for compatibility diagnostics)
  • Language/region preferences saved for Language Switcher

Payment Information:

  • We do NOT store your credit card or payment details
  • All payment processing is handled by Lemon Squeezy (PCI-DSS compliant)
  • We only receive transaction confirmations and subscription status updates

Automatically Collected Data:

  • IP address (for rate limiting and fraud prevention)
  • Browser type and operating system
  • Referring URLs and page visit timestamps
  • Error logs and performance metrics

2. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve our Service
  • Process transactions and manage your subscriptions
  • Enforce API quotas and usage limits
  • Send transactional emails (account confirmation, billing receipts)
  • Respond to your support inquiries
  • Detect and prevent fraudulent or abusive activity
  • Analyze aggregate usage patterns to improve the product (anonymized)
  • Comply with legal obligations

We do NOT use your data for advertising purposes. We do NOT sell your personal information to third parties. We do NOT use AI to make automated decisions that significantly affect you.

3. Data Sharing & Third Parties

We share your information only with:

  • Lemon Squeezy — our payment processor. Necessary for transaction processing. Subject to Lemon Squeezy's privacy policy.
  • OpenAI / LLM Providers — company names you analyze via CompanyInsight are sent to our AI provider for analysis. No personally identifiable information is included in these requests.
  • Cloud Infrastructure — our servers are hosted on industry-standard cloud platforms with appropriate security measures.
  • Legal Requirements — we may disclose information if required by law, court order, or governmental authority.

4. Chrome Extension Data Practices

Our Chrome extensions are designed with privacy as a core principle:

  • Extensions only request the minimum necessary browser permissions
  • We do NOT read, collect, or transmit your browsing history
  • We do NOT access the content of web pages you visit unless you explicitly trigger a feature
  • Language Switcher preferences are stored locally in Chrome's sync storage
  • FocusPet focus sessions and pet data are stored entirely locally on your device
  • CompanyInsight only sends the specific company name you highlight — not the surrounding page context

5. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Account data is retained while your account is active
  • After account deletion, personal data is purged within 30 days
  • Anonymized aggregate analytics may be retained indefinitely
  • Payment records are retained for 7 years for tax and legal compliance
  • Log data is automatically deleted after 90 days

6. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate personal data
  • Right to Erasure ("Right to be Forgotten") — Request deletion of your personal data
  • Right to Data Portability — Request your data in a structured, machine-readable format
  • Right to Object — Object to processing of your personal data
  • Right to Withdraw Consent — Withdraw previously given consent at any time

To exercise any of these rights, please email us at [email protected]. We will respond within 30 days.

7. Cookies

We use strictly necessary cookies for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies by default.

Session cookies are automatically deleted when you close your browser. Authentication tokens may be stored in localStorage with appropriate security measures.

8. Security

We implement industry-standard security measures to protect your personal data:

  • All data is transmitted over HTTPS with TLS encryption
  • Passwords hashed using bcrypt with appropriate salt rounds
  • API authentication via JWT tokens with expiry
  • Regular security audits and vulnerability assessments
  • Infrastructure access controls and audit logging

While we implement strong security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately and we will take steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of any significant changes by email or by posting a prominent notice on our website at least 14 days before the changes take effect.

We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices. The "Last Updated" date at the top of this page indicates when this policy was last revised.

11. Contact Us

For any privacy-related inquiries, data access requests, or concerns, please contact our Data Protection team: