Privacy Policy Addendum - Browser Extension

Effective Date: January 27, 2026
Last Updated: January 27, 2026
Applies To: Porcia Browser Extension for Chrome and Edge

1. Introduction

This Privacy Policy Addendum supplements the Porcia Privacy Policy and applies specifically to the Porcia Browser Extension. This addendum describes what data the browser extension collects, how we use it, and your rights regarding this data.

Scope: This addendum applies only to data collected by the Porcia Browser Extension. For information about other Porcia services, please refer to our main Privacy Policy at porcia.org/privacy.

2. Data Collection

2.1 What We Collect

The Porcia Browser Extension collects the following information:

Activity Data:

• Domain names - The parent domain of websites you visit (e.g., "slack.com", "github.com")
• Timestamps - When you start and stop viewing a page
• Duration - How long you spend on each domain (in seconds)
• User identifier - Your Porcia user ID (internal identifier)
• Workspace identifier - Your organization's workspace ID

Settings Data:

• Tracking status - Whether tracking is enabled or paused
• Pause duration - How long tracking is paused (if applicable)
• Excluded domains - List of domains you've chosen not to track

2.2 What We DO NOT Collect

We are committed to your privacy. The extension does not collect:

• Full URLs - We never collect query parameters, paths, or fragments
• Page content - We never read or store the text, images, or content of pages
• Form data - We never capture what you type in forms or search boxes
• Passwords - We never access or store your passwords or credentials
• Personal messages - We never read your emails, chats, or direct messages
• Files or documents - We never access files you view or download
• Screenshots - We never capture images of your screen
• Clipboard data - We never access what you copy or paste
• Browsing history - We only track domains while extension is active
• Incognito browsing - Extension does not run in incognito mode

2.3 Example of Data Collected

What we collect:

Domain: slack.com
Start: 2026-01-27 10:00:00 UTC
End: 2026-01-27 10:15:00 UTC
Duration: 900 seconds (15 minutes)
User ID: usr_abc123
Workspace ID: wks_xyz789

What we DO NOT collect:

❌ Full URL: https://slack.com/messages/C123456/details?thread_ts=1234567890
❌ Page content: "Hey team, let's meet at 3pm..."
❌ Form inputs: "password123"
❌ Personal data: Names, emails, phone numbers in page content

3. How We Use Your Data

We use the collected data for the following purposes:

3.1 SaaS Application Discovery

• Identify which business applications your team uses
• Match domains to known SaaS vendors
• Build a comprehensive inventory of your software stack

3.2 Usage Analytics

• Calculate time spent on each application
• Generate usage reports and trends
• Identify most-used and least-used applications

3.3 Shadow IT Identification

• Detect unapproved applications being used
• Alert administrators to potential security risks
• Help maintain compliance with IT policies

3.4 Cost Optimization

• Identify unused or underutilized subscriptions
• Recommend cost-saving opportunities
• Support license optimization decisions

3.5 Compliance Monitoring

• Track application usage for audit purposes
• Ensure compliance with organizational policies
• Support security and risk assessments

3.6 Workspace-Level Insights

• Provide aggregated team usage statistics
• Identify trends and patterns
• Support data-driven decision making

We do NOT use your data for:

• Advertising or marketing
• Selling to third parties
• Tracking personal browsing habits
• Monitoring individual productivity
• Any purpose unrelated to SaaS management

4. Data Storage & Security

4.1 Where Data is Stored

Geographic Location:

• Primary: AWS US-East-1 (Virginia, USA)
• Backup: AWS US-West-2 (Oregon, USA)
• Data residency options available for enterprise customers

Storage Duration:

• Raw events: 90 days, then automatically deleted
• Aggregated statistics: Retained longer (anonymized)
• Settings: Retained while account is active

4.2 Security Measures

Encryption:

• In transit: TLS 1.3 encryption for all data transmission
• At rest: AES-256 encryption for database storage
• Backups: Encrypted with separate keys

Access Controls:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) required for admin access
• Audit logging of all data access
• Regular security audits and penetration testing

Infrastructure Security:

• AWS security best practices
• SOC 2 Type II compliant infrastructure
• Regular vulnerability scanning
• Automated security updates

4.3 Data Retention

Automatic Deletion:

• Browser activity data is automatically deleted after 90 days
• You can delete your data manually at any time
• Deleted data is permanently removed within 30 days

Aggregated Data:

• Anonymized, aggregated statistics may be retained longer
• Used for product improvement and benchmarking
• Cannot be traced back to individual users

5. Data Sharing

5.1 Who Can See Your Data

Within Your Workspace:

• You - Always have access to your own data
• Workspace Administrators - Can see aggregated team data
• Team Members - Can see shared workspace insights (not individual activity)

Workspace Isolation:

