GPTPowerUps

Privacy Policy

2026-05-13

We built GPTPowerUps on a simple principle: your data is yours. We only collect what we absolutely need to run this service — nothing more. Here is exactly what that means.

GPTPowerUps adds a productivity sidebar to ChatGPT, Claude, and Grok. This policy explains what information we collect to run this service — and nothing more.

What we will never do:

  • No email address required to install or use the extension.
  • Your conversations, folders, prompts, and settings stay on your device — never sent to our servers.
  • No account required to browse or use any feature. Zero mandatory sign-in.
  • No tracking cookies. No ad networks. No telemetry unless you turn it on yourself.

Who we are

Legal entity: ElPi Corp
Role: Data Controller / Responsable de traitement
Registered office: [TBD — pending confirmation]
SIREN: [TBD — pending registration]
Jurisdiction: France — Strasbourg courts
Privacy contact: dpo@elpicorp.com
Governing law: France (GDPR)
Supervisory authority: CNIL https://www.cnil.fr

Chrome Web Store Limited Use compliance

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

In practice, this means any data received via Google APIs will be used only for the purposes strictly necessary to run the extension — never resold, never shared with third parties for commercial purposes, never used to target you with advertising. Your use of the extension stays under your control, not Google's or ours beyond the service provided.

What data we collect

GPTPowerUps declares its position below for each of the 9 sensitive data categories defined by the Chrome Web Store.

Personally identifiable information (PII)
Your email address is collected only if you complete the sign-up form on /beta. It is stored in Convex (EU region). It is not sold. It is not shared with third parties.
Health information
None collected. The extension does not access, read, or store any health-related content.
Financial information
None collected. The extension does not process any payments in V1 — all features are free. If subscription billing ships in a future version, it will be handled entirely by an external payment provider with its own privacy policy. We will never store or process your card details.
Authentication information
No credentials, passwords, or session tokens are collected or transmitted to our servers. The extension uses the storage permission to save your preferences locally in your browser. It does not intercept session cookies from AI host pages.
Personal communications
No conversations collected. The extension injects its interface into AI host pages but does not read, capture, or transmit your conversation content to our servers. Your conversations remain between you and the AI host.
Location
None collected. No geolocation API is requested or used.
Web history
None collected. host_permissions are scoped strictly to chatgpt.com, claude.ai, grok.com, and the Convex backend. No cross-site browsing activity is recorded.
User activity in the extension
Anonymous usage signals, opt-in only. If you enable this in the extension settings, aggregated events (e.g., power-up viewed, power-up installed, search performed, host switched) are sent to Convex. No individual identifier is attached. These signals are GDPR-safe (no consent withdrawal burden since no personal data is linked).
Website content
No website content is scraped or stored on our servers. The extension reads the DOM of host pages only to inject its sidebar. No page content is transmitted to GPTPowerUps.

Browser permissions

host_permissions — chatgpt.com, claude.ai, grok.com
Required to inject the productivity UI (sidebar, prompt library, Power-Up scores) into the AI host pages. No content from these pages is transmitted to our servers.
host_permissions — Convex backend
Required to communicate with the Convex backend: waiting list sign-up, anonymous usage signals (when opt-in is enabled), and Power-Up catalog data. This is the only outbound data connection GPTPowerUps controls.
storage
Required to save your data locally in the browser: folders, saved prompts, settings, theme preference, and language preference. All data is stored using the browser's native storage (IndexedDB / chrome.storage). It is not transmitted externally.
scripting
Required to inject the sidebar React component into AI host pages at page load.
alarms
Required for scheduled local tasks (e.g., periodic sync checks, Power-Up score refresh). No user data is transmitted via alarms.

We do not request the following permissions: tabs, history, cookies, webRequest, notifications, or identity. We do not read your conversations, your browser tabs, your history, or your cookies. We do not intercept network traffic.

How we use your data

  • Deliver the product: your local data (folders, prompts, settings) lets the extension work without connecting to an account.
  • Notify you at launch: if you signed up on /beta, your email will be used only to let you know when GPTPowerUps is publicly available.
  • Improve Power-Ups: if you have enabled anonymous signals, we use that aggregated data to improve the ordering of Power-Ups and to detect bugs. No individual profile is created.
  • Nothing else. We do not use your data for advertising. We do not sell it. We do not analyze it for profiling.

