This page describes how the Rephrase Chrome extension (“the extension”) collects, uses, stores and shares the data of its users. It supplements the general privacy policy of Rephrase.fr and applies exclusively to the extension distributed on the Chrome Web Store.
Data controller: Beva Agency, publisher of Rephrase.fr, reachable at contact@rephrase.fr.
1. What data we collect
1.1 Data you actively provide
- Selected text: when you click “Humanize with Rephrase” in the context menu or “Rewrite” in the side panel, the text you have selected is sent to the Rephrase API for processing.
- Usage preferences: chosen stylistic preset, selected custom voice, intensity of the “Add typos” mode, enabled typo types, “Preserve formatting” option.
1.2 Data generated by the extension
- Personal API key (token starting with
rph_live_): generated by our server upon the first authorization of the extension, at the end of thechrome.identity.launchWebAuthFlowflow. It identifies your Rephrase account to the API.
1.3 Data we do NOT collect
- The extension does not read the content of the pages you browse. It only accesses the text you explicitly select and submit.
- No tracking, analytics or advertising script is embedded in the extension’s code.
- The extension collects no browsing data: visited URLs, history, bookmarks, third-party cookies, tab openings.
- The extension captures no keystrokes outside the side panel itself.
- No content is processed automatically in the background: only the text you explicitly select and submit is sent to our API.
2. How we use this data
The data collected is used only for the following purposes:
- Primary purpose: to humanize the text you submit to us and return it to you through the extension’s side panel.
- Authentication: the API key allows the extension to prove that it acts on your behalf with our server, without needing to store your password.
- Personalization: to display your remaining credits balance, your voices and presets in the panel’s interface.
- Security and anti-abuse: to log, in our internal audit logs, critical actions (creation of a key, humanization performed) in order to detect fraudulent uses.
The data is never used for advertising, marketing profiling, resale to third parties, training of machine learning models, or any use unrelated to the functionality described above.
3. How we store this data
3.1 Local storage in your browser
- The API key and your usage preferences are stored in
chrome.storage.local, on your machine only, never synchronized between installations. - This data is automatically erased when you uninstall the extension or click “Log out” in the panel.
- The API key is isolated from the DOM of the web pages you visit, and is therefore never exposed to a third-party script.
3.2 Server-side storage
- The original texts and the humanized texts are stored on our servers only if you have enabled history in your Rephrase account settings. Otherwise, they are deleted immediately after the result is returned.
- When they are kept, these texts are encrypted at rest with the AES-256-GCM algorithm. The encryption key is stored outside the database.
- The API key is stored server-side as a SHA-256 hash. The cleartext secret exists nowhere on our servers after its initial generation.
- The servers are hosted in Germany (Contabo), within the European Union.
3.3 Retention period
- Humanized texts: kept as long as history is enabled on your account; deleted at your request from your dashboard, or immediately if history is disabled.
- API key: valid until manually revoked from your API Keys dashboard or until the extension is uninstalled.
- Local preferences: erased when the extension is uninstalled.
- Internal audit logs: kept 30 days by default, or longer if required by law.
- Rephrase account and associated data: erased immediately and completely upon your deletion request from your Settings area, with the exception of invoices kept for 12 months for accounting obligations.
4. Who we share this data with
We do not sell and never rent your data to third parties. Your data is shared only with the sub-processors strictly necessary to provide the service:
| Sub-processor | Country | Role | Data shared |
|---|---|---|---|
| OpenAI | United States | Generation of the humanized text via their API | The text you submit. We request the “Zero Data Retention” arrangement, which excludes your texts from OpenAI’s monitoring systems. |
| Contabo | Germany (EU) | Hosting of our servers | All data stored server-side, encrypted at rest. |
| Recalled | European Union | Internal audit log | Action metadata (who did what, when). Not the textual content. |
No data is transmitted to advertisers, data brokers, advertising platforms, or any third party for marketing profiling purposes.
5. Limited Use and compliance with Google APIs
The extension Rephrase’s use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
Concretely, this means that data collected via Google APIs or via any other user source:
- Is used only to provide or improve the functionality visible to the user within the extension (humanizing the selected text).
- Is not transferred to third parties for advertising or unrelated commercial uses.
- Is not used or transferred to determine creditworthiness, nor for lending purposes.
- Is not accessed by humans, except: (a) with the user’s explicit consent, (b) for security reasons (fighting abuse), (c) to comply with a legal obligation, (d) for a strictly operational purpose where the data is anonymized and aggregated.
6. Security
- All communications between the extension, the Rephrase API and our sub-processors take place over TLS 1.3 (HTTPS only).
- The original and humanized texts are encrypted at rest with AES-256-GCM.
- The API key stored locally is isolated from the DOM of the visited pages (separation enforced by the Chrome extensions engine).
- The authentication flow uses
chrome.identity.launchWebAuthFlow, a secure mechanism provided by Chrome that prevents malicious sites from intercepting the token. - Access to our systems is protected by multi-factor authentication and logged in Recalled.
7. Your rights
In accordance with the GDPR, you have the following rights over your data:
- Access: export all of your data from your Settings area.
- Rectification: edit your profile from the dashboard.
- Erasure: delete your account and all associated data in one click from the Settings area.
- Objection: disable the history of humanizations at any time.
- Portability: retrieve a complete JSON export of your data.
- Revoking the extension: remove the extension’s access to your account without uninstalling it, by revoking the “Chrome Extension” key from your API Keys dashboard.
You can exercise these rights or ask a question at contact@rephrase.fr.
8. Chrome permissions requested
The extension requests the following permissions, each directly tied to its visible functionality:
contextMenus: to add the “Humanize with Rephrase” entry to the right-click context menu, only when text is selected.storage: to keep your API key and your usage preferences locally.sidePanel: to display the side panel where the loading animation and the humanized result appear.identity: to open the secure sign-in flow viachrome.identity.launchWebAuthFlowtorephrase.fr/extension/connect.- Host access to
https://api.rephrase.frandhttps://rephrase.fr: to send the text to humanize to our API and enable the authentication flow. No other domain is accessible to the extension.
9. Changes to this policy
We may update this policy to reflect changes in the extension, the sub-processors or the regulations. Any substantial change will be announced on the Chrome Web Store listing and in the extension’s release notes. The date of the last update is shown at the top of this page.
10. Contact and complaint
For any question or to exercise your rights, contact us at contact@rephrase.fr.
If you believe that your rights are not being respected, you may file a complaint with the CNIL, the French data protection authority: www.cnil.fr.