← Home

Privacy Policy

KeySona is a text expander. We built it to be useful, not to harvest your data. This page explains, in plain English, exactly what happens to your snippets, your account, and your typing.

Last updated · May 20, 2026 · Version 1.0

TL;DR

✓Your snippets live in your browser by default. We can't see them.
✓Cloud sync is opt-in. You flip it on; we don't.
✓AI rewrites only run when you press the hotkey. Text isn't stored.
✗We don't read password fields. Ever.
✗We don't track which sites you visit.
✗We don't run analytics or telemetry in v1.
✗We never see your credit card. Stripe handles payments.

01Who we are

KeySona is a Chrome browser extension (Manifest V3) that expands typed shortcuts into longer text. This policy covers the extension, our marketing site, and our optional Pro and Team cloud services.

"We", "us", and "our" refer to the KeySona team. "You" means anyone who installs the extension or signs up for an account.

02What lives on your device

Out of the box — and on the Free tier always — KeySona stores all of your data locally in your browser's IndexedDB:

Your snippets (triggers and the text they expand into)
Your profiles (Work, Personal, Freelance, or whatever you name them)
Variable definitions and default values
Extension settings and keyboard shortcuts

None of this is transmitted anywhere. If you uninstall the extension without exporting first, the data is gone. We have no copy on our end to send you.

Free tier is fully offline. If you never enable cloud sync and never trigger an AI rewrite, KeySona sends zero data anywhere — to us or to anyone else.

03Cloud sync (Pro & Team, opt-in)

Pro and Team subscribers can turn on cloud sync to share snippets across devices. Cloud sync is off until you flip the switch in Settings → Sync. You can turn it off at any time, which stops further uploads but leaves whatever you've already synced in place until you delete it.

Where it's stored

Synced data lives in a Supabase Postgres database hosted on AWS. Supabase is our infrastructure provider; their privacy and security practices are at supabase.com/privacy.

What gets synced

Snippets, profiles, and variable definitions
Your account email and subscription status
Timestamps needed for conflict resolution between devices

What does not get synced

Anything you type outside of a snippet trigger
Page content from the sites you visit
Your browsing history

04Accounts and sign-in

Authentication is handled by Supabase Auth. You can sign in two ways:

Email and password — we store your email and a salted, hashed password (we never see the plaintext).
Google OAuth — we receive your email and Google account ID. We do not receive your Google password, your contacts, your calendar, or anything else from your Google account.

You can delete your account at any time from Settings → Account → Delete. Deletion removes your email, your synced snippets, and your subscription record within 7 days.

05Payments

Pro and Team subscriptions are processed by Stripe. When you enter a card, that information goes directly to Stripe — it never touches our servers. We can't see it, store it, or leak it because we literally never receive it.

What we do receive from Stripe is the minimum needed to manage your subscription: a customer ID, the plan you're on, the renewal date, and the last four digits of the card (for display purposes only). Stripe's privacy policy is at stripe.com/privacy.

06AI rewrite with Claude

The AI rewrite feature sends selected text to Anthropic's Claude API so it can be rephrased in your profile's voice. A few important details:

It only runs when you explicitly trigger it — via the hotkey or the rewrite menu option. Nothing is sent automatically.
Only the specific text you select is sent. Surrounding page content is not included.
We do not store the input or the rewritten output on our servers after returning it to you.
Anthropic processes the request under its commercial API terms and does not use your inputs to train its models.

Anthropic's policies are at anthropic.com/legal/privacy. If you don't want any text leaving your device, simply don't use the AI rewrite feature — every other feature works fully offline.

07What the extension can and cannot see

To expand snippets, KeySona needs to watch what you type and write text back into input fields. That's a meaningful permission, so we want to be precise about how we use it.

Reads keystrokes

Only to detect when you've typed a trigger. Keystrokes are matched in memory and discarded.

Writes to input fields

Only at the moment of expansion, and only into the field you're typing in.

Password fields

Never read. The extension explicitly skips any <input type="password">.

Browsing history

Never read or tracked. We don't know which URLs you visit.

Page content

Not collected. We don't read, copy, or transmit the content of pages you visit.

Ads / injected content

None. We do not inject ads, affiliate links, or third-party scripts into any page.

08Analytics and telemetry

Version 1.0 of KeySona collects no analytics and no telemetry. We don't know how often you expand snippets, which features you use, or whether the extension crashed.

We may add opt-in anonymous usage stats in a future version to help us prioritize improvements (e.g. aggregate counts of feature use, with no snippet content and no personal identifiers). If and when we do, it will be off by default and clearly labeled in Settings. We'll update this page and bump the "Last updated" date before turning anything on.

09Your rights (GDPR and friends)

Whether or not you're in the EU, you have the following rights over any data we hold about you:

Export — download all of your snippets, profiles, and account data as JSON from Settings → Data → Export.
Delete — wipe local data via Settings → Reset. Delete your cloud account and all synced data via Settings → Account → Delete account. We complete deletion within 7 days.
Correct — your snippets are yours to edit at any time. Email us if anything else needs correcting.
Object / restrict — turn off cloud sync, skip AI rewrites, or uninstall the extension. You're in control.
Complain — if we mishandle your data, you can lodge a complaint with your local data protection authority.

10Who we share data with

We share the minimum data necessary with a small set of named service providers, and no one else:

Supabase

Database and authentication for Pro/Team cloud sync.

Stripe

Payment processing for paid plans.

Anthropic

AI rewrite processing, only when you trigger it.

Google

Only if you choose Google OAuth to sign in. They receive nothing from us; we receive your email and account ID.

We do not sell, rent, or share your data with advertisers or data brokers. Full stop.

11Children

KeySona is not directed at children under 13, and we don't knowingly collect data from them. If you believe a child has created an account, please email us and we'll delete it.

12Changes to this policy

If we make meaningful changes — new data we collect, new services we share with, anything that affects what you've already agreed to — we'll update the "Last updated" date at the top and notify active users by email at least 14 days before the change takes effect.

13Contact us

Questions about this policy, requests to export or delete your data, or anything else privacy-related — write to us. A human will reply.

Privacy contact

privacy@keysona.app

← Back to site