# CourseIQ Extension Privacy Policy Last updated: 2026-01-04 ## Summary - Captured Eval25 reports stay in Chrome storage by default; guest mode never uploads them. - Public library contributions (opt-in via Cloud Config) send only course/instructor/term metadata, ratings, sample size, and the ratings report URL—no raw comments. - Private sync (opt-in login) sends structured ratings and normalized comments to your Supabase project using your Supabase access token. - Raw report HTML is sent to the processor you configure (default `https://courseiq-processor.fly.dev` or your own) only to parse structured results. - We do not sell data or use it for advertising; we use it solely to provide capture, parsing, and sync features. ## Data We Collect ### Information you provide - Email address when you request or verify a Supabase magic-link/OTP. - Cloud config you enter: Supabase project URL, anon key, optional public web URL, and optional processor URL. - Authentication tokens returned by Supabase (access/refresh tokens) to keep you signed in; stored in Chrome `storage.local`. ### Data captured from Eval25 when you click Capture - The extension fetches the Eval25 Comments Report and Ratings Summary HTML using your current session. The HTML contains course metadata, ratings, and student comments shown on those pages, plus the page URL and browser user agent. - The raw HTML is posted to the configured processor to generate structured data. Parsed bundles keep only offering metadata, ratings, sample size, and up to 120 comments trimmed to 800 characters each. Raw HTML is not persisted in extension storage. - If the processor is unavailable, the extension falls back to parsing ratings only; comments are then not processed or synced. ### Data synced or shared (optional) - **Public library contribution (best-effort):** When Cloud Config has a Supabase project URL, the extension enqueues a payload to `courseiq_public_ingest` containing course/instructor/term metadata, ratings, sample size, ratings report URL, a non-personal client instance ID, and capture timestamp. No raw comments are included. - **Private library sync (logged-in):** When you sign in, structured bundles (ratings, sample size, normalized comments, offering metadata) are written to your Supabase tables (`user_offerings`, `user_offering_aggregates`, `user_comments`) using your Supabase access token with RLS. - **Web app sign-in bridge:** After OTP verification, you may choose to open `https://courseiq.vercel.app/auth/extension-login` and pass your Supabase tokens so the web app can set your session. ### Diagnostics - Standard HTTP request logs from Supabase, the processor host, or the CourseIQ config endpoint may include IP address, timestamps, and error strings for troubleshooting. ## How We Use Data - Capture Eval25 reports on your behalf and let you view/export/delete them locally. - Parse captured reports into structured offerings, ratings, and (when available) comments. - Sync private data to your Supabase project when you request it. - Contribute aggregate, non-comment data to the public CourseIQ library when enabled. - Authenticate you via Supabase OTP and keep your session current. ## Where Data Is Stored - **Local (browser):** Chrome `storage.local` holds captures, indexes, client instance ID, public ingest queue, cloud config, session tokens, and popup/library form drafts. - **Supabase (your project):** Auth, private library tables, and the public ingest Edge Function. Data stored there is governed by your Supabase project settings and RLS policies. - **Processor:** If you set a processor URL, the extension posts raw report HTML to that endpoint (default Fly.io-hosted processor). Retention and logging at that endpoint are controlled by its operator. - **CourseIQ web:** The extension reads a public config from `https://courseiq.vercel.app/api/config`; no personal data is sent with that request. ## Sharing and Disclosure - Public ingest submissions become part of the public CourseIQ library. - We do not sell personal data and do not use advertising trackers. - Service providers used to deliver the features: Supabase (auth, database, Edge Functions) and the configured processor host (default Fly.io). Tokens and captures are not shared beyond these services. ## Retention and Deletion - Local captures, config, and tokens remain until you delete them (Local Library page, popup delete buttons) or uninstall the extension (Chrome clears extension storage on uninstall). - Public library submissions remain in the backing Supabase project until removed there. - Private sync data remains in your Supabase project until you delete it. - Processor endpoints may retain logs per their own policies; clear your processor URL to avoid sending data there. ## Your Choices and Controls - Use Guest Capture to keep data local; leave the processor URL empty to skip remote parsing. - Remove the Supabase project URL to skip public ingest; log out to stop private sync. - Delete individual captures or export/delete all from the Local Library page. - Revoke Supabase tokens by logging out; you can also clear Chrome’s site data or uninstall the extension. ## Children The extension is not intended for children under 16. ## Contact Please direct privacy questions or requests to paulchen9698@gmail.com. Replace this placeholder with your support/privacy email before distributing the extension. ## Changes We will update this page when the policy changes. Your continued use of the extension after updates means you accept the revised policy.