Privacy Policy
Last updated: 2026-06-17
This policy covers the Mandate Companion and Receipted Memory browser extensions.
Plain-language boundary
- The extensions are designed to run without Flow Memory servers.
- We do not build in telemetry, analytics, crash reporting, advertising SDKs, or third-party tracking SDKs.
- We do not escrow extension keys, vault passphrases, provider API keys, recovery sheets, ledgers, receipts, or exports.
- Data you release to a bring-your-own (BYO) model provider, Claude, ChatGPT, or another website is governed by that service after release.
Data stored locally
Mandate Companion
Mandate Companion may store these items in browser extension storage on your device:
- Local signing key material or key metadata protected by the extension vault.
- Encrypted BYO OpenAI or Anthropic API keys, if you choose to save them.
- Active and historical mandates, revocations, local ledger entries, receipt hashes, and export metadata.
- Local settings such as selected provider, model field values, unlock state metadata, and first-run/onboarding acknowledgements.
- Optional local hints or suggestions used to help the user draft a mandate. If a feature suggests names, domains, subjects, or other personal information, those suggestions are local UI assistance unless the user sends them to a provider or website.
Receipted Memory
Receipted Memory may store these items in IndexedDB and browser extension storage on your device:
- User-defined memory fields encrypted in the local AES-GCM vault.
- Vault metadata, passphrase/recovery acknowledgement metadata, and a short recovery-code hash prefix when a recovery sheet is generated.
- Non-extractable signing keys or signing-key metadata used for disclosure receipts.
- Local receipt log entries, previous-receipt hashes, field commitments, withheld field ids, and export metadata.
- Optional local PII suggestions or labels used to help the user decide what to release. These are not a confidentiality classification and may be incomplete or wrong.
Data sent off device
The extensions do not send data to Flow Memory servers.
Data can leave your device through user-directed actions:
- Mandate Companion BYO-provider runs send the goal, mandate wording, page snapshot, proposed action text, step history/result data, and the selected provider API key to the selected OpenAI or Anthropic API. Use the manual JSON tester for a no-provider local demo.
- Receipted Memory inserts selected field values into the Claude or ChatGPT composer. The provider can see those values when the user sends the prepared prompt.
- Websites can receive normal browser interactions that the user routes through Mandate Companion or manually sends after Receipted Memory prepares a prompt.
- Export files leave your control if you email, upload, paste, or otherwise share them.
Export contents
Mandate Companion redacted export
A Mandate Companion export is intended for offline verification. It can include signed mandates, revocations, signed receipts, receipt hashes, chain data, public keys, verifier-facing metadata, verifier results, and redacted summaries. It is not a promise that every underlying page value is absent; inspect exports before sharing.
Receipted Memory compliance export
A Receipted Memory compliance ZIP can include `receipts.jsonl`, `public_key.txt`, `README.txt`, and an offline `verifier.html`. Receipts include released field ids and commitments, withheld field ids, input hashes, timestamps asserted by the client, public keys, signatures, and chain data. Released values are inserted into the provider prompt and are not intentionally stored in portable receipts. However, prompts, field ids, filenames, or user-added context can still contain personal or sensitive data.
Verifier distribution details are documented in `docs/VERIFIER_DISTRIBUTION.md`; coverage gaps and non-claims are documented in `docs/COVERAGE_GAPS.md`.
Recovery and escrow
There is no Flow Memory account recovery or server escrow for either extension.
- If you lose the relevant browser profile, vault state, passphrase, recovery code, or local export, Flow Memory cannot reconstruct it.
- A recovery sheet is user-held material. It should be saved offline and never pasted into a model provider, website, or support channel.
- Browser sync, profile backup tools, enterprise management, malware, other extensions, or operating-system compromise can affect local data outside these extensions' control.
Permissions
The extensions request browser permissions to store local data, display extension UI, and interact with the websites or origins needed for the feature. Host access is used to read the current page context or insert user-approved content. Review the store listing and browser install prompt before enabling a site.
Children's data
These extensions are not directed to children. Do not use them to collect, store, or disclose data from children unless you have the required authority and have evaluated the receiving websites and providers yourself.
No professional advice
The extensions and their receipts, mandates, suggestions, verifier output, and examples are not legal, compliance, investment, financial, tax, medical, or security advice. You are responsible for deciding whether a release, mandate, export, or provider use is appropriate for your situation.
Changes
If this policy changes, the updated file should ship with the extension package and the Web Store listing should point to the current version. Continued use after an update means you accept the updated policy.
Contact
Use the support path in `SUPPORT.md`. Do not include provider API keys, vault passphrases, recovery codes, or unredacted exports in support requests.