ByteThirst Privacy Policy

Last updated: March 3, 2026 · Version 2.0

Data Controller

ByteThirst is operated by:

ByteThirst
109 Yorkshire Dr PMB 1006
Princeton, TX 75407
United States
hello@bytethirst.com

We are the data controller responsible for your personal data under the GDPR and applicable data protection laws.

What We Collect

Data stored locally on your device (chrome.storage.local):

• Platform identifier (e.g., ChatGPT, Claude, Gemini, Copilot, Perplexity, Poe, Grok, DeepSeek, Mistral, HuggingChat, Google AI Studio, Figma AI, Lovable.dev, Bolt.new)
• Estimated input and output token counts per interaction
• Model tier (e.g., "standard", "large", "reasoning", "code generation")
• Date of interaction (YYYY-MM-DD format only — no time of day)
• Daily query count per platform
• Aggregated daily environmental impact estimates (water, energy, CO₂)
• User preferences (unit system, display mode)
• Achievement badge progress
• Social card generation count (for rate limiting)

AI code builder platforms (Lovable.dev, Bolt.new)

For AI code builder platforms, ByteThirst estimates the environmental impact of the AI model powering the code generation (e.g., Claude Opus 4.5 for Lovable.dev, Claude 3.5 Sonnet for Bolt.new). ByteThirst does not monitor, access, or collect any data from the code execution environment (such as WebContainers or preview sandboxes). Only the AI conversation panel is observed for token estimation, using the same DOM metadata approach as all other platforms.

This data is stored in Chrome's local extension storage and is not accessible to any website, server, or third party — unless you explicitly opt in to Community Benchmarks (see below).

Community Benchmarks (opt-in, all tiers):

Users on any tier (Free, Premium, Teams, and Enterprise) may opt in to Community Benchmarks from the extension settings. The setting description reads: “Shares query counts and calculated impact estimates (water mL, energy Wh, CO₂ g). No personal information or conversation content is ever collected. Enables Community Benchmarks in Analytics.”

When enabled, the following is transmitted:

• A random, non-reversible device identifier (not your email or Google account)
• Query counts per platform
• Calculated impact estimates (water mL, energy Wh, CO₂ g)
• Date (YYYY-MM-DD only)

Community Benchmarks never collects personal information, conversation content, prompts, responses, browsing activity, or any data that could identify you. You may opt out at any time from the extension settings. Opting out permanently deletes your anonymous benchmark data from our servers.

Data transmitted for premium subscribers only:

• Email address (via Google Sign-In) — used for account creation, authentication, and subscription management
• Subscription status — synced between your device and our server (Firebase/Google Cloud) to verify premium access

Premium network calls are limited to:

1. Firebase Authentication (Google Sign-In on initial upgrade; periodic silent token refresh to maintain your session)
2. Stripe payment processing (on initial upgrade and subscription renewal, managed by Stripe's PCI-compliant infrastructure)
3. Firestore subscription status verification (on extension popup open, maximum once per 24 hours, to confirm active premium access)
4. Stripe Customer Portal (when you click "Manage Subscription")

Data transmitted for Teams subscribers:

In addition to the premium data above, Teams members who opt in share the following with their team admin via the ByteThirst team dashboard:

• Daily aggregate QueryWeight per platform (total estimated water, energy, CO₂ by platform by day)
• Team membership status

Admins never see individual prompts, responses, conversation content, detailed usage patterns, exact timestamps, or per-query breakdowns. By default, only daily aggregate totals are shared. Team members may voluntarily opt in to share per-member usage breakdowns with admins. Team members are informed of data sharing through an employee monitoring disclosure during onboarding, as required by applicable labor laws.

