Privacy Policy — Legal Ops Maestro
Effective date: [EFFECTIVE_DATE]
Last updated: [EFFECTIVE_DATE]
This privacy policy explains what data Legal Ops Maestro (the “Extension”) collects, what it doesn’t collect, and how optional paid features handle data differently from the free core product. If anything is unclear, email [SUPPORT_EMAIL].
TL;DR
- Core tracking is 100% local. Your work log lives in your browser’s storage. It is never sent to us.
- AI features are opt-in. When you choose to use them, and only then, we receive the specific content you confirmed to send.
- We do not use third-party analytics on the Extension or the marketing website. We do not track pageviews, clicks, or user identities for marketing purposes.
- Paid add-ons (Resume Pack, Portfolio Page, Annual Review Pack, and the Orchestra Career Pack bundle that includes all three) require an account and involve a payments processor; details below.
1. Who we are
Legal Ops Maestro is operated by [LEGAL_ENTITY]. Questions about this policy: [SUPPORT_EMAIL]. Mailing address: [CONTACT_ADDRESS].
2. What the Extension stores locally on your device
When you use the free core product, the following data is stored only in your browser (Chrome’s chrome.storage.local). None of it is transmitted to us:
- Your work-tracking entries: start/end times, durations, labels, optional notes you type.
- Your work-button configuration: labels, colors, CLOC weightings.
- Your profile (if you choose to fill it out during onboarding): display name, target job, selected industries.
- Your optional AI API key (if you choose to enable Bring-Your-Own-Key AI features — see §4).
- Settings and preferences.
You can export all of this data as JSON or CSV from the Dashboard at any time, and you can delete it permanently using the “Delete all data” action on the Options page. Deletion is immediate and unrecoverable.
3. What we DO NOT collect
When using the free core product:
- We do not receive your work entries, labels, notes, or timer activity.
- We do not receive your browser history, page titles, URLs, clipboard contents, or any activity outside the Extension’s own pages.
- We do not set cookies on third-party sites.
- We do not use Google Analytics, Mixpanel, PostHog, Facebook Pixel, or any third-party analytics or tracking service.
- We do not fingerprint your device.
- We do not maintain a server-side database of your tracking data.
The Extension requests only two browser permissions: storage (to save your entries locally) and alarms (to keep timers running reliably). It does not request host permissions for web pages you visit or access to your tabs, history, or bookmarks.
4. Optional AI features — Bring-Your-Own-Key (free core product)
The Extension includes optional AI features (resume bullets, personalized work buttons, archetype narrative). These features are OFF by default. Nothing is sent anywhere until you:
- Open Settings and manually enable AI.
- Paste your own API key from Anthropic or OpenAI.
- Click a feature that uses AI.
- Review a consent modal showing you the exact JSON payload to be sent, the provider, the model, and an estimated cost.
- Click “Send”.
In this BYO-key mode:
- Your API key is stored locally (lightly obfuscated; documented in the Settings UI as not encryption).
- Requests go directly from your browser to Anthropic or OpenAI — we (the publisher) do not see or relay the content.
- Your relationship with Anthropic or OpenAI is governed by their respective terms and privacy policies.
- You can revoke access at any time by removing your API key in Settings or deleting all data.
5. Paid add-ons (v0.2.0 and later)
When paid add-ons launch, this policy will be updated with an effective date. Using a paid add-on requires you to create an account and means the following data handling applies:
5.1 Account
To purchase and use paid add-ons, you sign in via a magic link sent to your email. We store:
- Your email address.
- A hashed (SHA-256) session token.
- Your account creation date and last-active timestamp.
- Your purchase history (see §5.2).
We do not store passwords because we don’t use them. Authentication is passwordless.
5.2 Payments
Payments are processed by Creem.IO, acting as merchant of record. Creem handles your card details, tax, and invoices — we never see your card number or billing address. We receive a webhook from Creem noting your purchase ID, product, amount, currency, and a reference to your Legal Ops Maestro user account.
Creem’s privacy policy: https://creem.io/privacy
5.3 AI proxy for paid features
When you use a paid AI feature (e.g., generate resume bullets), the following flow occurs:
- The extension composes a payload from only the fields you consent to send — typically your archetype, top CLOC categories, tracked hours, and optional highlights you type.
- The payload is sent to our Cloudflare Worker backend (legalopsmaestro.com/api/ai/*).
- The Worker forwards it to Cloudflare AI Gateway with Unified Billing and Zero Data Retention (ZDR), which routes the request directly to the chosen model provider — currently Anthropic or OpenAI. ZDR ensures Cloudflare does not retain your prompt or response. Anthropic and OpenAI’s standard API tiers do not train on API traffic, so the model providers themselves do not retain or learn from your data either. (Confirmed with Cloudflare support 2026-04-28: ZDR + no-training is a composite guarantee for Unified Billing routes to these two providers by default; no separate enterprise agreement required.)
