Privacy Policy
1. Introduction
GamPacto ("we", "our", "the Extension") is a Chrome browser extension that helps users reduce exposure to gambling content online. This Privacy Policy explains what data GamPacto collects, how it is used, and your rights regarding that data.
2. Data We Collect
2.1 Data stored locally on your device
The following data is stored in your browser using Chrome's local storage APIs and never leaves your device unless you choose to export it:
- Detection event log: URLs, hostnames, timestamps, detection method (blocklist or smart detection), result, confidence score, and up to three evidence strings for each detection. Capped at 500 entries.
- Intervention log: Records of when block overlays were shown and what action you took (e.g. went to homepage, added to blocklist). Capped at 500 entries.
- URL whitelist: Pages that the AI classified as non-gambling, so they are not re-scanned. Capped at 500 URLs.
- Custom blocklist and safe sites: Domains you have manually added or marked as safe.
- User preferences: Intervention toggle, evidence visibility toggle, custom reminder message.
- Notification log: Timestamps and types of accountability partner notifications sent. Used for rate limiting. Capped at 200 entries.
2.2 Data transmitted to our servers
The following data may be sent to our backend (hosted on Supabase) only if you create a GamPacto account and sign in:
- AI classification requests: When the heuristic layer flags a page as suspicious, a short text excerpt (up to ~500 characters), the page URL, hostname, and heuristic score are sent to our Supabase Edge Function, which forwards them to the Claude API for classification. The response (classification label, confidence, reasoning) is returned to the extension and stored locally.
- Authentication data: Your email address and a hashed password are stored by Supabase Auth. Access tokens and refresh tokens are stored locally in your browser to maintain your session.
- Usage counts: We track the number of AI classification requests per day per account to enforce rate limits. No page content or URLs are retained on the server after classification.
2.3 Accountability partner data
The following additional data is processed only if you choose to add an accountability partner:
- Your partner's name and email address are stored locally on your device and in our database (for sending emails).
- A 6-digit verification code is stored temporarily in the database and expires after 10 minutes.
- Notification emails are sent via Resend (our email provider) to your partner's email address. These emails contain only the date and time of the detection — no URLs, page content, or browsing details are shared.
3. Data We Do NOT Collect
- We do not collect or transmit your browsing history.
- We do not track which websites you visit beyond what is needed for detection at the moment of analysis.
- We do not sell, rent, or share any data with advertisers or third parties for marketing purposes.
- We do not use cookies or tracking pixels.
- We do not retain page content on our servers after AI classification completes.
4. How We Use Your Data
All data collected is used solely for the following purposes:
- Detecting and blocking gambling content as you browse (local processing).
- Providing AI-powered classification for pages that the local heuristic flags as suspicious (requires sign-in).
- Sending accountability notifications to a partner you have explicitly designated and verified.
- Enforcing per-account usage limits on AI classification.
- Allowing you to export your own detection logs as CSV.
5. Third-Party Services
GamPacto uses the following third-party services:
- Supabase (supabase.co): Hosts our authentication system, database, and Edge Functions. Supabase processes data in accordance with their privacy policy.
- Anthropic Claude API: Provides AI classification of suspicious pages. Page excerpts sent for classification are processed in accordance with Anthropic's usage policies and are not used to train models.
- Resend (resend.com): Sends transactional emails (verification codes and accountability notifications). Resend processes only the recipient email address and email content.
6. Data Retention
- Local data (event logs, intervention logs, notification logs) is capped and automatically rotated. Older entries are removed when the cap is reached.
- Partner verification codes expire and are deleted after 10 minutes.
- Authentication tokens are stored locally and removed when you log out.
- AI classification requests are not stored on our servers after the response is returned.
- You can clear all local data at any time by removing the extension or clearing extension storage via Chrome settings.
7. Your Rights and Choices
- Use without an account: The blocklist and on-device smart detection work entirely offline with no data leaving your device. You are not required to create an account.
- Export your data: You can export your full detection log as a CSV file from the Export tab in the extension popup.
- Delete your data: Removing the extension deletes all locally stored data. To delete your account and any server-side data, contact us at the email address below.
- Remove your partner: You can remove your accountability partner at any time from the Partner tab, which stops all notification emails immediately.
- Manage the AI whitelist: You can view and remove individual URLs from the AI whitelist in the Blocklist tab.
8. Security
We take reasonable measures to protect your data:
- All communication between the extension and our backend uses HTTPS/TLS encryption.
- Authentication tokens are stored in Chrome's local storage, accessible only to the extension.
- Our Supabase Edge Functions use Row Level Security, and service-role keys are never exposed to the client.
- Partner verification codes are short-lived (10 minutes) and single-use.
9. Children's Privacy
GamPacto is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Browser Permissions Explained
GamPacto requests the following Chrome permissions:
- storage: To save your settings, detection logs, blocklists, and authentication tokens locally on your device.
- activeTab: To read the content of the currently active tab for gambling content detection.
- host_permissions (<all_urls>): Required because gambling content can appear on any website. The extension's content scripts need to run on every page to perform blocklist matching and heuristic analysis. No data is sent externally unless you are signed in and a page triggers AI classification.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Effective date" at the top of this document. We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Email: privacy@gampacto.com