• Your data is isolated to your workspace
• Other Porcia workspaces cannot see your data
• Strict access controls prevent cross-workspace access

5.2 Who We DO NOT Share With

We never share your browser activity data with:

• Third-party advertisers
• Marketing companies
• Data brokers
• Other Porcia customers
• Social media platforms
• Analytics services (except anonymized, aggregated data)
• Government agencies (except as required by law)

5.3 Service Providers

We may share data with trusted service providers who help us operate the service:

• AWS - Cloud infrastructure and database hosting
• Monitoring services - Error tracking and performance monitoring (anonymized)

Requirements for Service Providers:

• Sign data processing agreements
• Comply with GDPR and CCPA
• Use data only for specified purposes
• Maintain equivalent security standards

5.4 Legal Requirements

We may disclose data if required by law:

• Valid court order or subpoena
• Legal obligation to prevent harm
• Protection of our rights or property

We will:

• Notify you if legally permitted
• Challenge overly broad requests
• Provide minimum necessary data

6. Your Rights

6.1 Right to Access

You can:

• View all your browser activity data in the Porcia dashboard
• Export your data in JSON format
• Request a copy of all data we hold about you

How to Exercise:

1. Go to Settings → Integrations → Browser Extension
2. Click "Export Data"
3. Download JSON file with all your activity

6.2 Right to Delete

You can:

• Delete all your browser activity data
• Request deletion of your entire Porcia account
• Have data permanently removed

How to Exercise:

1. Go to Settings → Integrations → Browser Extension
2. Click "Delete All Data"
3. Confirm deletion (cannot be undone)

What Happens:

• All browser events deleted immediately
• Aggregated statistics anonymized
• Data permanently removed within 30 days

6.3 Right to Opt-Out

You can:

• Pause tracking temporarily (1 hour, 4 hours, indefinite)
• Exclude specific domains from tracking
• Uninstall the extension completely

How to Exercise:

Pause Tracking:

1. Click extension icon
2. Click "Pause Tracking"
3. Choose duration

Exclude Domains:

1. Go to Settings → Browser Extension
2. Add domains to exclusion list
3. Save changes

Uninstall:

1. Go to chrome://extensions/
2. Find Porcia Browser Extension
3. Click "Remove"

6.4 Right to Portability

You can:

• Export your data in machine-readable format (JSON)
• Transfer data to another service
• Use exported data for your own purposes

Data Format:

{
  "events": [
    {
      "domain": "slack.com",
      "startTime": "2026-01-27T10:00:00Z",
      "endTime": "2026-01-27T10:15:00Z",
      "duration": 900
    }
  ],
  "stats": {
    "totalApps": 25,
    "totalDuration": 86400
  }
}

6.5 Right to Object

You can:

• Object to processing of your data
• Request restriction of processing
• Withdraw consent at any time

How to Exercise:

• Email: privacy@porcia.org
• Subject: "Data Processing Objection"
• Include your user ID and workspace ID

7. Privacy Controls

7.1 Pause Tracking

Feature: Temporarily stop all tracking

Options:

• 1 hour - Short break
• 4 hours - Half day
• Until I resume - Indefinite

Effect:

• No domains tracked while paused
• Existing data remains
• Resume anytime

7.2 Excluded Domains

Feature: Permanently exclude specific domains

Use Cases:

• Personal email (gmail.com)
• Social media (facebook.com)
• News sites (cnn.com)
• Personal projects

Effect:

• Excluded domains never tracked
• Applies even when not paused
• Can add/remove anytime

7.3 Per-User Settings

Feature: Each user controls their own settings

Privacy:

• Settings are per-user, not workspace-wide
• Administrators cannot override your privacy settings
• You control what's tracked

7.4 Workspace-Level Controls

Feature: Administrators can set workspace policies

Examples:

• Require minimum tracking hours
• Mandate certain domains be tracked
• Set data retention policies

Balance:

• Workspace policies respect individual privacy
• Users can still pause or exclude domains
• Transparency in policy enforcement

8. Compliance

8.1 GDPR Compliance (EU)

Legal Basis for Processing:

• Legitimate Interest - SaaS management and cost optimization
• Contractual Necessity - Providing the service you signed up for
• Consent - Where required, we obtain explicit consent

Your GDPR Rights:

• Right to access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

Data Protection Officer:

• Email: dpo@porcia.org
• Phone: +91 8097907763
• Response time: 30 days

8.2 CCPA Compliance (California)

Your CCPA Rights:

• Right to know what data we collect
• Right to delete your data
• Right to opt-out of sale (we don't sell data)
• Right to non-discrimination

We Do NOT:

• Sell your personal information
• Share for cross-context behavioral advertising
• Discriminate based on privacy rights exercise

How to Exercise Rights:

• Email: privacy@porcia.org
• Phone: +91 8097907763
• Online: porcia.org/privacy-request