Legal Basis for Processing

Under the GDPR, we rely on the following lawful bases for processing personal data:

Processing Activity	Data Involved	Legal Basis (GDPR Art. 6)
Local usage estimation (free tier)	Platform identifiers, token counts, model tier, dates, daily aggregates	Legitimate interest — providing the core extension functionality you installed. Data never leaves your device.
AI platform domain detection	Whether you visit a supported AI platform domain (domain-level only, not full URLs)	Legitimate interest — required to activate the extension on supported platforms. No browsing history is collected or transmitted.
Beta email signup	Email address, optional survey responses	Consent — given when you submit the beta signup form. Withdrawable at any time.
Premium subscription (authentication & access)	Email address, subscription status, authentication tokens	Contract — necessary to authenticate your identity, verify your subscription, and provide the premium features you purchased.
Payment processing (via Stripe)	Payment details (handled entirely by Stripe)	Contract — necessary to process your subscription payment.

Beta Signup & Email Communications

When you sign up for the ByteThirst beta on our website, we collect:

• Email address — stored in Firebase (Google Cloud) Firestore
• Optional survey responses — whether you are a power user and whether you would share impact cards (stored alongside your email)
• Signup timestamp — generated server-side

How we use your email

We use your email address exclusively for:

• Beta access confirmation and onboarding
• Product launch announcements
• New feature updates

We will never sell, share, or provide your email address to third parties for marketing purposes.

Lawful basis (GDPR)

Our lawful basis for processing your email is consent, given when you submit the beta signup form. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting hello@bytethirst.com.

Email data retention

Beta signup emails are retained until you unsubscribe or request deletion. Upon unsubscribe or deletion request, your email and associated data are permanently removed from our database within 30 days.

What We NEVER Collect

Under any circumstance, ByteThirst never collects, stores, processes, or transmits:

• Your AI conversations, prompts, or responses (we structurally cannot — the extension only reads DOM metadata like model selector labels, never conversation content)
• Per-query records on any server (all usage data stays in local storage)
• Exact timestamps of your AI usage (we store only the date, never the time)
• URLs you visit (the extension activates only on supported AI platform domains: chat.openai.com, chatgpt.com, claude.ai, gemini.google.com, copilot.microsoft.com, bing.com/chat, perplexity.ai, poe.com, grok.com, chat.deepseek.com, chat.mistral.ai, huggingface.co/chat, aistudio.google.com, figma.com, lovable.dev, and bolt.new)
• Browsing history or activity outside of supported AI platforms
• Browser fingerprinting data (canvas fingerprints, WebGL hashes, audio context data, etc.)
• Cookies or tracking identifiers from any source
• Content of files you upload to AI platforms
• IP addresses — our application code never logs or stores IP addresses. However, Firebase and Stripe may process IP addresses as part of their standard infrastructure operations (e.g., fraud detection, abuse prevention). This processing is governed by their respective privacy policies and Data Processing Agreements, and we do not have access to these IP logs.

Third-Party Services (Premium Subscribers Only)

Firebase (Google Cloud)

We use Firebase Authentication for Google Sign-In (to authenticate your identity and maintain your premium session) and Cloud Firestore to store your subscription status. Firebase processes your email address, a unique user identifier, and authentication tokens. Firebase's data handling is governed by Google's Privacy Policy. We have a Data Processing Agreement with Google that governs Firebase's handling of personal data on our behalf. Our Firestore database contains only your email, subscription tier, and subscription expiration date — no usage data.

Stripe

Payment processing is handled entirely by Stripe. ByteThirst never sees, stores, or has access to your credit card number, bank account details, or full payment information. Stripe is PCI DSS Level 1 certified. Stripe's data handling is governed by Stripe's Privacy Policy. We have a Data Processing Agreement with Stripe that governs their handling of personal data on our behalf.

International Data Transfers

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States through our use of Firebase (Google Cloud) and Stripe. These transfers are protected by:

• Firebase (Google Cloud): Google maintains Standard Contractual Clauses (SCCs) approved by the European Commission and participates in the EU-U.S. Data Privacy Framework. Google's Data Processing Terms are available at firebase.google.com/terms/data-processing-terms.
• Stripe: Stripe relies on Standard Contractual Clauses and participates in the EU-U.S. Data Privacy Framework. Stripe's Data Processing Agreement is available at stripe.com/legal/dpa.

Free tier users are not affected by international data transfers, as all data remains locally on your device.

