Privacy Policy
Last updated: April 01, 2026
At ChatGPT Toolbox ("we", "us", "our"), operated by Infi Developments, we are committed to protecting your privacy. This Privacy Policy comprehensively explains what data we collect, how we collect it, how we handle, store, and share it, and your rights — in plain language.
1. Data Controller
Infi Developments is the data controller responsible for your personal data. For any privacy-related inquiries, contact us at support@infi-dev.com.
2. What Data We Collect
We collect only the minimum data needed to provide our service. Below is a complete list of every category of data we handle:
2.1 Account information
To authenticate you with the extension and verify your subscription, we collect your email address. Your email is derived from your existing ChatGPT session token (see Section 3 for details) and is used solely for authentication and subscription verification. We do not collect your name, password, physical address, or any other personal identifiers.
2.2 Data stored locally in your browser (never sent to our servers)
The following data is stored entirely on your device and is never transmitted to our servers:
- Your ChatGPT conversation content and message text
- Your ChatGPT session token (used to communicate with ChatGPT on your behalf)
- Extension settings and preferences
- Local search history and recent searches within the extension
- Conversation cache (stored in your browser's IndexedDB for faster search)
- Smart tag computation results (tag matching is performed entirely in your browser — conversation content is never sent to our servers for tagging)
2.3 Data synced to our servers (encrypted)
When cloud sync is enabled, the following data is transmitted over HTTPS and stored in encrypted form on our servers. We cannot read or access the content of this data:
- Folder names, folder structure, and folder color preferences
- Saved prompts and prompt chain definitions
- Conversation IDs (for pinned chats and folder assignments)
- Message IDs (for bookmarked messages)
- Message labels (label text, color, and associated conversation/message IDs)
- Smart tag rules (custom tag names, matching patterns, and colors — not conversation content)
- Usage tracker data: message counts, input/output character counts, ChatGPT model used, session counts, session durations, and hourly activity patterns. This data is synced automatically every 30 minutes when cloud sync is enabled.
2.4 Data processed temporarily (not stored on our servers)
When you use the Context Mentions feature (@@), conversation excerpts (message role and text) and the conversation title are sent to our server to generate a summary. This data is processed in real time and immediately discarded — it is never stored, logged, or used for any other purpose.
2.5 Payment data
Payments are processed by LemonSqueezy (our payment provider). We do not store your credit card details. LemonSqueezy provides us with your email address and payment status so we can verify your subscription. LemonSqueezy's privacy policy governs how they handle your payment information.
2.6 Install and uninstall information
When you install the extension, a welcome page is opened in your browser. When you uninstall the extension, a feedback page may be opened that includes an authentication token so we can process any associated account deletion requests. No additional data is collected during install or uninstall beyond what is described in this policy.
2.7 Analytics
We use Google Analytics on our Chrome Web Store listing page only. We do not use third-party analytics within the extension itself or on our website.
2.8 Cookies
We do not use cookies on our website or within the extension.
3. How We Collect Your Data
We collect data through the following methods:
- Session authentication: The extension reads the authorization header from your existing ChatGPT browser session (via the browser's webRequest API) to authenticate you. This is how we derive your email address and enable the extension to interact with ChatGPT on your behalf. We do not intercept, read, or store the content of your ChatGPT messages through this mechanism.
- Activity detection: The extension monitors ChatGPT network requests (via the browser's webRequest API) to detect when you send a new message. This is used solely to trigger local usage tracking (counting messages and sessions). The extension does not read or store the content of these requests.
- Your actions in the extension: When you create folders, save prompts, bookmark messages, apply labels, or configure smart tag rules, these are synced to our servers if cloud sync is enabled.
- Automatic usage tracking: The extension locally records usage metrics (message counts, session times, model used) as you use ChatGPT. If cloud sync is enabled, these metrics are synced to our servers every 30 minutes. You can disable cloud sync in the extension settings to keep all data local.
4. How We Use Your Data
We use the data we collect for the following purposes only:
- Provide our service: Enable folder sync, prompt access, bookmarks, labels, smart tags, pinned chats, context mentions, and usage analytics across your devices.
- Authenticate your account: Verify your identity using your email address to provide personalized access to your synced data.
- Verify subscriptions: Check your payment status via LemonSqueezy to unlock Premium features.
- Generate conversation summaries: When you use Context Mentions (@@), we process conversation excerpts temporarily to generate a summary, then immediately discard the data.
- Respond to support requests: If you contact us, we use your email to respond.
- Improve the extension: Aggregated, non-personal usage patterns help us understand which features are most valuable so we can improve the experience.
5. How We Store Your Data
Local storage (your browser)
The majority of extension data — including your conversation content, search history, settings, and session tokens — is stored locally on your device using Chrome's built-in storage APIs (chrome.storage.local) and IndexedDB. This data never leaves your browser unless you enable cloud sync for supported features.