8.3 SOC 2 Compliance

Type II Certification:

• Security controls audited annually
• Availability and confidentiality verified
• Processing integrity confirmed

Audit Reports:

• Available to enterprise customers
• Request via: compliance@porcia.org

8.4 Data Processing Agreements

For Enterprise Customers:

• Standard Contractual Clauses (SCCs) available
• Data Processing Addendum (DPA) upon request
• Business Associate Agreement (BAA) for HIPAA

Contact:

• Email: legal@porcia.org
• Subject: "DPA Request"

9. Children's Privacy

Age Requirement:

• Porcia is not intended for users under 13 years old
• We do not knowingly collect data from children under 13
• If we learn we have collected such data, we will delete it immediately

Parental Consent:

• Users aged 13-18 may require parental consent (jurisdiction-dependent)
• Parents can request deletion of their child's data

How to Report:

• Email: privacy@porcia.org
• Subject: "Child Privacy Concern"

10. Changes to Privacy Policy

10.1 Notification of Changes

How We Notify:

• Email to all users
• In-app notification
• Banner on website
• Update "Last Updated" date

Advance Notice:

• 30 days notice for material changes
• Immediate notice for legal requirement changes

10.2 Effective Date

Material Changes:

• Take effect 30 days after notification
• You can opt-out before effective date
• Continued use = acceptance of changes

Non-Material Changes:

• Take effect immediately
• Clarifications or administrative updates
• No action required

10.3 Version History

Current Version: 1.0.0 (January 27, 2026)

Previous Versions:

• None (initial version)

View History:

• Available at: porcia.org/privacy/history

11. Contact Information

11.1 Privacy Officer

Email: privacy@porcia.org
Phone: +91 8097907763
Mail: Porcia Privacy Officer
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India

Response Time: Within 30 days

11.2 Data Protection Officer (EU)

Email: dpo@porcia.org
Phone: +91 8097907763
Mail: Porcia DPO
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India

Response Time: Within 30 days

11.3 Support

General Questions:

• Email: support@porcia.org
• Chat: porcia.org/chat
• Help Center: help.porcia.org

11.4 Legal

Legal Inquiries:

• Email: legal@porcia.org
• Phone: +91 8097907763
• Mail: Porcia Legal Department
  C/13 Mangalmurti Society, Ghatkopar West
  Mumbai, Maharashtra, India

11.5 Filing Complaints

Supervisory Authority (EU):

• Contact your local data protection authority
• List: edpb.europa.eu/about-edpb/board/members_en

California Attorney General:

• Website: oag.ca.gov/privacy
• Phone: 1-800-952-5225

12. Legal Basis for Processing

12.1 Legitimate Interest

Our Legitimate Interests:

• Providing SaaS management services
• Improving product functionality
• Ensuring security and preventing fraud
• Complying with legal obligations

Balancing Test:

• Your privacy rights vs. our legitimate interests
• Minimal data collection necessary
• Strong security measures in place
• Transparency in data use

12.2 Contractual Necessity

Service Provision:

• Browser extension is part of Porcia service
• Data collection necessary to provide features
• Cannot provide service without this data

Your Agreement:

• By using extension, you agree to data collection
• Can opt-out by uninstalling extension
• Can delete data at any time

12.3 Consent

Where Required:

• Explicit consent for sensitive processing
• Opt-in for marketing communications
• Consent for cookies (where applicable)

Withdrawal:

• Can withdraw consent anytime
• Email: privacy@porcia.org
• Effect: Processing stops immediately

13. International Data Transfers

13.1 Data Transfer Mechanisms

EU to US:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions where available
• Additional safeguards as required

Other Jurisdictions:

• Appropriate safeguards in place
• Compliance with local laws
• Data localization where required

13.2 Data Residency Options

Enterprise Customers:

• EU data residency available
• UK data residency available
• Custom regions upon request

Contact:

• Email: enterprise@porcia.org
• Subject: "Data Residency Request"

14. Automated Decision-Making

We Do NOT:

• Use browser data for automated decisions affecting you
• Use AI/ML for individual profiling
• Make employment decisions based on browser data

We DO:

• Use algorithms for SaaS detection (not about you)
• Aggregate data for workspace insights
• Provide recommendations (you decide)

Your Rights:

• Right to human review of any decision
• Right to contest automated decisions
• Right to explanation of logic used

15. Acknowledgment

By installing and using the Porcia Browser Extension, you acknowledge that you have read, understood, and agree to this Privacy Policy Addendum.

Last Updated: January 27, 2026
Effective Date: January 27, 2026
Version: 1.0.0

© 2026 Porcia. All rights reserved.

For questions about this Privacy Policy Addendum, please contact:
Email: privacy@porcia.org
Phone: +91 8097907763
Website: porcia.org/privacy