Privacy Policy

Updated: October 2025

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

Introduction

M5 Chat ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how our Chrome extension collects, uses, and protects your information when you use M5 Chat to generate smart, natural, and auto-translated messages for Indonesian freelancers.

1. Information We Collect

Data Collection Principle: We only collect data that is necessary for the extension to function properly and provide you with the best possible experience. All data collection is transparent and serves a specific purpose.

1.1. Personal Information

  1. Google Account Information
    We collect your email address, name, and profile picture when you sign in using Google OAuth 2.0. This information is used to authenticate your identity, personalize your experience, and synchronize your preferences across devices. We only request the email and profile scopes, and we do not access your Google Drive, Gmail, or any other Google services.
  2. User Preferences
    We collect your language settings (Indonesian/English), tone preferences (formal/casual), and maximum word count for generated messages. This information is used to customize message generation according to your communication style and needs. Your preferences are stored locally in your browser and may be optionally synced to our servers to enable cross-device access.
  3. API Keys
    We collect user-provided API keys for AI services (only if you choose to use your own). These keys are required to access AI services on your behalf for message generation. For security, your keys are encrypted and stored locally in your browser and are never transmitted to our servers.

1.2. Usage Data

  1. Selected Text
    We collect text you highlight on web pages when using the extension. This allows us to understand context and generate appropriate responses or translations. The highlighted text is processed temporarily for message generation and is not permanently stored. Our extension works across WhatsApp, Slack, Discord, Telegram, Upwork, and other supported platforms.
  2. Generated Content
    We collect messages and translations created by the extension. This information is used to improve AI model performance and provide better suggestions. All content is temporarily processed and is not permanently stored unless you explicitly choose to save it.
  3. Extension State
    We collect information about which features you use, how frequently you use them, and error logs. This data helps us improve extension performance and fix bugs. All information is aggregated and anonymized to protect your privacy.

1.3. Technical Data

  1. Extension Version
    We collect the current version number of the installed extension. This allows us to ensure compatibility and provide appropriate updates.
  2. Browser Storage
    We collect local storage data, including preferences, authentication tokens, and temporary data. This is necessary to maintain extension functionality between browser sessions. You remain in control — you can clear this data anytime through your browser settings.
  3. Device Information
    We collect your browser type and version to ensure the extension works properly on your device. No personal device identifiers are collected.

1.4. Data We Do NOT Collect

Important: We want to be transparent about what we do not collect. Our extension does not access or store:

  1. Your browsing history or the websites you visit
  2. Content of your private messages or emails
  3. Passwords or other sensitive authentication information
  4. Financial information or payment details
  5. Location data or GPS coordinates
  6. Contacts or address book information
  7. Files or documents from your device

2. How We Use Your Information

Data Usage Principle: We use your information solely to provide and improve our services. We never use your data for advertising, marketing to third parties, or any purpose unrelated to the extension's functionality.

2.1. Core Functionality

  1. Authentication and Account Management
    Authentication is handled securely to protect your privacy. The primary purpose is to verify your identity and provide secure access to the extension. During this process, Google OAuth tokens are used for authentication, ensuring that your password is never stored. The data used for this purpose includes your email address and profile information from Google. For your security, authentication tokens are refreshed automatically and expire according to Google’s security policies.
  2. Message Generation and AI Processing
    The purpose of this feature is to analyze the text you select and generate contextually appropriate responses. In this process, the selected text is sent to AI services—using your API key if you provide one—in order to generate professional and natural responses. The data used for this functionality includes the selected text along with your preferences such as tone, language, and word count. To achieve this, we rely on advanced language models that are designed to understand context and produce human-like responses. For quality control, all generated content is filtered for appropriateness and professionalism before being presented to you.
  3. Translation Services
    The purpose of this feature is to provide real-time translation between Indonesian and English. In the process, the selected text is sent to the Google Translate API to ensure accurate and reliable translation. The data used includes the selected text and your target language preferences. This functionality is seamlessly integrated with message generation, enabling smooth and effective multilingual communication.

2.2. Personalization and User Experience

  1. Preference Management
    The purpose is to customize the extension according to your communication style and needs. In this process, your settings are saved locally and optionally synced across devices. The data used includes language preferences, tone settings, and word count limits. This provides a consistent experience across different platforms and devices.
  2. Context-Aware Suggestions
    The purpose is to provide more relevant and appropriate message suggestions. In this process, the extension analyzes the platform you're using (WhatsApp, Slack, etc.) to adjust tone and style. The data used includes platform detection, conversation context, and user preferences. For your privacy, context analysis happens locally in your browser.

