Extension privacy policy

The short version

The pattern scan runs locally in your browser. It does not transmit, log, or store the scanned text on any server. No account is required to use the pattern scan.

Your text only leaves your browser when you explicitly click the deep-audit or rewrite button. That sends the text to avoidaiwriting.com for a Claude-powered audit, which costs credits. To hold a credit balance and view your audit history, you can optionally sign in with an email magic link or a Solana wallet. Pattern scanning works fully without signing in.

What the extension does locally

• Pattern detection. When you click the scan button, the extension runs about 43 categories of regular expressions against the text in the focused text field. This happens entirely in your browser's JavaScript engine. No network call is made for the scan.
• Score and highlight rendering. Results are rendered inside a shadow-DOM panel next to the scanned field, or inside the popup if you scanned text pasted there.
• Per-tab badge. After a scan the extension icon shows the issue count for that tab. Each tab tracks its own count; switching tabs shows that tab's badge.

What the extension stores

The extension uses two storage areas, both scoped to your local browser profile. Nothing is synced across Chrome profiles, and the extension does not use any third-party storage.

• chrome.storage.local persists:
  • Options-page preferences — whether the floating scan button is shown, and a per-user list of domains where you've chosen to disable the extension.
  • For signed-in users only: a session token, your associated email, and your current credit balance. The session token is a random bearer string issued by avoidaiwriting.com at sign-in. It is sent only to avoidaiwriting.com, only on authenticated calls (deep audit, balance fetch, sign-out). It is removed when you click Sign Out.
  • Transient pair state while a sign-in is in progress — a poll token and deadline so that closing the popup mid-flow doesn't lose your sign-in. Cleared automatically when the sign-in completes, is cancelled, or times out (10 min).
• chrome.storage.session is used briefly when you click the deep-audit button on a page's floating panel (the in-page handoff to the web app — separate from the popup deep audit described below). The text is read by the web app immediately, the entry is removed within 60 seconds, and the entire session area is cleared when the browser session ends.

Nothing else is stored. Scanned text itself is never persisted to disk by the extension. It lives in memory while the results panel is open and is discarded when the panel closes.

Retention. Options preferences persist until you change them or uninstall the extension. Session token, email, and cached credit balance persist locally until you click Sign Out (the server invalidates the token at the same time) or until 90 days of inactivity, whichever is sooner. Pending pair-handshake state is cleared within 10 minutes (sooner if the handshake completes or you cancel). Audit history saved on avoidaiwriting.com/history is retained until you delete individual entries or close your account; you can also disable history retention from that page.

What the extension sends over the network

The extension makes network calls only in the following situations, all of which require explicit user action:

1. Deep audit and rewrite (the only paths that transmit your text)

There are two ways to start a deep audit, and they use different transports:

• From the extension popup. If you are signed in and click the deep-audit or rewrite button inside the popup, the extension sends an authenticated POST to avoidaiwriting.com/api/audit containing your text and your session token. The result is rendered back inside the popup. One audit credit is consumed.
• From the in-page floating panel. If you click the deep-audit button inside the results panel that appears on a page after a scan, the extension writes your text into chrome.storage.session and opens a new tab to avoidaiwriting.com/rewrite. The web app reads the stashed text via a same-origin postMessage, then clears the stash. Your text is not included in the URL. If chrome.storage.session is unavailable (rare), the extension falls back to a URL-fragment handoff (#text=...); URL fragments are not sent over the network and don't appear in access logs or Referer headers.

In both paths your text is sent only to avoidaiwriting.com (which is Fernwillow Holdings LLC's server, the publisher of this extension). avoidaiwriting.com forwards the text to Anthropic's Claude API for the audit under Anthropic's data-processing terms. Anthropic does not use the text to train models. The audit input and result are saved to your account history at avoidaiwriting.com/history if you are signed in, so you can revisit past audits. You can delete individual entries or disable history retention from that page.

2. Sign-in (optional)

If you click Sign In, the extension calls avoidaiwriting.com/api/auth/extension/pair-init to start a pairing handshake, opens a tab to the avoidaiwriting.com sign-in page, and polls avoidaiwriting.com/api/auth/extension/pair-claim until you complete the magic-link or wallet flow on the web side. No scanned text is sent during sign-in — only the pairing tokens. On success the server returns a session token, which is saved to chrome.storage.local as described above.