Who we share your data with

Nobody, for commercial purposes.

Technical sub-processors only:

  • Convex (database, EU region) — stores the waiting list email and anonymous opt-in signals.
  • Vercel (site hosting) — standard server logs, 30-day retention, covered by EU Standard Contractual Clauses (SCC).
  • No analytics provider. No ad networks. No data brokers.

DPA signed with Convex Inc., EU Standard Contractual Clauses (SCC) in place.

Where your data is stored

| Location | Detail |
| --- | --- |
| Browser-local data | Your folders, prompts, settings, theme, and language preference are stored in IndexedDB on your device. This data never leaves your device. |
| Convex (backend, EU region) | Your waiting list email and anonymous opt-in signals are stored in Convex, hosted in the EU region. No transfers to countries without adequate protection without SCC in place. |
| Vercel server logs | Standard server logs (IP address, HTTP request) are processed by Vercel. Retention: 30 days. Covered by Vercel's EU Standard Contractual Clauses. |

Your GDPR rights

If you are located in the EU, EEA, or UK, the GDPR gives you the following rights over your personal data held by ElPi Corp (data controller).

Right of access (Art. 15)
You may request a copy of all personal data we hold about you (waiting list email + opt-in timestamp). Response within 30 days. Contact: dpo@elpicorp.com
Right to rectification (Art. 16)
You may request correction of your waiting list email address. Contact: dpo@elpicorp.com
Right to erasure / "right to be forgotten" (Art. 17)
You may request deletion of your waiting list entry at any time. Deletion executed within 30 days. Browser-local data is under your direct control (delete via browser data clearing or extension uninstall).
Right to restriction of processing (Art. 18)
You may request that we cease processing your data while a dispute is being resolved.
Right to data portability (Art. 20)
You may request your waiting list data in a portable format (JSON/CSV).
Right to object (Art. 21)
You may object to processing based on legitimate interest (Vercel server logs). We will comply unless overriding legitimate grounds exist.
Right to withdraw consent (Art. 7.3)
You may withdraw consent at any time: unsubscribe link in the waiting list confirmation email, or email dpo@elpicorp.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Legal basis for processing

  • Waiting list email: Consent (Art. 6(1)(a)) — explicit opt-in action on the /beta page.
  • Anonymous usage signals: Consent (Art. 6(1)(a)) — opt-in toggle in extension settings.
  • Vercel server logs: Legitimate interest (Art. 6(1)(f)) — security monitoring; narrowly scoped, 30-day retention, no individual profiling. Compliant with EDPB Guidelines 1/2024 (three-part test: purpose, necessity, balancing).

Supervisory authority

CNIL (Commission Nationale de l'Informatique et des Libertés), France.
https://www.cnil.fr/en
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
You have the right to lodge a complaint with CNIL if you believe your rights have been violated (Art. 77 GDPR).

To exercise any of these rights, contact us at dpo@elpicorp.com. For urgent matters or if you prefer a direct conversation, book a slot: https://calendar.app.google/Rs9VYwJXmwL6vPd99

Your CCPA rights (California)

If you are a California resident, the CCPA/CPRA (including new regulations effective January 1, 2026) gives you the following rights.

Response time: 45 days for any request.

Categories of personal information collected

  • Identifiers (email address — only on /beta opt-in)
  • Internet activity (IP address, browser metadata via Vercel server logs, 30-day retention)
  • No sensitive personal information collected
  • No biometric, geolocation, health, financial, or commercial information collected
Right to know
You may request disclosure of the categories and specific pieces of personal information collected, their sources, their purposes, and the third parties involved. Contact: dpo@elpicorp.com
Right to access
You may request a copy of personal information collected in the preceding 12 months (extended to January 1, 2022 under 2026 regulations). Contact: dpo@elpicorp.com
Right to deletion
You may request deletion of your personal information. We will delete it from our systems and instruct our service providers to do the same. Contact: dpo@elpicorp.com
Right to correction
You may request correction of inaccurate personal information about you. Contact: dpo@elpicorp.com
Right to opt out of sale or sharing
We do not sell your personal information and do not share it with third parties for advertising or commercial purposes. No opt-out mechanism is required, but we state this explicitly.
Right to non-discrimination
Exercising any CCPA right will not result in denial of service, price differences, or reduced quality of service. This right is guaranteed.
Right to limit use of sensitive personal information
We do not collect sensitive personal information as defined by CPRA.

