To use these add-ons, you'll need to download Firefox.

Log in
Add-on icon

Privacy policy for Imperum Veil — PII Redactor

Imperum Veil — PII Redactor by Imperum Team

0 Stars out of 5
5
0
4
0
3
0
2
0
1
0
Privacy policy for Imperum Veil — PII Redactor

Imperum Veil — Privacy Policy

Last updated: May 28, 2026

Imperum Veil is a browser extension that detects and redacts personally identifiable information (PII) before it is sent to a web-hosted large language model (LLM). This policy describes what
data the extension processes, where it goes, and what it does not do.

  1. What the extension reads

To detect PII, the extension reads the text the user types into the prompt editor on the following sites:
- chatgpt.com
- chat.openai.com
- claude.ai
- gemini.google.com
- copilot.microsoft.com
- m365.cloud.microsoft

Reading happens entirely inside the browser. The text is matched against a regular-expression catalogue (the Veil pattern set) to identify PII categories such as email addresses, IP
addresses, usernames, hostnames, secrets, credit-card numbers, and similar.
  1. What the extension stores locally

The extension stores the following in the browser's local extension storage (browser.storage.local). None of this is synced to the user's Mozilla or Google account.
  • The URL of the user's Imperum tenant (entered by the user on first run).
  • An SSO access token, refresh token, or personal access token used to authenticate calls to that tenant.
  • A local queue of pending audit events (described below).
  • A cached copy of the redaction policy fetched from the user's Imperum tenant.
  • What the extension transmits

The extension makes outbound network calls only to the Imperum URL the user configures. It does not contact any third party, telemetry endpoint, or Imperum-operated server unless the user has
explicitly enrolled against that server.

Two types of data are sent to the user's Imperum tenant:

(a) Configuration requests. The extension fetches the current redaction policy every five minutes.

(b) Audit events. Each time a user accepts a redaction, overrides one, or has a paste blocked, the extension records an event containing:
- The host (e.g. chatgpt.com).
- The action taken (redacted, sent_anyway, blocked, noop).
- Per-category counts of detected PII (e.g. "ip: 2, email: 1").
- The browser user-agent string (truncated to 64 characters) and the extension version.
- An optional conversation identifier derived from the URL.

Audit events do NOT include the original PII values, the prompt text, the LLM response, or any other prompt content. Only counts and categories are transmitted.
  1. What the extension does not do
  2. It does not sell, share, or transfer user data to any third party.
  3. It does not contact any server other than the Imperum URL the user configured.
  4. It does not log keystrokes, mouse movements, or other input device events.
  5. It does not track the user's browsing history outside the six LLM hosts listed above.
  6. It does not use any data for advertising, profiling, or creditworthiness assessment.
  7. It does not use eval() or load remote JavaScript. All code is bundled at build time.
  8. Data retention

Local data (tokens, policy cache, audit queue) persists until the user clicks Sign out in the extension Options page or uninstalls the extension. Audit events sent to the user's Imperum
tenant are retained according to the customer's own data-retention policy, which the customer controls.
  1. Permissions explained
  2. storage: persist the items in section 2.
  3. alarms: schedule the five-minute policy sync and 30-second audit drain.
  4. identity: open the Sign in with Imperum window.
  5. tabs: fall back to opening the sign-in URL in a normal tab.
  6. Host permissions for the six LLM sites: required to run the redaction content script on those pages.
  7. Host permissions for http:/// and https:///: required because each Imperum customer self-hosts the platform at their own URL, which the user enters on first run.
  8. Contact

Questions about this policy: support@imperum.io

Notes to Reviewer (very important — paste this)

This is where you head off the questions that would otherwise bounce the review:

Imperum Veil is a B2B SecOps tool, not a consumer extension. It is a client
for the Imperum platform (https://imperum.io). End users authenticate against
their own self-hosted Imperum tenant via SSO or a personal access token
entered in the Options page on first run.

How to test without an Imperum account:
- Without a tenant the extension shows the Options page but performs no
network calls beyond the URL the user types in.
- For a live test, please email support@imperum.io and we will provision
a temporary tenant URL + access token.

Source code: the submitted XPI is produced by esbuild from TypeScript source
in src/. Output is unminified with source maps. We answered "Yes" to
"Do You Use a Code Generator or Minifier" and uploaded the full source
tarball on the previous step. Build instructions are in BUILD.md inside
that tarball.

Permissions justification:

storage persist enrollment + audit queue (chrome.storage.local only;
never storage.sync, so the PAT never leaves the device via
Mozilla account sync).

alarms five-minute policy sync + 30-second audit drain.

identity chrome.identity.launchWebAuthFlow for the SSO sign-in window.

tabs fallback for SSO when launchWebAuthFlow is unavailable
(e.g. http:// dev URLs that the identity API refuses).

6 LLM hosts (claude.ai, chatgpt.com, chat.openai.com, gemini.google.com,
copilot.microsoft.com, m365.cloud.microsoft)
required to run the content script on those hosts.

http://*/*, https://*/*
required because every Imperum customer self-hosts the
platform at their own URL (e.g. https://imperum.acme.com).
The extension calls only the one URL the user typed into the
Options page; the wildcard is necessary because Mozilla does
not allow user-configurable host permissions to be granted
at runtime in MV3.


Data collection (declared in browser_specific_settings.gecko.data_collection_permissions):
authenticationInfo the SSO/PAT token, stored locally; sent only to the
user-configured Imperum URL.
websiteActivity which LLM host the user is on (audit row), category
counts of detected PII. The PII values themselves
never leave the browser as audit data.

No eval, no remote scripts, no Wasm. All runtime JavaScript is bundled at
build time.