3. Credit balance check (signed-in only)

When the popup opens for a signed-in user, the extension fetches your current credit balance from avoidaiwriting.com/api/credits with your session token. No text is included in this call.

4. Sign-out

Clicking Sign Out tells avoidaiwriting.com/api/auth/extension/revoke to invalidate the session token on the server, then removes the token and email from chrome.storage.local.

No other network calls are made by the extension. There is no telemetry, no analytics, no third-party SDKs.

Optional sign-in — what you give and what you get

Sign-in is fully optional. Pattern scanning works without it. You might choose to sign in to:

• Run deep audits and rewrites directly from the popup without switching tabs.
• Hold a credit balance you can top up with a card on avoidaiwriting.com, by burning $avoid tokens, or by paying directly from your Solana wallet.
• Keep a history of your past audits at avoidaiwriting.com/history so you can revisit them, and delete them or disable retention from that page.

Sign-in methods are email magic link or Solana wallet signature. What we receive on sign-in is described in the site privacy policy.

Permissions the extension requests

• Host permissions on all URLs. Required so the scan button can appear on any text field you focus, regardless of site. The manifest explicitly excludes a set of sensitive origins so the extension never injects into them — currently Google Accounts (accounts.google.com), major US banks (Bank of America, Chase, Wells Fargo, Citi, Capital One), payment services (PayPal, Venmo), and password managers (1Password, LastPass). The list is maintained in manifest.json and grows over time.
• storage. Used for the options-page preferences, the optional signed-in session token + email + credit balance, the transient pair-handshake state, and the short-lived in-page deep-audit handoff. All scoped to your local browser profile.

What we don't do

• No analytics or telemetry is collected about your usage. We do not see which sites you visit, which fields you focus, or what you type.
• No scanned text is sent anywhere unless you explicitly click the deep-audit or rewrite button. The pattern scan itself never transmits text.
• No text you submit for a deep audit is used to train any model — not ours, not Anthropic's, not anyone's.
• Sign-in is optional. The pattern scan, score, highlights, and replacement suggestions all work without an account.
• No third-party trackers, ad SDKs, or remote-loaded code anywhere in the extension.

Your rights

If you are in the EU, UK, California, or another jurisdiction with a formal data-protection framework, you have the right to:

• Access the personal data we hold about you — in practice, your email and your saved audit history if you've signed in.
• Correct or delete that data. Audit history can be deleted yourself at avoidaiwriting.com/history; full account deletion is available on request.
• Port your data — email us and we'll send a JSON export of your audit history and account record.
• Object to or restrict processing, and withdraw consent for any optional processing.
• Lodge a complaint with your local data-protection supervisory authority (for example, the ICO in the UK or your national DPA in the EU).

To exercise any of these rights, email support@fernwillowholdings.com. We aim to respond within 30 days.

California residents: Fernwillow Holdings LLC does not sell or share your personal information for cross-context behavioral advertising, as defined by the CCPA/CPRA. We have not done so in the preceding 12 months.

Changes to this policy

If this policy changes, the updated version will be posted at this URL. Material changes that affect how user data is handled will be reflected in the extension's manifest.json as a version bump.

Last updated: May 16, 2026 (v1.2.0 — added disclosures for optional sign-in, popup-direct deep audit, credit balance fetch, and wallet payment; detection expanded from 36 to 43 categories with structural, social-template, stylometric, and AI-tool-fingerprint detectors).

Data controller

The Avoid AI Writing browser extension is published by Fernwillow Holdings LLC, a Washington limited liability company. Fernwillow Holdings LLC is the data controller for personal data the extension collects, which is limited to: locally-stored preferences; for signed-in users, an email address and a session token; and audit inputs and results submitted on explicit user action.

Mailing address:
5729 Littlerock Rd SW Ste 107 PMB 252
Tumwater, WA 98512-7386
United States

Contact email: support@fernwillowholdings.com

Contact

Questions about the extension's data practices: email support@fernwillowholdings.com, reach out via @avoidaiwriting on X, or post in Telegram.