2.3. Service Improvement and Analytics

  1. Performance Optimization
    The purpose is to improve extension speed, reliability, and user experience. In this process, we collect anonymized usage statistics and error reports. The data used includes feature usage frequency, error logs, and performance metrics. For your privacy, all analytics data is aggregated and cannot be traced back to individual users.
  2. Feature Development
    The purpose is to understand which features are most valuable and develop new ones. In this process, we analyze anonymized usage patterns and user feedback. The data used includes feature usage statistics and user preference trends. This results in better features and an improved user interface based on real usage data.

2.4. Security and Compliance

  1. Fraud Prevention
    The purpose is to protect against unauthorized access and misuse. In this process, we monitor for unusual activity patterns and potential security threats. The data used includes authentication logs and usage patterns. We implement automatic security measures and provide user notifications when necessary.
  2. Legal Compliance
    The purpose is to comply with applicable laws and regulations. In this process, we handle data according to GDPR, CCPA, and other privacy laws. The data used is only what's necessary for legal compliance. We maintain clear documentation of all data processing activities for transparency.

2.5. Data Processing Workflow

Typical Data Flow:

  1. Text Selection: You select text on a webpage
  2. Context Analysis: Extension analyzes the platform and context locally
  3. Preference Application: Your saved preferences are applied
  4. AI Processing: Text is sent to AI services for generation (using your API key)
  5. Response Generation: AI generates appropriate response based on context and preferences
  6. Quality Check: Generated content is reviewed for appropriateness
  7. Delivery: Final message is presented to you for review and use
  8. Cleanup: Temporary data is cleared after processing

3. Data Storage and Security

Security First Approach: We implement multiple layers of security to protect your data, following industry best practices and compliance standards. Your privacy and data security are our top priorities.

3.1. Local Storage (Browser-Based)

Primary Storage Location: Most of your data is stored locally in your browser using Chrome's secure storage API.

  1. User Preferences and Settings
    Storage Method: Chrome's sync storage API (encrypted by Google). Data Included: Language preferences, tone settings, word count limits. Security: Encrypted and synchronized across your devices using your Google account. Access Control: Only accessible by the M5 Chat extension.
  2. Authentication Tokens
    Storage Method: Chrome's local storage with encryption. Security Features: Automatic expiration, secure token refresh. Protection: Tokens are never exposed to web pages or other extensions.
  3. API Keys (User-Provided)
    Encryption: AES-256 encryption before storage. Access: Only decrypted when needed for API calls. Isolation: Stored separately from other data. Control: You can delete or change API keys anytime.

3.2. External Services and Cloud Infrastructure

  1. Supabase (Backend Services)
    Purpose: User profile management and preference synchronization. Security: SOC 2 Type II compliant, ISO 27001 certified. Data Location: Servers located in secure data centers. Encryption: Data encrypted in transit and at rest. Access Control: Role-based access with multi-factor authentication.
  2. Google OAuth and APIs
    Authentication: Industry-standard OAuth 2.0 protocol. Security: Google's enterprise-grade security infrastructure. Scope Limitation: Only 'email' and 'profile' scopes requested. Token Management: Automatic token refresh and expiration.
  3. Google Translate API
    Data Processing: Text processed temporarily for translation. Privacy: Google's privacy policies apply to translation data. Retention: Translation requests not permanently stored.

3.3. Comprehensive Security Measures

  1. Data Transmission Security
    Encryption: All data transmitted using TLS 1.3 encryption. Certificate Validation: Strict SSL certificate validation. HSTS: HTTP Strict Transport Security enabled. API Security: Secure API endpoints with authentication.
  2. Access Control and Authentication
    Multi-Factor Authentication: Supported through Google OAuth. Session Management: Secure session handling with automatic timeout. Permission Model: Minimal permissions requested from browser. API Rate Limiting: Protection against abuse and unauthorized access.
  3. Data Protection Practices
    Data Minimization: Only collect data necessary for functionality. Encryption at Rest: All stored data encrypted using industry standards. Secure Deletion: Proper data wiping when information is deleted. Regular Security Audits: Periodic security assessments and updates.
  4. Monitoring and Incident Response
    Security Monitoring: 24/7 monitoring for security threats. Anomaly Detection: Automated detection of unusual activity. Incident Response: Established procedures for security incidents. User Notification: Prompt notification of any security issues.

