Kitestring Browser Extension — Privacy Policy

Last updated: June 13, 2026

Overview

The Kitestring browser extension is a workplace analytics tool deployed by organizations to their teams. It helps organizations understand how their people use web-based AI tools, and helps individuals improve their own AI use by learning from peers. This policy explains what the extension processes, what it transmits, and what it deliberately does not.

Kitestring is provided to you by your organization. Your organization is the controller of the data the extension produces; Kitestring operates as its processor.

What the extension does

When you use a supported web-based AI tool (currently ChatGPT, Claude.ai, and Gemini) in a browser where the extension is installed, the extension processes your interactions locally in order to generate de-identified usage signals.

What is processed on your device, and what leaves it

Your prompts are processed locally before anything is transmitted. The extension removes common personal identifiers from your prompt text on your device, including email addresses, web addresses (URLs), phone numbers, payment card numbers, government identification numbers such as Social Security numbers, street addresses, dates, and multi-word capitalized names.

This identifier removal is automated and rule-based — it uses pattern matching for structured identifiers (such as emails, URLs, phone numbers, and dates) and a capitalization heuristic for multi-word names. It does not use machine learning or named-entity recognition. As a result, it may not detect names written in lowercase, single-word names, or identifiers in unusual formats. You should not assume that every piece of personal information will be removed in all cases.

After this processing, what is transmitted to Kitestring is a de-identified skeleton of the prompt — a reduced representation with recognized identifiers removed — together with lightweight metadata.

Your AI responses are not transmitted. The content of the responses you receive from AI tools is not sent to Kitestring. Only a count of the response length (number of characters) is recorded.

Your raw conversations are never stored or transmitted. Kitestring does not retain or receive the original text of your prompts or responses.

What information Kitestring receives

• De-identified prompt skeletons (with recognized identifiers removed as described above)
• A classification label describing the type of work an interaction supported (for example, writing, research, analysis) and its subject domain
• Usage counts and estimated token and cost figures
• A character count of each response (not its content)
• Which supported AI tool was used
• Identifiers needed to associate usage with your account within your organization (for example, your organizational user identity)
• Sign-in credentials — when you sign in to the extension, your work email address and password are sent to Kitestring’s authentication service to verify your identity. Kitestring stores only the resulting session token on your device; your password is never stored by the extension.

What Kitestring does not do

• It does not store or transmit the raw content of your prompts or responses
• It does not record your AI responses beyond their length
• It does not access your activity on websites other than the supported AI tools
• It does not sell your data
• It does not use your data for advertising

How the information is used

The de-identified signals are used to give your organization’s leadership visibility into AI adoption and spend at an aggregate level, and to power a coaching experience that helps team members improve how they use AI by learning from anonymized peer patterns. People administering Kitestring see patterns, classifications, and totals — not the content of what you typed.

Permissions

The extension requests only the access it needs to do the above:

• Access to the supported AI tool sites (chatgpt.com, chat.openai.com, claude.ai, and gemini.google.com) — so it can process your interactions with those tools. The extension runs only on these sites; it does not read your activity on other websites.
• Network access to Kitestring’s servers — to send the de-identified signals described in this policy.
• Local storage — to hold your sign-in token and to queue usage signals while your device is offline, so none are lost.
• Script injection — to re-activate the capture component in already-open AI tabs after the extension updates, so capture resumes without a page reload.

Data sharing

Kitestring shares the processed signals with your organization, which deployed the extension. Kitestring does not sell your information or share it with third parties for their own purposes, except service providers acting on Kitestring’s behalf under contract, or where required by law.

Data retention

Kitestring retains the de-identified information it receives only as long as needed for the purposes described in this policy, applying different periods by data type:

• Usage signals and classifications — counts, work-type and subject-domain labels, token and cost estimates, response character counts, which AI tool was used, and your organizational user identity. Retained for the duration of your organization’s subscription so the dashboard and coaching views can show trends over time, and deleted or returned within 90 days after the subscription ends. Your organization may configure a shorter retention window.
• De-identified prompt skeletons — retained for up to 90 days solely to measure and improve classification quality, then deleted. Skeletons are used only to improve Kitestring’s classification; they are not shared with your organization (your organization sees labels, subjects, and totals — not skeletons) and are not shared with any third party.
• Measured active-time durations — retained on the same schedule as usage signals above.

Aggregated or anonymized statistics that cannot be linked to an individual may be retained beyond these periods.

Your choices and rights

Kitestring is deployed by your organization, which decides whether and how it is used; your use may be governed by your organization’s workplace and monitoring policies. Because your organization is the controller of this data:

• Questions and requests — about what is collected, how it is used, or to access or delete information associated with you — should be directed to your organization first. Kitestring supports your organization in responding to these requests as its processor.
• Seeing your own usage — if your organization has enabled the coaching experience, you can view your own usage summary and classifications in the Kitestring dashboard.
• Legal rights — depending on your location you may have rights over your personal data (such as to access, correct, or delete it). Where these apply, they are exercised through your organization as controller, and Kitestring assists as required by law.

Contact

Questions about this policy can be directed to help@getkitestring.com.

Changes

We may update this policy. Material changes will be reflected by the “Last updated” date above.