Server storage (our infrastructure)
Synced data (folders, prompts, bookmarks, labels, smart tag rules, pinned chats, and usage metrics) is stored on our secure servers hosted on industry-standard cloud infrastructure. All synced data is encrypted at rest, meaning we cannot read or access the content of your folders, prompts, labels, or any other synced data. Data in transit is protected with HTTPS/TLS encryption.
Temporary processing
Context Mentions conversation data is processed in server memory only and is never written to disk, databases, or logs. It is discarded immediately after the summary is generated.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following parties, and only as described:
- Our backend servers (api.infi-dev.com): Your email address (for authentication), encrypted synced data (folders, prompts, bookmarks, labels, smart tag rules, pinned chats, usage metrics), and temporarily processed conversation excerpts for Context Mentions summaries. All synced data is encrypted and unreadable by us.
- LemonSqueezy (payment processor): Payment processing and subscription management. They receive your email and payment details directly. We only receive your email and payment status from them.
- OpenAI / ChatGPT (chatgpt.com): The extension communicates with ChatGPT's existing APIs using your active browser session to provide its features (e.g., fetching conversations for search, exporting chats). This is the same data ChatGPT already has access to — we do not send any additional personal data to OpenAI.
- Google Analytics: Anonymous, aggregated usage data on our Chrome Web Store listing page only. No analytics are collected within the extension.
- Legal obligations: We may disclose data if required by law or in response to a valid legal request from a government authority.
We do not share your data with any other third parties, advertisers, data brokers, or AI model training services.
7. Legal Basis for Processing (GDPR)
We process your data based on the following legal grounds under GDPR Article 6:
- Contract performance: Processing necessary to provide the services you signed up for (e.g., syncing folders across devices, authenticating your account, verifying your subscription).
- Legitimate interest: Processing necessary for the operation and improvement of our services (e.g., aggregated usage analytics to improve features), provided it does not override your rights.
- Consent: Where applicable, we process data based on your explicit consent (e.g., enabling cloud sync, using Context Mentions). You may withdraw consent at any time by disabling the relevant feature or contacting us.
8. Data Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption at rest: All synced data stored on our servers is encrypted. We cannot read the content of your folders, prompts, bookmarks, labels, or usage data.
- Encryption in transit: All communication between the extension and our servers uses HTTPS/TLS encryption.
- Minimal data collection: We follow the principle of data minimization — we only collect what is necessary to provide our service.
- Local-first architecture: The majority of your data (including all conversation content) never leaves your browser, reducing exposure risk.
- Secure infrastructure: Our servers are hosted on industry-standard cloud infrastructure with regular security updates.
- No plaintext logging: We do not log synced data content on our servers.
9. Your Rights
Under GDPR and applicable data protection laws, you have the following rights. To exercise any of these rights, contact us at support@infi-dev.com:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data from our servers.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to restrict processing: Request that we limit how we use your data.
- Right to object: Object to processing based on legitimate interest.
- Right to withdraw consent: You can disable cloud sync at any time in extension settings to stop data transmission to our servers. For other consent-based processing, contact us.
- Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.
We will respond to all data rights requests within 30 days.
10. Data Retention
We retain your synced data (folders, prompts, conversation IDs, message IDs, labels, smart tag rules, usage statistics) for as long as your account is active and cloud sync is enabled.
- Local data: Usage events older than 7 days are automatically pruned from your browser. Daily summaries are retained locally for up to 365 days.
- Server data: Synced data is retained until you request deletion or your account is removed.
- Temporary data: Context Mentions conversation data is discarded immediately after processing — it is never retained.
If you wish to have your server-side data deleted, contact us at support@infi-dev.com and we will remove all associated data from our servers within 30 days.
Uninstalling the extension removes all locally stored data from your browser immediately. Server-side data requires a separate deletion request.
11. International Data Transfers
Our services are available worldwide. Your data may be processed in countries outside your country of residence. Where we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in compliance with GDPR requirements.
12. Children's Privacy
Our free extension does not have age restrictions. However, purchasing a paid plan requires a valid credit card, which is limited to individuals of legal age in their jurisdiction. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at support@infi-dev.com and we will promptly delete it.
13. Enterprise Data Handling
For Enterprise plans, the organization admin can view aggregated usage statistics (e.g., total messages, sessions, active members). Individual conversation content is never accessible to admins or our servers. Each team member's data remains encrypted and private, consistent with the same privacy protections applied to all ChatGPT Toolbox users.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For significant changes, we will make reasonable efforts to notify you via the extension or email.
15. Contact Us
If you have any questions about this Privacy Policy, your data, or your rights, contact us at: support@infi-dev.com