VerraVerra
HomeProductDocs
Book a DemoSign in / Sign up

Privacy

Verra browser extension privacy policy

Last updated May 22, 2026

Overview

This policy explains how the Verra browser extension, referred to here as the extension, handles information. It covers the extension only; the Verra web application and other Verra services are covered by separate policies.

The extension helps organizations govern how their teams use web-based AI assistants. It applies a data-loss-prevention policy to content entered into AI assistants such as ChatGPT, Claude, and Gemini, and it records AI usage so the organization can audit and govern it.

How the extension is deployed

The extension is installed and configured by an organization, such as your employer, that operates a Verra workspace. That organization decides what the extension does and is the controller of the information the extension produces. Verra operates the underlying service on the organization's behalf as a processor. If you use the extension as a member of an organization, please also refer to that organization's own privacy and AI usage policies.

What the extension collects

When a device is paired to a Verra workspace, the extension sends the following information to that workspace:

  • A device pairing identifier and a device name that you or your administrator provide.
  • Records of AI assistant usage: the AI tool involved, whether content was pasted or sent, the policy decision (allowed, warned, or blocked), and a one-way cryptographic hash and character count of the content. The hash cannot be reversed back into the original text.
  • A risk summary: counts of detected secrets, personal data items, and large pastes. This detection runs on your device.
  • Optional information you choose to enter when you proceed past a warning, such as a purpose, a justification note, and a ticket reference.
  • The names of recognized business applications that are open at the same time as an AI assistant, drawn from a fixed list of well-known tools such as CRM, email, and cloud storage applications.
  • Basic technical metadata, such as your browser user-agent string.

What the extension does not collect

The extension is designed to keep sensitive content on your device. It does not send:

  • The raw text you paste or type into AI assistants. Risk analysis runs locally in your browser; only a one-way hash and a character count leave the device.
  • The content of any secret or credential. Secrets are detected locally and are never transmitted.
  • Full web addresses, page titles, or your general browsing history. Co-occurrence detection reports only application names from the fixed list described above.
  • Keystrokes, mouse movement, screenshots, or files.

How the data is used

The information the extension collects is used to apply your organization's AI usage policy, to produce audit and compliance records, and to give administrators visibility into which AI tools are in use and the risks around them. It is not used for advertising or for profiling unrelated to this purpose.

How the data is shared

Data from the extension is sent only to the Verra workspace operated by the organization that deployed it. Verra does not sell extension data and does not share it with third parties for advertising. Verra relies on infrastructure providers, such as cloud hosting and database services, to operate the service; those providers process data only to support Verra and under contractual confidentiality and security obligations.

Data stored on your device

The extension stores a small amount of operational data in your browser extension storage: the device pairing token, the current governance policy, the selected project, and a short-lived queue of events waiting to be sent if the browser was offline. This data stays in your browser.

Permissions the extension requests

The extension requests the minimum permissions it needs:

  • Access to the AI assistant sites (chatgpt.com, chat.openai.com, claude.ai, gemini.google.com), to apply data-loss-prevention checks on content entered there.
  • Access to the Verra service address, to retrieve policy and send governance records.
  • Reading the addresses of open browser tabs, to detect which recognized business applications are open alongside an AI assistant. Only application names from the fixed list are transmitted; full addresses and browsing history never leave the browser.
  • Local storage and scheduled background tasks, to hold the pairing token and policy and to retry sending records after the browser has been offline.

Data retention

How long extension data is retained is governed by your organization's Verra workspace settings and its agreement with Verra. Direct retention questions to your organization's Verra administrator.

Your choices and rights

Because the extension is deployed by your organization, that organization is the first point of contact for questions about your data, including access, correction, and deletion requests. Depending on where you live, you may have rights under laws such as the EU General Data Protection Regulation. You can raise a request with your organization's Verra administrator, or contact Verra using the details below and we will route it appropriately.

Security

Data is sent over encrypted HTTPS connections. Sensitive content is reduced to a one-way hash on your device before anything is transmitted.

Changes to this policy

We may update this policy as the extension changes. Material changes will be reflected by the last updated date shown at the top of this page.

Contact

Questions about this policy can be sent to privacy@helloverra.com.