Privacy Policy

Effective Date: April 5, 2026 — Last Updated: April 5, 2026

Gmail Read Receipts ("the Extension," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

By installing or using the Extension, you agree to the practices described in this policy. If you do not agree, please uninstall the Extension and discontinue use.

1. Information We Collect

1.1 Information You Provide

Google Account Email Address — collected during sign-in via Google OAuth to identify your account and isolate your tracking data.

1.2 Information Collected Automatically

Data Type	Purpose	Retention
Email subject lines	Display in your tracking dashboard so you can identify which email was opened	90 days (Free) / 1 year (Pro)
Recipient email addresses	Display in your tracking dashboard and match open events to emails	90 days (Free) / 1 year (Pro)
Email open timestamps	Record when a recipient opens your email	90 days (Free) / 1 year (Pro)
Anonymized IP addresses	Approximate geographic location of opens (last octet zeroed for anonymization)	90 days (Free) / 1 year (Pro)
User agent strings	Determine the device type and email client used to open your email	90 days (Free) / 1 year (Pro)

1.3 Information We Do NOT Collect

We do not read, store, or transmit the body content of your emails.
We do not access your Gmail inbox, drafts, or any folder other than injecting a tracking pixel at the time you send.
We do not collect passwords, financial information directly, or contacts beyond the specific recipients of tracked emails.

2. How We Use Your Information

Provide core functionality: tracking whether your sent emails have been opened, delivering open notifications, and displaying read status badges in Gmail.
Maintain your account: authenticating you and keeping your tracking data isolated from other users.
Improve the service: aggregated, anonymized usage statistics to understand feature adoption and performance.
Process payments: if you subscribe to a paid plan, your billing is handled by Stripe (see Section 4).

3. How Data Is Stored and Secured

All tracking data is stored in Google Firebase / Cloud Firestore, hosted on Google Cloud Platform infrastructure.
Data is encrypted in transit (TLS) and at rest (AES-256) by Google Cloud.
Firestore security rules enforce per-user data isolation — you can only access your own tracking records.
Authentication tokens are stored locally in your browser via the chrome.storage API and are never transmitted to third parties.

4. Third-Party Services

4.1 Google Firebase / Cloud Firestore

We use Firebase for authentication, data storage, and serverless functions. Firebase is operated by Google and subject to the Firebase Terms of Service and Google Privacy Policy.

4.2 Stripe

If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store your credit card number, bank account details, or other payment instrument data on our servers. Stripe's handling of your payment information is governed by the Stripe Privacy Policy.

We receive from Stripe only: your Stripe Customer ID, subscription status, and billing period dates.

4.3 No Other Third-Party Sharing

We do not sell, rent, or share your personal data with any other third parties for marketing, advertising, or any purpose beyond what is described in this policy.

5. IP Address Anonymization

When a recipient opens a tracked email, the tracking pixel request includes their IP address. We anonymize this IP address by zeroing the last octet before storing it (e.g., 192.168.1.45 becomes 192.168.1.0). This limits geographic precision to the city or region level and prevents identification of individual recipients by IP address alone.

6. Data Retention

Free plan: Tracking data (email metadata and open events) is retained for 90 days from the date the email was sent, then automatically deleted.
Pro plan: Tracking data is retained for 1 year from the date the email was sent, then automatically deleted.
Account data: Your account record (email address, plan status) is retained as long as your account is active. If you delete your account, all data is removed within 30 days.
Payment records: Billing history is retained by Stripe according to their data retention policy and applicable financial regulations.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access: Request a copy of all personal data we hold about you.
Right to Rectification: Request correction of inaccurate personal data.
Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data. Upon request, we will delete your account and all associated tracking data within 30 days.
Right to Data Portability: Request your data in a structured, machine-readable format (JSON or CSV).
Right to Restrict Processing: Request that we limit the processing of your data under certain circumstances.
Right to Object: Object to the processing of your personal data based on legitimate interests.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

Legal Basis for Processing: We process your data based on:

Contract performance: Processing necessary to provide the service you have requested (email open tracking).
Legitimate interests: Improving service reliability, preventing abuse, and generating anonymized usage analytics.
Consent: Where required by applicable law, particularly for optional features such as browser notifications.

To exercise any of these rights, contact us at the email address listed in Section 12 below. We will respond within 30 days.

8. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
Right to Delete: Request deletion of personal information we have collected.
Right to Opt-Out of Sale: We do not sell your personal information. There is no sale to opt out of.
Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.

9. Email Tracking Disclosure and CAN-SPAM Compliance

This Extension uses a tracking pixel (a 1x1 transparent image) embedded in outgoing emails to detect when a recipient opens the message. The tracking pixel is loaded from our servers when the email is rendered, recording the open event.

9.1 Sender Responsibilities

If you use this Extension for commercial or marketing emails, you are responsible for ensuring your emails comply with the CAN-SPAM Act, including:

Including accurate sender identification and a valid physical postal address.
Providing a clear and functional unsubscribe mechanism.
Not using deceptive subject lines or misleading header information.

The Extension includes an optional setting to append a tracking disclosure footer to your emails (e.g., "This email may contain a read notification"). We encourage enabling this feature, especially for recipients in GDPR-regulated jurisdictions.

9.2 Recipient Data

When a recipient opens a tracked email, we collect only the anonymized IP address, user agent string, and timestamp associated with the open event. Recipients may request deletion of any data associated with their email address by contacting us at the address in Section 12.

10. Children's Privacy

The Extension is not intended for use by individuals under the age of 13 (or 16 in jurisdictions where GDPR applies). We do not knowingly collect personal information from children. If we become aware that a child has provided personal data, we will take steps to delete that information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this page.
Display a notice within the Extension popup for at least 30 days following the change.
For significant changes affecting data collection or sharing, send an email notification to your registered email address.

Your continued use of the Extension after the effective date of a revised policy constitutes acceptance of the changes.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about our privacy practices, please contact us at:

Email: john@hearthstonesoftwaregroup.com

We aim to respond to all privacy-related inquiries within 30 days.

If you are in the EEA and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority.