Privacy Policy

Leafy is a collaborative web annotation Chrome extension. This Privacy Policy explains what data Leafy collects, how it is used, and the choices you have. By installing and using the Leafy extension, you agree to the practices described here.

1. Information We Collect

Leafy collects only the information necessary to provide the annotation service. We do not passively scan, read, or transmit the contents of pages you browse. Data is sent to our servers only when you take an action that requires it (signing in, creating an annotation, inviting a teammate, etc.).

• Account information: Your name, email address, and profile picture, obtained from Google OAuth when you sign in.
• Annotation content: The comment text you write, any @mentions, and the URL of the page the annotation is attached to.
• Anchor data:To re-locate an annotation on a page, Leafy stores a small snippet of technical context for the element you annotated: a CSS selector, an XPath, the exact text you highlighted, a short text excerpt of the surrounding content (up to 500 characters), and a short snippet of the element's HTML (up to 500 characters) used as a fuzzy fallback when the selector or XPath no longer match. The HTML snippet may include attribute values from the annotated element, such as image source URLs or link targets. This is stored only for pages where you explicitly create an annotation.
• Team data: Names of the gardens (teams) you create, membership lists, and the identifiers of teammates.
• Pending invitations: When you invite a teammate by entering their email, Leafy stores that email address alongside the garden it was invited to, until the invite is accepted or revoked. We do this so that when the invitee later installs Leafy and signs in with that email, we can add them to the garden. If you are a non-user who has received an invite and wants it removed, contact us at the address below.
• Notifications: Records of @mentions (who mentioned whom, in which comment, on which page URL) so we can notify the recipient.
• Feedback and support messages:If you send feedback through the extension's Help & Feedback form, we store the message text, your user ID, and your email address so we can read and respond.

Leafy does not collect: your browsing history, page contents of pages you have not annotated, form inputs, passwords, financial information, health information, personal communications, keystrokes, mouse movement, or location data.

2. Why Leafy Needs Access to All Websites

Leafy requests host permission for https://*/* and runs a content script on every page so that you can annotate any webpage you visit. The content script renders the Leafy floating bubble and, when you select an element to annotate, captures the anchor data described above. No page content is transmitted unless you explicitly create or view an annotation on that page.

3. How We Use Your Information

• To provide annotation and collaboration features.
• To deliver notifications when a teammate @mentions you in a comment.
• To manage your gardens (teams) and memberships.
• To authenticate you via Google sign-in and keep you signed in across sessions.

4. Limited Use Disclosure

Leafy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data collected by Leafy is never sold, never used for advertising, never used to train generalized machine-learning or AI models, and never transferred to third parties except as required to provide the service (our hosting provider) or comply with applicable law.

5. Data Storage and Security

Your data is stored in Google Cloud Firestore (Firebase), a managed database service operated by Google. All data is encrypted in transit (HTTPS) and at rest. Access to the database is controlled by Firestore security rules that restrict each record to its owner or the members of the garden it belongs to.

6. International Data Transfers

Leafy is operated from India. However, because our data is stored with Google Firebase, your personal data may be stored on, processed by, and transferred to servers located outside of India, including in the United States or other countries where Google operates its data centres. By using Leafy, you consent to such cross-border transfer, storage, and processing of your data. We take reasonable steps to ensure that any such transfer is carried out in accordance with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and that the receiving party provides an adequate level of protection.

7. Data Sharing

Your annotations are visible only to the members of the garden (team) you posted them in. We do not sell your personal data. We do not share your data with any third party except:

• Google Firebase, which acts as our data processor for storage and authentication.
• When required by law, valid legal process, or to protect our rights and the safety of our users.

8. Data Retention

We retain your account and annotation data for as long as your account is active. When you delete an annotation, it is removed from our database. If you request account deletion, all of your personal data and annotations will be permanently deleted within 30 days.

9. Your Rights Under Indian Law

If you are located in India, the Digital Personal Data Protection Act, 2023 gives you the following rights with respect to the personal data we hold about you, as a “Data Principal”:

• Right to access: A summary of the personal data we hold about you and how we process it.
• Right to correction and erasure: You may request that we correct inaccurate data or erase data that is no longer necessary for the purpose it was collected.
• Right to grievance redressal: You may raise a complaint with our Grievance Officer (see Section 13) and expect a response within a reasonable timeframe.
• Right to nominate: You may nominate another individual who can exercise these rights on your behalf in the event of your death or incapacity.
• Right to withdraw consent: You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at the address in Section 13 below.

10. Your Choices

You may at any time:

• Sign out of Leafy from the extension popup.
• Delete individual annotations you have created.
• Leave or delete any garden you own.
• Request full deletion of your account and all associated data by emailing us at [email protected].
• Uninstall the extension at any time via chrome://extensions. Uninstalling stops all further data collection immediately.

11. Children's Privacy

Leafy is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the new policy on this page and update the “Last updated” date above. Material changes will be communicated through the extension or via email where appropriate.

13. Grievance Officer and Contact

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the contact details of the Grievance Officer are provided below. The Grievance Officer is responsible for addressing any questions, complaints, or requests relating to your personal data or the operation of Leafy.

• Name: Karan Mannan
• Email: [email protected]

We will acknowledge grievances within a reasonable timeframe and work to resolve them in accordance with applicable law.