Privacy Policy
SpedaxAI Chrome Extension
Last Updated: May 23, 2026
1. Introduction
SpedaxAI ("we," "us," or "our") operates the SpedaxAI Chrome Extension (the "Extension"), which provides users with a persistent browser-side interface for interacting with their custom Web3 AI agents. This Privacy Policy describes, in full, how we collect, handle, store, and share your information when you use the Extension. It has been prepared to meet the disclosure requirements of the Chrome Web Store Developer Programme Policies.
By installing or using the Extension, you agree to the practices described in this policy. If you do not agree, please uninstall the Extension and contact us to delete your data.
2. User Data Collection
We collect only the data that is strictly necessary to operate the Extension's features. The following table describes every category of data collected, why it is collected, and the legal basis for processing it.
| Data Category | Specific Data Points | Purpose | Legal Basis |
|---|---|---|---|
| Browser Content | Visible page text, page title, and URL of the active tab | Powers the Screen Context feature — enables the AI agent to analyse, summarise, or answer questions about the page the user is currently viewing | Explicit user consent (feature is opt-in and toggled per session) |
| Authentication Data | Session / authentication token issued upon login | Keeps the user securely logged in across Extension sessions without requiring repeated credential entry | Contract performance (necessary to provide the service) |
| User Preferences | Selected AI agent ID; Screen Context toggle state; last UI state | Restores the user’s configuration each time the Extension is opened, providing continuity of experience | Legitimate interest (UX continuity) |
| User Inputs | Text prompts submitted to AI agents; any voice-to-text transcriptions | Transmitted to AI models to generate the requested response; not stored beyond the active session unless conversation history is enabled | Contract performance / explicit user action |
| Account Information | Email address; public Web3 wallet address | Manages AI agent ownership, authentication, usage-credit accounting, and Stripe/crypto billing | Contract performance |
| Conversation History (optional) | Full transcript of user–agent exchanges | Stored only if the user opts in; used to provide continuity across sessions and to power user-controlled knowledge bases | Explicit user consent (opt-in only) |
2.1 Data We Do NOT Collect
- Private cryptographic keys or seed phrases
- Passive browsing history (tabs are only read when Screen Context is explicitly activated)
- Microphone, camera, location, or any sensor data
- Data from pages the user has not actively opened the Extension on
- Any data from users who have not created a SpedaxAI account
3. Data Handling
3.1 Processing Principles
All data collected by the Extension is processed in accordance with the following principles:
- Purpose limitation: Data is used exclusively for the function that necessitated its collection. Browser content read via Screen Context is used only to formulate the AI response and is not retained, indexed, or analysed for any other purpose.
- Data minimisation: Only the minimum data necessary to fulfil each function is collected. For example, only the visible text of the active tab is read — not browser history, cookies, passwords, or form data.
- Transparency: All data-collection events are triggered by an explicit user action (opening the Extension, activating Screen Context, or submitting a prompt). No background data collection occurs.
- Security in transit: All data transmitted between the Extension and SpedaxAI servers is encrypted using TLS 1.2 or higher. No unencrypted channels are used.
3.2 AI Model Processing
When a user submits a prompt (with or without Screen Context), the prompt — and any captured page text — is sent to our backend, which routes the request to the appropriate large language model (LLM) provider. Data sent to LLM providers is governed by API-tier data-handling agreements that explicitly prohibit the provider from using your data to train or improve their base models.
Current LLM providers used (subject to change; this policy will be updated accordingly):
- OpenAI, Inc. — governed by the OpenAI API Data Processing Addendum
- Anthropic, PBC — governed by the Anthropic API Usage Policy
- Google LLC (Gemini API) — governed by the Google Cloud Data Processing Addendum
3.3 Web3 & Blockchain Interactions
When a user authenticates via their Web3 wallet, we receive only the user’s public wallet address. We do not request, handle, or store private keys, seed phrases, or signing permissions beyond what is required for the specific authenticated session. Smart-contract interactions (e.g., minting agents, managing credits) are performed client-side and only broadcast to the BNB Smart Chain network — they are not intermediated by SpedaxAI servers.
4. Data Storage
4.1 Local Device Storage (chrome.storage.local)
The following data is stored exclusively on the user’s local device using Chrome’s secure storage API. This data does not leave the device unless the user explicitly triggers a sync or account action:
| Data Stored Locally | Retention Period | Deletion Method |
|---|---|---|
| Authentication token | Until the user logs out or the token expires (typically 30 days) | Cleared automatically on logout; user can also clear via Chrome extension settings |
| Selected agent ID | Indefinite (until changed or extension is uninstalled) | Removed on uninstall or manual reset in Extension settings |
| Screen Context toggle state | Per session; persisted across browser restarts for convenience | Cleared on extension uninstall |
| Last UI state | Per session | Cleared on uninstall |
4.2 Cloud / Backend Storage
The following data is stored on SpedaxAI’s backend infrastructure, hosted on enterprise-grade cloud servers with encryption at rest (AES-256) and in transit (TLS 1.2+):
| Data Stored in Cloud | Retention Period | Deletion Method |
|---|---|---|
| Email address | For the lifetime of the account | Deleted within 30 days of account deletion request |
| Public wallet address | For the lifetime of the account | Deleted within 30 days of account deletion request |
| Conversation history (opt-in only) | Until the user deletes it or closes their account | Deletable at any time via the SpedaxAI dashboard |
| Usage / billing records | 7 years (legal / financial compliance requirement) | Anonymised after account deletion; full deletion upon legal retention expiry |
| AI agent configuration | Until the agent is deleted by the user | Deletable via the SpedaxAI dashboard |
4.3 Decentralised Storage — BNB Greenfield (Optional)
Users may optionally store their AI agent interaction logs and personal knowledge bases on the BNB Greenfield decentralised storage network. When this option is enabled:
- Data is encrypted client-side before upload, using keys controlled solely by the user’s wallet.
