Privacy Policy
Last updated: March 16, 2026
1. About This Policy
This Privacy Policy describes how Alchemist ("we", "our", "us") collects, uses, and shares information about you when you use our Chrome extension and website at try-alchemist.com. Alchemist is a prompt enhancement tool that helps you write better prompts for AI platforms including ChatGPT, Claude, Gemini, Perplexity, DeepSeek, and Grok.
By installing the extension or creating an account, you acknowledge this policy. If you do not agree with these practices, do not use the service.
2. Data We Collect
We collect the following categories of personal data:
Account information
- Email address (provided at signup or via Google OAuth)
- User ID — a unique identifier assigned to your account
- Password hash (when using email/password signup; plaintext passwords are never stored)
- Google profile information (name, email address, profile picture) when you use Sign in with Google
Prompt content
- Prompt text you submit through the extension is transmitted to our backend server and forwarded to an AI language model provider for processing. Prompts are processed in real time and are not retained on our servers after a response is returned.
- If you use the Save Prompt feature, the refined or compiled prompt output and a brief summary (the first 100 characters of your original input) are stored in our database, linked to your account.
Usage data
- Feature used (e.g., Quick Polish, Analyze, Compile, Coding Generate)
- Number of input and output tokens consumed per request
- Credits used and credit balance
- Request timestamps
Subscription and billing data
- Subscription plan (Free, Pro, or Power) and status
- Stripe Customer ID and Stripe Subscription ID
- Billing period start and end dates
- Card number, CVV, and full payment details are handled exclusively by Stripe and are never transmitted to or stored on our servers.
Technical data
- IP address — logged by our backend on each authenticated request for rate limiting and abuse prevention
- HTTP request metadata (timestamp, endpoint, response status)
Locally stored data (on your device only)
- Authentication tokens (access token, refresh token, expiration timestamp) stored in Chrome's extension storage API
- Your email address and user ID, cached locally for session management
- Theme preference (light, dark, or system)
3. How We Use Your Data
We use the data we collect for the following purposes:
- Providing the service — processing your prompts through AI models, displaying your saved prompts, and managing your account.
- Authentication — verifying your identity on API requests and maintaining your login session.
- Billing and usage enforcement — tracking credit consumption to enforce plan limits and process subscription payments.
- Transactional communications — sending signup confirmations, password reset emails, and billing receipts. We do not send marketing emails without your explicit consent.
- Security and abuse prevention — rate limiting, bot detection, and disposable email filtering to protect the service.
- Legal compliance — retaining records as required by applicable law.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases:
- Contract performance (Article 6(1)(b)) — processing your prompts, managing your account, and fulfilling your subscription are necessary to deliver the service you have contracted for.
- Legitimate interests (Article 6(1)(f)) — IP logging for rate limiting and security, and usage analytics for service improvement. Our legitimate interests do not override your fundamental rights.
- Legal obligation (Article 6(1)(c)) — retaining billing and transaction records as required by applicable law.
- Consent (Article 6(1)(a)) — any optional data collection or marketing communications, where we have obtained your explicit consent.
5. Third-Party Services and Data Sharing
We share personal data with third-party services only as necessary to operate Alchemist. The following table lists every third party that receives user data, what data they receive, and why:
| Service | Data shared | Purpose |
| --- | --- | --- |
| Supabase | Email, password hash, user profile, session tokens | User authentication and account management. Hosted in the United States. Supabase privacy policy. |
| Stripe | Email, subscription plan, billing details | Payment processing and subscription management. Hosted in the United States. Stripe privacy policy. |
| OpenAI / Anthropic | Prompt text submitted for processing | AI language model processing to refine and enhance your prompts. Hosted in the United States. OpenAI privacy policy and Anthropic privacy policy. |
| Google (OAuth 2.0) | Email, name, profile picture | Enabling Sign in with Google. OAuth scopes: openid, email, profile. Google privacy policy. |
| hCaptcha | Bot verification tokens, IP address | Bot prevention on login and signup forms. hCaptcha privacy policy. |
| Google Fonts | IP address (standard CDN request) | Loading typefaces used in the extension interface. Google privacy policy. |
We do not sell, rent, or trade your personal data. We do not share data with advertising platforms, data brokers, or information resellers.
6. International Data Transfers
Alchemist is operated from outside the United States, but all of our core third-party service providers (Supabase, Stripe, OpenAI, Anthropic) are based in the United States. If you are located in the EEA or UK, your personal data is transferred to and processed in the United States, which may not offer the same level of data protection as your home jurisdiction.
