Company Portal User Portal
Chrome extension privacy

TraceProof Protect Privacy Policy

A direct, extension-specific policy for Chrome Web Store review and for operators using TraceProof Protect with Gmail.

Last updated: 16 May 2026

TraceProof Protect is a Chrome extension for approved TraceProof operators. It lets an authorised operator add independent TraceProof verification to Gmail drafts using organisation-approved profiles, purposes, senders, and templates.

This extension-specific policy explains what the extension handles, what is sent to TraceProof, and what stays local in the browser. It should be read together with the broader TraceProof Privacy Policy.

Single purpose

The extension has one purpose: to help an approved TraceProof operator protect a Gmail draft by creating a TraceProof reference, inserting a verification block, and finalising message fingerprints so the recipient can later check whether the received message matches the protected version.

What the extension handles locally

  • Gmail draft content: the extension reads the active Gmail draft locally in the browser so it can calculate SHA-256 fingerprints and insert the TraceProof verification block.
  • Compose-page content: the extension runs on mail.google.com to show the TraceProof Protect button, detect compose windows, insert approved text, and check whether the draft changed after protection.
  • Local extension settings: the extension may store the signed-in operator session, selected profile, selected purpose, selected language, and settings in Chrome storage.

What is sent to TraceProof

  • Operator authentication/session information needed to confirm the signed-in TraceProof operator.
  • Approved organisation configuration such as available profiles, purposes, sender identities, and templates.
  • Selected purpose/profile metadata, sender metadata, recipient count, public/private status, trace IDs, public references, verification URLs, timestamps, and audit events.
  • SHA-256 message fingerprints and related canonical fingerprints used to verify message integrity.

What is not sent to TraceProof by the extension

  • The Gmail draft body is not sent to TraceProof by the extension.
  • The extension does not send email. The operator reviews and sends email from Gmail.
  • Recipients do not need to install the extension to verify a protected message.

How TraceProof uses extension data

  • To authenticate the operator and confirm they are authorised to use the selected organisation, sender, profile, and purpose.
  • To create and finalise protected-message verification records.
  • To let recipients verify who issued the protected message, its declared purpose, and whether the received content matches the protected fingerprint.
  • To maintain audit records, protect the service, diagnose issues, prevent abuse, and support organisation administrators.

Google user data and Limited Use

TraceProof Protect uses access to Gmail only to provide its user-facing protected-message function. TraceProof's use and transfer of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.

  • We do not use Gmail draft content, message content, or extension data for advertising, retargeting, or interest-based advertising.
  • We do not sell personal data.
  • We do not transfer personal or sensitive user data for unrelated purposes.
  • We do not use TraceProof Protect data to determine creditworthiness or for lending purposes.

Sharing and disclosure

TraceProof shares extension-related information only where needed to provide, secure, or administer the service, or where required by law. This may include cloud hosting, infrastructure, logging, security, email, payment, and support providers; the organisation that authorised the operator or sender; recipients or public verification pages for information intended to be shown; and authorities where required by law or needed to prevent abuse.

Security and retention

TraceProof uses HTTPS, access controls, audit records, least-privilege design, and operational safeguards. Extension data stored in Chrome storage remains local until the operator signs out, clears browser storage, uninstalls the extension, or the browser removes it. TraceProof retains trace, proof, audit, account, and security records for as long as needed to provide verification history, meet legal or contractual obligations, resolve disputes, and maintain security.

Questions

For privacy questions or requests, contact [email protected].