- The resulting storage bucket is owned by the user’s wallet address. SpedaxAI does not hold the encryption keys and cannot access this data without an explicit, user-initiated authorisation transaction.
- Data stored on BNB Greenfield is governed by the BNB Greenfield network protocol and is outside SpedaxAI’s direct control once stored.
- Retention is determined by the user’s own storage configuration and the Greenfield network’s storage lease terms.
5. Data Sharing
5.1 No Sale of Personal Data
SpedaxAI does not, and will never, sell, rent, lease, or trade your personal data to any third party for commercial purposes. Your data is not an asset or a product.
5.2 Third-Party Sub-Processors
We share limited, purpose-specific data with the following categories of third-party sub-processors. In each case, data sharing is governed by a Data Processing Agreement (DPA) or equivalent contractual safeguard:
| Sub-Processor Category | Named Providers | Data Shared | Purpose |
|---|---|---|---|
| AI / LLM Providers | OpenAI, Anthropic, Google (Gemini) | User prompts; page context (if Screen Context active) | Generating AI responses. API-tier DPAs prohibit training on user data. |
| Cloud Infrastructure | AWS / GCP (or equivalent) | Account data; conversation history | Hosting SpedaxAI backend services with encryption at rest |
| Payment Processors | Stripe, Inc. | Email; billing details for Stripe transactions | Processing fiat subscription and one-time payments securely |
| Blockchain Network | BNB Smart Chain (public) | Public wallet address; on-chain transaction data | Agent minting, token transfers, and credit management. Inherently public by design. |
| Decentralised Storage | BNB Greenfield (opt-in) | Encrypted interaction logs / knowledge base (user-controlled) | Optional user-sovereign storage. SpedaxAI cannot read this data. |
5.3 Legal Disclosure
We may disclose your data if required to do so by applicable law, court order, or valid request from a governmental or law enforcement authority. We will notify you of such a request to the extent permitted by law before disclosing any data.
5.4 Business Transfers
In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity. You will be notified via email and/or a prominent notice in the Extension at least 30 days before any such transfer, with the option to delete your account before the transfer takes effect.
6. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all personal data we hold about you | Email support@spedaxai.com with subject “Data Access Request” |
| Rectification | Correct inaccurate or incomplete data | Update directly in the SpedaxAI dashboard, or email support |
| Erasure (“Right to be Forgotten”) | Request deletion of your account and all associated personal data | SpedaxAI dashboard → Account Settings → Delete Account, or email support |
| Portability | Receive your conversation history in a machine-readable format (JSON) | Email support@spedaxai.com with subject “Data Portability Request” |
| Restriction | Request that we restrict processing of your data pending a dispute | Email support@spedaxai.com |
| Objection | Object to processing based on legitimate interest | Email support@spedaxai.com |
| Withdraw Consent | Revoke consent for optional features (e.g., conversation history, Greenfield storage) | Toggle off in the SpedaxAI dashboard at any time |
We will respond to all data rights requests within 30 calendar days. For requests that are complex or numerous, we may extend this period by a further 60 days, but we will notify you within the initial 30 days.
7. Cookies & Tracking
The Extension itself does not set browser cookies and does not use cross-site tracking technologies. The SpedaxAI web dashboard (spedaxai.com) uses strictly necessary session cookies and, where consented, analytics cookies governed by a separate Cookie Policy on that website. The Extension does not inject tracking scripts into third-party web pages.
8. Children’s Privacy
The Extension is not directed at, and is not intended for use by, individuals under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal data from children. If we become aware that a child under the applicable age has provided us with personal data, we will take immediate steps to delete that information and terminate the associated account.
9. International Data Transfers
SpedaxAI operates globally. Your data may be transferred to and processed in countries other than the country in which you reside. When transferring data from the European Economic Area, United Kingdom, or Switzerland to a third country, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms, to ensure an adequate level of data protection.
10. Security
We implement the following technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest on SpedaxAI servers is encrypted using AES-256.
- Authentication tokens are stored in Chrome’s sandboxed local storage, inaccessible to other extensions or web pages.
- Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
- Security practices are reviewed periodically; significant incidents will be disclosed to affected users within 72 hours of discovery.
Despite these measures, no system is 100% secure. If you believe your account has been compromised, please contact us immediately at support@spedaxai.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document.
- Display a prominent notice in the Extension and/or on our website for at least 30 days.
- Send an email notification to registered users (where feasible).
Continued use of the Extension after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree with a change, you may delete your account and uninstall the Extension before the change takes effect.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data-handling practices, please contact us:
This policy was prepared to comply with the Chrome Web Store Developer Programme Policies, GDPR, and CCPA requirements.