We rely on the following transfer mechanisms for EEA/UK residents:
- Standard Contractual Clauses (SCCs) incorporated in our service provider agreements
- EU-U.S. Data Privacy Framework (DPF) where providers are certified
You may contact us at hello@try-alchemist.com for more information about the safeguards we have in place.
7. Data Security
We implement the following technical and organizational measures to protect your data:
- All data transmitted between the extension, our backend, and third-party services uses HTTPS/TLS encryption in transit.
- Passwords are cryptographically hashed using industry-standard algorithms; plaintext passwords are never stored or transmitted.
- Authentication is managed via short-lived JWT tokens with automatic expiration and refresh.
- Per-IP rate limiting is enforced on authentication endpoints to prevent credential stuffing and brute-force attacks.
- The extension enforces a Content Security Policy (script-src 'self') to prevent unauthorized code execution.
- All extension logic is bundled at build time; no remote code is loaded or executed at runtime.
In the event of a data breach that affects your personal data, we will notify you and any applicable supervisory authorities in accordance with applicable law.
8. Data Retention
- Account data — retained for the duration your account is active.
- Saved prompts — retained until you delete them or close your account.
- Usage logs — retained for up to 12 months for billing reconciliation and abuse prevention, then deleted.
- IP address logs — retained for up to 90 days for security purposes, then deleted.
- Account closure — upon account deletion, your personal data is removed within 30 days, except where retention is required by law. To close your account, email hello@try-alchemist.com.
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
All users
- Access — request a copy of the personal data we hold about you.
- Correction — request that inaccurate or incomplete data be corrected.
- Deletion — request that we delete your account and associated personal data.
- Portability — request a machine-readable export of your saved prompts and account information.
EEA and UK residents (GDPR / UK GDPR)
- Restriction of processing — request that we limit how we use your data in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Supervisory authority complaint — lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member state's DPA).
California residents (CCPA / CPRA)
- Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete — request deletion of personal information we have collected, subject to certain exceptions.
- Correct — request correction of inaccurate personal information.
- Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising. No opt-out mechanism is required, but you may contact us to confirm.
- Non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, email hello@try-alchemist.com. We will respond within 30 days (or within the period required by applicable law).
10. Chrome Extension Permissions
Alchemist requests the following Chrome permissions. Each permission is used only as described:
- activeTab — detects which AI platform you are on and injects the Alchemist toolbar into the active tab. This does not grant access to your browsing history or data on any other tab.
- storage — stores your login session tokens and theme preference locally on your device using chrome.storage.local. This data does not leave your device except as described in Section 2.
- identity — enables the Sign in with Google authentication flow via chrome.identity.launchWebAuthFlow.
Host permissions — the extension declares host permissions for the following AI platform domains in order to inject its toolbar interface:
- chatgpt.com / chat.openai.com
- claude.ai
- gemini.google.com
- aistudio.google.com
- perplexity.ai
- chat.deepseek.com
- grok.com
The extension injects its toolbar UI on these sites only. It does not read, collect, or transmit any content from these pages other than prompt text you explicitly submit through the Alchemist interface.
11. Cookies and Local Storage
The Alchemist Chrome extension does not use cookies. Session state is managed via JWT tokens stored in chrome.storage.local. Our website at try-alchemist.com uses Supabase authentication tokens stored in localStorage for web dashboard sessions. These tokens are functional, not tracking cookies, and are not used for advertising or cross-site tracking.
12. Children's Privacy
Alchemist is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you have reason to believe that a child under 13 has provided personal data to us, please contact us at hello@try-alchemist.com and we will promptly delete that information.
13. Data Practices We Do Not Engage In
For clarity, we do not:
- Sell, rent, or trade your personal data to any third party.
- Use your data for personalized advertising or retargeting.
- Use your prompt content to train AI models.
- Use third-party analytics, advertising SDKs, or behavioral tracking tools.
- Collect or access your browsing history.
- Read content from any website other than the supported AI platforms listed in Section 10.
14. Chrome Web Store User Data Policy Compliance
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
Specifically:
- Data use is limited to providing and improving Alchemist's single stated purpose: prompt enhancement for AI tools.
- User data is not transferred to third parties except as necessary to deliver the service, comply with applicable laws, or protect against fraud and abuse.
- User data is not used or transferred for advertising purposes.
- User data is not sold to third parties, data brokers, or information resellers.
- Human access to user data is limited to circumstances where the user has given explicit consent, the data is aggregated and anonymized for internal operations, access is necessary for a security investigation, or access is required by law.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the date at the top of this page and notify affected users by email. Continued use of the service after changes take effect constitutes acceptance of the updated policy. We encourage you to review this page periodically.