Privacy Policy
Last updated: May 2026 · HumanAttest Security Ltd.
1. Our Core Privacy Commitment
HumanAttest is built on a zero-knowledge architecture. We do not read, store, or transmit your email content — ever. This is not a policy choice; it is a technical constraint enforced by our extension's permission model. The extension does not request Gmail API access and cannot read your emails even if it wanted to.
2. What We Collect
When you register: your full name and a hashed version of your TOTP secret (the secret itself is stored only on your device). When you verify a send action: a SHA-256 hash of the send-action event, the UTC timestamp, your registered full name, and the verification result (pass/fail). We do not collect your Gmail address, email content, recipient lists, attachments, or any Google account identifiers.
3. What We Never Collect
We never collect: your Gmail address or Google account ID, email subject lines, email body text, recipient email addresses (To/CC/BCC), email attachments or file names, browser history or tab URLs, biometric data (fingerprint, face scan — these are processed locally by your OS), Google OAuth tokens or session cookies, or any data from emails you receive.
4. How We Use Your Data
Your registered name is used solely to display the verified sender badge to email recipients. Verification hashes and timestamps are used to provide the audit trail service. We do not sell, share, or use your data for advertising, profiling, or any purpose other than providing the HumanAttest verification service.
5. Data Storage & Security
All data is stored in an encrypted PostgreSQL database (AES-256-GCM at rest). Data is transmitted over TLS 1.3. Database access is restricted to verified engineers with multi-factor authentication. We conduct regular security audits and penetration tests.
6. Data Retention & Deletion
Verification records are retained for 2 years, then automatically purged. You may request immediate deletion of all your records at any time by contacting support@humanattest.com. Account deletion removes all associated records within 30 days.
7. Your Rights (GDPR / CCPA)
You have the right to access, correct, export, or delete your personal data at any time. EU residents have additional rights under GDPR including the right to object to processing and the right to data portability. California residents have rights under CCPA including the right to know what data is collected and the right to opt out of sale (we do not sell data). To exercise any right, contact privacy@humanattest.com.
8. Contact
Privacy inquiries: privacy@humanattest.com
Security disclosures: security@humanattest.com
HumanAttest Security Ltd., 2026