Chrome Web Store Compliance

ByteThirst's use and transfer of information received from Google APIs adheres to the Chrome Web Store Limited Use Policy, including the Limited Use requirements.

Specifically, ByteThirst:

• Only uses data to provide and improve the extension's core user-facing features (environmental impact estimation)
• Does not transfer user data to third parties for advertising, data brokerage, or any purpose unrelated to the extension's single purpose
• Does not use user data for personalized or interest-based advertising
• Does not combine user data from this extension with data from other extensions or services

Web browsing activity

ByteThirst detects when you visit a supported AI platform domain (listed above) to activate its estimation features. This detection is limited to domain-level matching only — the extension does not read, record, or transmit the full URLs you visit, your search queries, or any page content beyond the metadata required for estimation (such as model selector labels and response character counts).

Data security

All data transmitted between the extension and our servers (premium subscribers only, including authentication and subscription verification) is encrypted in transit using HTTPS/TLS. Server-side data in Firebase is encrypted at rest by Google Cloud. Local data stored in chrome.storage.local is protected by Chrome's built-in extension sandboxing and your operating system's user-level access controls.

Data Retention

• Local usage data: Automatically pruned after 90 days. You can manually clear all local data at any time from the extension's settings panel.
• Premium account data: Your email and subscription status are retained in Firestore for the duration of your subscription. Upon cancellation, account records are deleted within 30 days of subscription expiration.
• Payment data: Retained by Stripe according to their data retention policies and applicable financial regulations. ByteThirst does not independently store any payment data.

Your Rights

For all users

• View all stored data directly in Chrome's extension storage (accessible via the extension's settings panel)
• Export your local data as a JSON file at any time
• Delete all local data with one click in the extension's settings panel
• Uninstall the extension at any time, which removes all locally stored data

For premium subscribers

• Request a copy of all server-side data associated with your account by emailing hello@bytethirst.com
• Request deletion of all server-side data by emailing hello@bytethirst.com (processed within 30 days)
• Cancel your subscription at any time via the Stripe Customer Portal

GDPR (EU/EEA users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of access (Art. 15) — request a copy of all personal data we hold about you
• Right to rectification (Art. 16) — request correction of inaccurate personal data
• Right to erasure (Art. 17) — request deletion of your personal data
• Right to restriction (Art. 18) — request that we limit how we process your data
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (the extension's JSON export fulfills this for local data)
• Right to object (Art. 21) — object to processing based on legitimate interest

To exercise any right, contact hello@bytethirst.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.

CCPA / CPRA (California residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know — request what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it
• Right to delete — request deletion of your personal information
• Right to correct — request correction of inaccurate personal information
• Right to opt-out — opt out of the sale or sharing of personal information
• Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right

We do not sell or share personal information as defined by the CCPA/CPRA. We do not use personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals.

Categories of personal information collected (per CCPA §1798.140):

• Identifiers: Email address (beta signup and premium subscribers only)
• Internet or electronic network activity: Which supported AI platform domains you visit (stored locally only, never transmitted for free tier)
• Inferences: Estimated environmental impact metrics derived from usage patterns (stored locally only)

Service providers: Firebase (Google Cloud) and Stripe process limited data on our behalf under written agreements that restrict them from using your data for any purpose other than providing their services to us.

To exercise any right, contact hello@bytethirst.com. We will confirm receipt within 10 business days and respond substantively within 45 calendar days.

Children's Privacy

ByteThirst is not intended for users under 16 years of age (or the minimum age established by applicable local law, which may be as low as 13 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data through the beta signup or premium subscription, please contact hello@bytethirst.com and we will promptly delete it.

Changes to This Policy

We will update this page when our privacy practices change. Material changes will be announced via the extension's update notes in the Chrome Web Store.

Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
• Notify affected users without undue delay if the breach poses a high risk to your rights and freedoms
• Provide details about the nature of the breach, the data affected, and the measures taken to address it

Free tier users are generally unaffected by server-side breaches, as their data is stored locally on-device and never transmitted to our servers.

Contact

For privacy questions or data requests: hello@bytethirst.com