The short version: Boppi's core PII detection runs entirely on your device. Optional features like team management and usage statistics require opt-in and use a secure hosted database. No raw PII values are ever transmitted.
1. What Boppi does
Boppi is a browser extension that detects and masks personally identifiable information (PII) in real time as you type into web-based applications, including AI tools. It is designed to help individuals and organizations prevent accidental exposure of sensitive data.
2. Data that stays on your device
The core of Boppi runs entirely inside your browser. The following data never leaves your device:
PII detection results — All scanning for Social Security numbers, phone numbers, email addresses, credit card numbers, and other sensitive patterns happens locally. No raw PII values are transmitted anywhere.
Your settings and preferences — Stored in chrome.storage.local on your machine.
Activity logs — Detection counts, risk assessments, and site trust lists are kept locally.
Admin and policy configurations — Any masking policies or industry profiles you configure remain in local storage.
You can clear all local data at any time from the Boppi dashboard under Admin > Reports > Clear All Event Data.
3. Data that may be sent externally
Boppi will only send data off your device if you explicitly opt in during onboarding or in settings:
Email address and industry selection — If you choose to provide your email (for update notifications) and select an industry during onboarding, those values are sent to a Supabase database. This is entirely optional. Boppi works fully without it.
Anonymous usage statistics — If you opt in, Boppi sends aggregate, anonymous telemetry (such as how many detections occurred, which PII categories were triggered, and general feature usage) to Supabase. These statistics contain no raw PII, no page content, and no browsing history.
That is the complete list. Boppi does not use third-party analytics services, advertising networks, or tracking pixels.
4. Accounts and authentication
Boppi offers optional account functionality for team and admin features. If your administrator invites you, you may create an account with an email and password. Account data (email, hashed password, role) is stored in Supabase Auth. You can use Boppi's core PII detection features without creating an account.
5. Permissions
Boppi requests the following browser permissions and uses them only as described:
Access to all websites (https://*/*) — Required to detect and mask PII across any web-based application, including AI tools like ChatGPT, Gemini, and Claude.
Storage — Required to save your settings and activity log locally.
Tabs — Lets Boppi know when you switch tabs so it can update its badge icon and apply the correct site settings.
Scripting — Enables Boppi to inject its content scripts into pages for real-time PII detection.
WebNavigation — Required to detect page navigations in single-page apps so Boppi can reinitialize detection on new views.
Context Menus — Adds right-click menu options for quick access to Boppi features.
6. Your rights
You can:
Disable or uninstall Boppi at any time. All locally stored data is removed when you uninstall the extension.
Opt out of anonymous statistics in the extension settings. Collection stops immediately.
Request deletion of any data sent to Supabase (your email or anonymous stats) by emailing boppii.ioo@gmail.com. Requests will be fulfilled within 30 days.
7. Children
Boppi is not directed at children under 13 and does not knowingly collect information from them.
8. Changes to this policy
If we make material changes to this policy, we will update the date at the top. Continued use of Boppi after changes constitutes acceptance of the updated policy.