Your prompts stay on your device.

Your prompts, your API keys, and anything you type into an AI chat stay on your device. The only data that leaves is anonymous usage metadata, and only if you have “Share anonymous feedback” enabled in the extension’s popup.

When “Share anonymous feedback” is enabled in the popup, the extension sends one small event per rating. Each event contains:

• A randomly generated install ID (a UUID, unlinked to any account or identifier)
• The extension version and the event timestamp
• Which AI platform you used (ChatGPT, Claude, or Gemini)
• Your rating (👍 / 👎 / skipped / cancelled)
• The numeric prompt score before and after enhancement (0 to 100)
• Word counts of the original, enhanced, and sent prompt
• Which enhancement rule identifiers fired (for example audience, format_spec)
• Whether your prompt contained placeholder text, and whether you edited the enhancement before sending
• The archetype our classifier inferred (code, design, writing, plan, analysis, or general)

• Your prompt text
• The AI’s responses
• API keys you paste into the popup
• Contents of the “References” field in Project Mode
• URLs of pages you visit
• Anything you type into any AI chat
• Any personal identifier (email, name, persistent IP, though Supabase may log request IPs briefly for rate limiting)

The ratings table is insert only at the database level. Nobody, including us, can update existing rows, and reads are restricted to our service role.

If you paste an OpenAI, Anthropic, or Google API key into the popup, it is stored in chrome.storage.local on your own machine. It never leaves your device except as requests to the respective provider’s official endpoint. We never see it. Provider traffic follows each provider’s privacy policy, not ours.

When Project Mode generates intake questions or a plan, your goal and intake answers are sent to whichever AI provider is configured: either Chrome’s local Gemini Nano (stays on your device) or your own API key’s provider. That traffic does not pass through our servers.

If you or someone you trust built the extension with npm run build:dev (which bakes API keys from a local .env file into the bundle for personal testing), the keys in that specific build are extractable by anyone with the extension files. Do not distribute such a build. Published builds on the Chrome Web Store are always built with npm run build and never contain baked keys.

Open the extension popup, expand “Help improve MaxOutput,” and uncheck “Share anonymous feedback.” Once off, no events leave your device. Events already queued locally remain on your device until you clear them via the Clear button. You can also export everything we’ve stored locally as JSON via Export JSON.

Server-side rating events are retained indefinitely for longitudinal analysis. Because events contain no personal identifiers, there is no mechanism to identify “your” events and delete them selectively. Future versions may let you rotate your install ID to cut the link. Locally stored data stays on your device until you remove the extension or clear it via the popup.

The canonical version of this policy lives in the public repository at PRIVACY.md. Changes are tracked via Git history. The “Last updated” date at the top reflects the most recent material change.

Open an issue on the public repository, or email the maintainer listed in the Chrome Web Store listing.