Retrace's privacy commitment
Retrace never phones home.
This is the load-bearing claim that distinguishes Retrace from every other "AI for your browser." It is not marketing. It is a constraint we hold ourselves to in the code:
- The Retrace extension does not send your captured pages to any server we run.
- The Retrace extension does not send your queries to any server we run.
- The Retrace extension does not send your embeddings or any derived representation of your content to any server we run.
- The Retrace extension does not send your model invocations to any server we run.
What does cross the network:
- Authentication — when you sign in, the web app talks to our auth provider. No browsing data is involved.
- License verification — every six hours, the extension calls our backend to confirm your license is still active. The request contains your license token. It does not contain anything about what you've read or asked.
- Model artifacts — the first time you use Ask, the extension downloads the Qwen3-4B model weights (
Qwen3-4B-q4f16_1-MLC) and the WASM runtime from HuggingFace (huggingface.coand the HF CDN under*.hf.co), pinned to an immutable git revision. The request includes only the model URL — no account identifier and nothing about what you've read or asked. After the download, the model runs locally in your browser, on your machine, with no network calls. - Google Docs and Sheets content capture — Google renders the body of a Doc or Sheet onto a canvas, so the text is not in the page DOM where Retrace can read it. To capture it, the content script makes a single credentialed
GETto Google —docs.google.com/document/d/<id>/export?format=htmlfor Docs,docs.google.com/spreadsheets/d/<id>/export?format=csvfor Sheets — reusing your existing Google session, the same way File → Download does. The request goes to Google, not to us, and only fetches a document you are already signed in to and viewing. The returned text goes straight into your local on-device memory (IndexedDB); it is never sent to Sauvrn servers. (A reviewer with DevTools open on a Docs/Sheets tab will see this request.) - Opt-in feedback — if you click "Send feedback" inside the extension and type a message, that message is sent to us and forwarded to our help-desk provider (HubSpot, or Linear as a fallback) so we can reply. We sanitize it before it lands in our system to scrub tokens you may have pasted accidentally. The in-product feedback form tells you this before you submit.
That's the entire list. If you ever see network activity from Retrace that does not match the list above, that's a bug — please report it via the in-extension feedback form, or email support@sauvrn.ai.
Third-party processors
When you take specific actions inside Sauvrn or its web app, narrowly-scoped data crosses to these processors. None of them receive your browsing data, captured pages, queries, or anything Retrace has indexed:
| Processor | Data sent | When (trigger) | How you're told |
|---|---|---|---|
| Stripe (US) | Billing email, organization name, internal sauvrn_org_id metadata — not from the extension, only from the web app at checkout |
At checkout or subscription change on a paid plan | Stripe's hosted checkout page links to Stripe's privacy policy. |
| Resend (US) | Recipient email address, first/last name, body of the transactional email | When we send a transactional email (sign-in confirmation, license/subscription change, receipt) | Implicit in the account email setting. Resend's privacy policy. |
| HubSpot (US) | Your account email, the feedback body, sanitized diagnostic JSON (no tokens, no page contents) | When you submit the in-extension "Send feedback" form | The feedback form copy states the message is shared with our help-desk provider. HubSpot's privacy policy. |
| Linear (US) | Same payload as the HubSpot row | Fallback path when HubSpot is unreachable | Same in-product disclosure as HubSpot. Linear's privacy policy. |
The full list of processors (cloud host, auth provider, uptime monitor, DNS) is documented in the Sauvrn privacy policy.
Why this matters
Sending browsing data to a server "for AI" is a one-way trip. Once it lands somewhere we host, it sits in logs, backups, and shared dashboards forever. Even with the best intentions, that data can leak. Retrace is built so the leak surface does not exist.
It also means we can never read your data ourselves, even if we wanted to. We made that trade on purpose.
Open questions we're still working on
- Cross-device sync. Today, Retrace's memory is per-device. Syncing is technically hard to do without breaking the never-phone-home commitment. We're working on it.
- Workspace sharing. Team plans will eventually let you opt in to sharing specific pages or answers with your team. That sharing will be page-by-page and explicit — not bulk telemetry.