Privacy Policy
Last updated: March 30, 2026
Be Candid (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect through our web application, browser extensions (Chrome and Safari), and Progressive Web App (PWA), how we use it, and your rights.
What We Collect
Browser Extension
- Domain names only — we track which websites you visit (e.g. “youtube.com”), never full URLs, page content, or form data.
- SHA-256 hashing — domain names are cryptographically hashed before transmission. We cannot reverse hashes back to the original domain.
- Time spent — duration of active browsing sessions per domain, aggregated in 30-minute windows.
- Category classification — domains are categorized locally on your device (e.g. social media, streaming). Classification happens client-side; raw browsing data is never sent to our servers for classification.
Web App & PWA
- Account information — email address and display name for authentication.
- Self-reported data — journal entries, mood check-ins, focus sessions, and goals you manually enter.
- Session duration — time spent in the Be Candid app (PWA tracking), with sessions under 30 seconds discarded.
What We Never Collect
- Full URLs, search queries, or page content
- Passwords, form inputs, or autofill data
- Screenshots, keystrokes, or screen recordings
- Browsing history from incognito/private mode
- Data from other browser extensions
How We Store & Protect Data
- Data is stored in Supabase with PostgreSQL row-level security (RLS). Each user can only access their own data.
- All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256.
- Authentication tokens stay on your device. The desktop app encrypts tokens at rest, and the browser extension keeps short-lived access tokens in session storage with refresh tokens stored separately.
- Failed event uploads are queued locally for up to 7 days, then permanently deleted.
Data Sharing
- Accountability partners — if you choose to add a partner, they receive alerts about high-severity events. They see the category (e.g. “social media”) and severity, never raw domains or URLs.
- Family/Guardian accounts — guardians see summary dashboards with category-level data. Detailed browsing data is never shared.
- We never sell your data. No advertising, no analytics brokers, no third-party data sharing for monetization.
Your Rights
- Export your data — request a full export of your data at any time from Settings > Privacy > Export Data.
- Delete your account — permanently delete all your data from Settings > Privacy > Delete Account. This is irreversible and removes all events, journals, check-ins, and partner connections.
- Pause monitoring — toggle monitoring off at any time from the extension popup. No data is collected while paused.
Contact
Questions about this policy? Email us at privacy@becandid.io