We do not sell or share your personal information. No opt-out link is required.

We honor Global Privacy Control (GPC) signals. If a GPC signal is detected, no optional tracking will be initiated.

Per CPPA 2026 regulations: if you submit a deletion request, we will confirm completion in writing within 45 days. California residents may designate an authorized agent to submit requests on their behalf (authorization verification required before responding).

Cookies and local storage

Third-party cookies

None.

Essential items stored locally (no consent required)

  • Language preference (localStorage) — required for next-intl routing (FR/EN).
  • Theme preference (localStorage) — required for next-themes (Light / Dark / System).

Both items are strictly necessary for the service to function as requested by the user. Under the ePrivacy Directive (Art. 5(3)) and CNIL/EDPB guidelines, strictly necessary storage does not require consent.

Analytics

None in V1. No Google Analytics, Mixpanel, Amplitude, or equivalent.

No consent banner required in V1 (CNIL/EDPB guidelines — no third-party tracking cookies).

How long we keep data

| Data | Retention period | Rationale |
| --- | --- | --- |
| Waiting list email (Convex, EU) | Until public launch + 90-day opt-out window post-launch | Users who opted in deserve a clean off-ramp after launch |
| Anonymous usage signals (if opted in) | Aggregated with no individual retention, archive period limited to 24 months | No individual is identifiable in aggregates |
| Vercel server logs | 30 days (Vercel standard) | Security monitoring, standard server log practice |
| Browser-local data (folders, prompts, settings) | Controlled by you — persists until you clear browser data or uninstall the extension | Data never leaves your device |
| Deletion request records | 3 years (legal compliance, GDPR Art. 5(2) accountability obligation) | Demonstrates compliance if audited |

Data deletion requests

V1 mechanism (current)

To delete your data, email dpo@elpicorp.com with subject "Data Deletion Request". We verify your identity by matching your email to our waitlist record, execute deletion within the statutory GDPR / CCPA deadlines, and send you written confirmation. Prefer a direct conversation? Book a slot at https://calendar.app.google/Rs9VYwJXmwL6vPd99 — we handle deletion requests live.

V2 mechanism (Sprint 2 — planned)

Automated self-service form on the website. Immediate confirmation email. Automated deletion from Convex with audit log.

Children's privacy

This service is intended for users 13 years of age and older (16 years in the EU per GDPR Art. 8; France applies age 15 per loi Informatique et Libertés). We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has submitted an email address on our waiting list, we will delete it immediately upon discovery.

If you are a parent or guardian and believe your child has provided us with personal information, contact us at dpo@elpicorp.com or book a call at https://calendar.app.google/Rs9VYwJXmwL6vPd99 — we will delete that information without delay.

Service not intended for children under 13.

Updates to this policy

Notification mechanism

  • In-extension banner (dismissible) displayed on next launch after a policy update.
  • Email to beta waiting list subscribers.

Notice is given 30 days before any material change takes effect (new data type collected, new sharing partner, new purpose). Non-material changes (clarifications, typo fixes, contact updates) are effective immediately, with the date updated at the top of the policy.

Each version of the policy includes its effective date and a summary of changes from the previous version.

Contact + governing law

Privacy contact / DPO: dpo@elpicorp.com
Response SLA: 30 days (GDPR) / 45 days (CCPA)
Legal entity (data controller): ElPi Corp
Registered office: Pending registration — will be updated as soon as finalized.
Governing law: French law, with GDPR as the primary data protection framework
Supervisory authority: CNIL (France), https://www.cnil.fr/en
CNIL address: 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07

The consumer-facing brand is GPTPowerUps. ElPi Corp is the legal entity and data controller under GDPR.

What we will never do

  • We will never require your email to install or use the extension.
  • We will never require you to connect a Google account or any third-party account.
  • We will never add you to a marketing list without your explicit opt-in.
  • We will never sell, rent, or broker your data to any third party.
  • We will never run usage telemetry by default. Tracking is off unless you explicitly enable it in Settings.
  • We will never inject third-party trackers, analytics SDKs, or advertising scripts into any page.
  • We will never add a watermark to your AI conversations.
  • We will never auto-increase prices on your subscription without your consent.