3.4. Privacy by Design

Our Security Philosophy:

  1. Local-First: Most processing happens locally in your browser
  2. Minimal Data Collection: We only collect what's absolutely necessary
  3. Transparent Processing: Clear documentation of all data handling
  4. User Control: You maintain control over your data at all times
  5. Regular Updates: Continuous security improvements and updates
  6. Compliance: Adherence to GDPR, CCPA, and other privacy regulations

3.5. Data Breach Prevention and Response

  1. Prevention Measures
    Regular security assessments and penetration testing. Employee security training and background checks. Secure development practices and code reviews. Infrastructure hardening and network security.
  2. Response Protocol
    Immediate containment and assessment of any security incident. Notification to affected users within 72 hours. Cooperation with relevant authorities as required. Post-incident analysis and security improvements.

4. Data Sharing and Disclosure

No Sale Policy: We do not sell, trade, or otherwise transfer your personal information to third parties for commercial purposes.

4.1. Service Providers

  1. Google Services
    We share data with Google for authentication and translation services. This includes your email address and profile information for OAuth, and selected text for translation. Google's privacy policies apply to this data sharing.
  2. Supabase (Backend Services)
    We share user profile data and preferences with Supabase for backend services. This enables cross-device synchronization and account management. Supabase is SOC 2 compliant and follows strict security standards.

4.2. Legal Requirements

We may disclose your information when required by law or to protect our rights, including:

  1. Compliance with legal obligations
  2. Protection against fraud or security threats
  3. Enforcement of our terms of service

4.3. Business Transfers

In case of merger, acquisition, or sale of assets, your information may be transferred to the new entity. We will notify you of any such transfer and ensure your privacy rights are maintained.

5. Your Rights and Choices

Your Privacy Rights: We respect your privacy rights and provide you with comprehensive control over your personal data.

5.1. Access and Control

  1. Data Access
    You can request a copy of all personal data we hold about you by contacting team@95w.dev.
  2. Data Correction
    You can update your preferences and profile information directly in the extension settings.
  3. Data Deletion
    You can delete your account and all associated data by contacting us or uninstalling the extension.

5.2. Extension Controls

  1. Disable specific features in extension settings
  2. Clear local storage through browser settings
  3. Revoke Google OAuth permissions
  4. Uninstall the extension to remove all data

6. Data Retention

  1. Local Data: Stored until you uninstall the extension or clear browser data
  2. Account Data: Retained while your account is active
  3. Usage Data: Processed temporarily and not permanently stored

7. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the "Last updated" date.

8. Third-Party Services

8.1. Google Services

  1. Google OAuth: Subject to Google's Privacy Policy
  2. Google Translate API: Subject to Google Cloud Terms of Service

8.2. Supabase

  1. Backend services are provided by Supabase
  2. Subject to Supabase Privacy Policy

9. Permissions Explained

Our extension requests the following permissions:

  1. activeTab: To interact with the current webpage for text selection
  2. storage: To save your preferences and settings locally
  3. clipboardWrite: To copy generated messages to clipboard
  4. sidePanel: To display the extension interface
  5. identity: For Google OAuth authentication

10. Children's Privacy

Our extension is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data during such transfers, in compliance with applicable data protection laws.

12. Legal Compliance

12.1. GDPR Compliance (EU Users)

For users in the European Union, we comply with the General Data Protection Regulation (GDPR). This includes:

  1. Lawful basis for processing personal data
  2. Data subject rights (access, rectification, erasure, portability, etc.)
  3. Data protection by design and by default
  4. Appropriate technical and organizational measures

12.2. CCPA Compliance (California Users)

For users in California, we comply with the California Consumer Privacy Act (CCPA). This includes:

  1. Right to know what personal information is collected
  2. Right to delete personal information
  3. Right to opt-out of the sale of personal information
  4. Right to non-discrimination for exercising privacy rights

12.3. Chrome Web Store Compliance

This extension complies with Google Chrome Web Store policies, including:

  1. Limited use of permissions
  2. Transparent data collection practices
  3. Secure handling of user data
  4. Clear privacy disclosures

12.4. Google API Services User Data Policy

Our use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

  1. Email: team@95w.dev
  2. Website: https://www.m5.chat
  3. Privacy Policy: https://www.m5.chat/privacy-policy

This Privacy Policy was last updated in October 2025.