- We log metadata about the call (timestamp, model used, token counts, cost in cents, cache status) for operational accounting. We also scan inputs and outputs for sensitive identifier patterns and block any request or response that contains them — to protect you from accidentally exposing identifiers you didn’t mean to share. The scan covers:
  - Financial identifiers (credit card numbers, bank account numbers)
  - Social Security Numbers
  - Insurance and tax identifiers
  - Government-issued ID numbers (passport, driver license, national ID)
  - API keys and cloud-provider credentials (OpenAI, Anthropic, AWS, GitHub, Stripe, Slack, generic bearer tokens, PEM-format private keys)

  The first four categories are scanned by Cloudflare AI Gateway’s Data Loss Prevention layer. The credentials category is scanned by our Worker before the request reaches Cloudflare. Both apply to inputs and outputs.

  Email addresses, phone numbers, and similar contact details are not blocked, because they legitimately belong in resumes and portfolio pages.
- We do not log or retain the prompt or the response. The content flows through the Worker and is not persisted on our servers, and ZDR ensures the underlying providers do not retain it either.
- Future opt-in (v0.3, not yet shipped): if a generation produces a clearly broken result and you want our help debugging it, a future version may show a one-click “send this to support” button. Clicking it would send only that specific prompt and response to a debug-only store, retained for 7 days then auto-deleted, used solely to investigate the issue you reported. This will be OFF by default; without your explicit per-incident click, no prompt or response leaves the default flow described above.
Cloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/
Anthropic and OpenAI each have their own API privacy policies, accessible through Cloudflare’s Unified Billing route.
5.4 Portfolio Page (if purchased)
If you purchase the Portfolio Page add-on, you can publish a public profile at legalopsmaestro.com/u/{your-handle}. Only data you explicitly mark public is published:
- A user-chosen display title.
- Your archetype badge, level, top-3 CLOC category names.
- Resume bullets you specifically mark as public.
- An optional profile photo you upload.
Tracking data, timer entries, individual work logs, and private notes are never rendered on the public page, regardless of account status.
5.5 Magic-link email
When you request a sign-in link, we pass your email and the one-time link to Resend (our transactional email service). Resend retains minimal delivery metadata per their policy: https://resend.com/legal/privacy-policy
6. Security
- Transport security: TLS 1.3 with HSTS for the backend domain.
- Session tokens are stored in your browser and compared server-side only as a SHA-256 hash.
- API keys (BYO-key mode) are stored locally in your browser with light obfuscation (not encryption — documented in the Settings UI).
- Session validity: 30-day sliding window; sign out at any time to revoke.
No system is perfectly secure. If you discover a security issue, please email [SUPPORT_EMAIL] with the subject line “Security”.
7. Data retention and deletion
- Local tracking data: retained until you delete it via the Options page. We have no copy.
- Account and purchase records (paid users only): retained while your account is active, plus 7 years for tax and accounting compliance.
- AI usage metadata (model, tokens, cost): retained for 12 months then purged.
- Portfolio pages: retained while active; on lapse or explicit unpublish, returned to a private state. The data is retained for up to 12 months to allow renewal restoration, then permanently deleted.
Right to deletion: email [SUPPORT_EMAIL] from the email address on file and request deletion. We complete deletion within 30 days. Portfolio pages and account records are removed; tax/accounting records for completed purchases are retained as required by law.
8. Children’s privacy
Legal Ops Maestro is intended for working legal operations professionals. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, email [SUPPORT_EMAIL] and we will delete it.
9. International users
If you access the Extension from outside the United States, you understand that information may be processed in the United States (where Cloudflare Workers run) or in other regions where our providers operate. By using the Extension, you consent to this transfer.
For users in the European Economic Area, the United Kingdom, or California: you have rights to access, correct, port, and delete your data, and to object to processing. Email [SUPPORT_EMAIL] to exercise these rights.
10. Third-party services
| Service | Purpose | When it sees data |
|---|---|---|
| Cloudflare (Workers, D1, R2, AI Gateway, Workers AI) | Hosting and delivery of the paid backend; AI routing under Unified Billing with Zero Data Retention; Workers AI for free / degraded fallback inference | Only when you use a paid or free AI feature |
| Creem.IO | Merchant of record for paid add-ons | Only when you purchase |
| Anthropic | Upstream AI model provider for paid long-form features (via Cloudflare AI Gateway, Zero Data Retention composite, standard API tier — no training on prompts) | Only during a paid AI call |
| OpenAI | Upstream AI model provider for paid short-form features and fallback (via Cloudflare AI Gateway, Zero Data Retention composite, standard API tier — no training on prompts) | Only during a paid AI call |
| Resend | Sign-in email delivery | Only when you sign in |
11. Changes to this policy
We will update this policy when we add features, change providers, or clarify language. The effective date at the top reflects the last substantive change. For material changes that affect how we handle your data, signed-in users will receive an email notice at least 7 days before the change takes effect.
12. Contact
Privacy questions: [SUPPORT_EMAIL]
Security reports: [SUPPORT_EMAIL] with subject “Security”
Mailing address: [CONTACT_ADDRESS]