Privacy Policy

Privacy-First Personal Session Sync

Choco is designed for personal use to synchronize your sessions across your own devices with end-to-end encryption. We do not store browsing data, credentials, or monitor domains on our servers.

1. Introduction

Choco ("we", "our", "us", "Company") operates a privacy-first browser extension and web dashboard (collectively, the "Service") designed for personal session synchronization across your own devices. This Privacy Policy explains our data practices and your privacy rights.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information (email address, password, name)
  • Team configuration settings
  • Dashboard preferences and settings
  • Support communications and feedback

2.2 Session Data (Personal Devices Only)

Critical: We do NOT store, monitor, or have access to your session data, browsing activity, or website domains. We function as an encrypted transport pipe only.

User Control: Data collection only occurs when you explicitly opt-in and configure specific data types through your dashboard settings. By default, no data is collected until you choose to enable it.

When you choose to sync data between your personal devices and configure data collection in your dashboard, the extension may collect and handle:

  • Browser cookies (specific cookies or all cookies based on configuration)
  • localStorage data (specific keys or full localStorage based on configuration)
  • sessionStorage data (specific keys or full sessionStorage based on configuration)
  • Browser fingerprint (canvas, screen resolution, timezone, language preferences)
  • Geolocation data (latitude, longitude, accuracy if permission granted)
  • IP address (local network IP via WebRTC)
  • User agent string (browser and OS information)
  • Platform information (operating system details)
  • Browser details (name, version)
  • Device identifiers (for sync coordination)
  • Sync timestamps (when data was last synchronized)

2.3 Automatically Collected Information

  • Log data (IP addresses, browser type, access times)
  • Usage analytics (feature usage, error reports)
  • Device information (operating system, browser version)
  • Performance metrics (load times, error rates)

3. How We Use Your Information

3.1 Primary Purposes

  • Provide encrypted sync functionality across your personal devices
  • Authenticate your individual account access to our sync service
  • Enable personal session continuity between your devices
  • Process and respond to your support requests and communications

3.2 Secondary Purposes

  • Improve and optimize our Service performance
  • Detect, prevent, and address technical issues
  • Analyze usage patterns to enhance user experience
  • Provide customer support and technical assistance
  • Send important service notifications and updates

3.3 Data Processing Limitations

Due to our privacy-first architecture and end-to-end encryption design:

  • We cannot access or decrypt synchronized session data
  • We do not store browsing history or website information
  • We cannot monitor user activity across websites
  • We do not have access to user credentials or authentication tokens

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data based on:

  • Consent: When you explicitly opt-in to data collection features
  • Contract: To provide the sync services you've requested
  • Legitimate Interest: To improve our services and ensure security
  • Legal Obligation: To comply with applicable laws and regulations

You may withdraw consent at any time through the dashboard or by contacting us directly.

5. Data Storage Options

🔐 Bring Your Own Database (Maximum Privacy)

For users who want complete control over their data storage, you can configure the extension to use your own database:

  • Your own Supabase instance
  • Your own cloud database
  • Our managed service (encrypted, we cannot access)

When using your own storage: Your data remains entirely under your control and we have no access to it.

5.1 Storage Options

5.2 Service Providers (Infrastructure Only)

We may use trusted service providers only for basic infrastructure:

  • Cloud hosting for the extension and dashboard (no session data stored)
  • Email delivery for account notifications
  • Error monitoring (no personal data included)
  • Customer support platforms (only for your direct communications)

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal requests from government authorities
  • Court orders or subpoenas
  • Legal proceedings or investigations
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6. Data Security

6.1 Technical Safeguards

  • End-to-end encryption for data in transit (TLS 1.3)
  • AES-256 encryption for data
  • Secure authentication protocols (OAuth 2.0, JWT)
  • Regular security assessments and penetration testing

6.2 Operational Safeguards

  • Multi-factor authentication for accounts
  • Regular security updates and monitoring
  • Incident response procedures
  • Secure development practices

7. Data Retention

7.1 Retention Periods

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Sync Data: Retained as configured in your dashboard settings (default: 90 days)
  • Log Data: Retained for 12 months for security and troubleshooting purposes
  • Support Communications: Retained for 3 years for quality assurance

7.2 Data Deletion

You can request or delete data through:

  • Dashboard → Credentials tab (Individual or bulk delete stored credentials)
  • Dashboard → Teams tab (Delete team configurations via team management)
  • Dashboard → Members tab (Remove member data and permissions)
  • Dashboard → Profile tab (Update account information or request account deletion)
  • Email request to privacy@usechoco.com

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

When we transfer your personal information to other countries, we implement appropriate safeguards including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for transfers to countries with adequate protection
  • Binding Corporate Rules for intra-group transfers
  • Your explicit consent for specific transfers

9. Cookies and Tracking Technologies

9.1 Our Use of Cookies

We use cookies and similar technologies for:

  • Essential Cookies: Required for basic functionality (authentication, security)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use our Service
  • Performance Cookies: Monitor and improve Service performance

9.2 Third-Party Cookies

We may use third-party services that set cookies:

  • Google Analytics (with IP anonymization)
  • Error tracking services (Sentry, Bugsnag)
  • Customer support platforms

9.3 Cookie Control

You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.

10. Your Privacy Rights

10.1 General Rights

  • Access: Request a copy of your personal information
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal information
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your information
  • Objection: Object to processing based on legitimate interests

10.2 GDPR Rights (EEA/UK Users)

  • Right to withdraw consent at any time
  • Right to lodge a complaint with supervisory authorities
  • Right to automated decision-making protection
  • Right to be informed about data processing

10.3 CCPA Rights (California Users)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

10.4 Exercising Your Rights

To exercise your privacy rights, contact us at privacy@usechoco.comor use the data management tools in your dashboard. We will respond within 30 days (or as required by applicable law).

11. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to remove that information immediately.

12. Third-Party Links and Services

Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those external sites or services.

We encourage you to review the privacy policies of any third-party sites or services before providing them with your personal information.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify relevant supervisory authorities within 72 hours (where required)
  • Inform affected users without undue delay
  • Provide clear information about the nature and scope of the breach
  • Describe measures taken to address the breach and prevent future incidents
  • Offer guidance on steps you can take to protect yourself

14. Privacy Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:

  • Notify you via email (to the address associated with your account)
  • Display a prominent notice in our dashboard
  • Update the "Last Updated" date at the top of this policy
  • Provide at least 30 days notice before material changes take effect

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

15. Contact Information

15.1 Data Controller

Choco
Email: privacy@usechoco.com
Legal: legal@usechoco.com

15.2 Data Protection Officer

For GDPR-related inquiries, contact our Data Protection Officer at:
Email: dpo@usechoco.com

15.3 Supervisory Authority

EEA/UK users have the right to lodge a complaint with their local data protection authority if they believe we have not addressed their privacy concerns adequately.

This Privacy Policy was last updated on January 1, 2025. Previous versions are available upon request.

For questions about this Privacy Policy or our privacy practices, please contact us at privacy@usechoco.com.