1. Overview
This Privacy Policy describes how the ClickNext AI Security Monitor Chrome Extension ("Extension") collects, uses, and protects information when installed and used by employees of ClickNext Co., Ltd. ("Company").
This Extension is an internal enterprise security tool. It is not intended for public consumer use. It is deployed exclusively by the Company's IT department to monitor AI tool usage across company-managed devices in compliance with corporate security policies.
1.1 Supported AI Platforms
As of version 2.0.0, the Extension monitors the following web-based AI platforms:
| # | Platform | URL | Category |
|---|---|---|---|
| 1 | ChatGPT | chatgpt.com / chat.openai.com | Chat AI |
| 2 | Claude | claude.ai | Chat AI |
| 3 | Gemini | gemini.google.com | Chat AI |
| 4 | Microsoft Copilot | copilot.microsoft.com | Chat AI |
| 5 | DeepSeek | chat.deepseek.com | Chat / Code AI |
| 6 | Perplexity | perplexity.ai | Search AI |
| 7 | Grok (xAI) | grok.com | Chat AI |
| 8 | Mistral | chat.mistral.ai | Chat AI |
| 9 | Poe | poe.com | AI Aggregator |
| 10 | HuggingChat | huggingface.co/chat | Open-source AI |
| 11 | NotebookLM | notebooklm.google.com | Research AI |
| 12 | Google AI Studio | aistudio.google.com | Developer AI |
| 13 | Meta AI | meta.ai | Chat AI |
The Extension does not monitor desktop AI applications (e.g., Cursor IDE, VS Code Copilot, Codex CLI) as these operate outside the browser environment.
2. What Data Is Collected
The Extension collects the following information when employees interact with supported AI platforms:
| Data Type | Description | Purpose |
|---|---|---|
| User Prompt Text | Text submitted by the employee to any of the 13 supported AI platforms listed above | Security scanning for data loss prevention (DLP) |
| User Identity | Employee's Google Workspace email address (via Chrome Identity API) | Audit trail and user attribution |
| Device Information | Device identifier / computer name | Asset tracking and security correlation |
| AI Platform | Name of AI service being accessed (e.g., ChatGPT, Claude, Gemini, Copilot, DeepSeek, Perplexity, Grok, Mistral, Poe, HuggingChat, NotebookLM, AI Studio, Meta AI) | Activity reporting |
| Timestamp | Date and time of AI interactions | Audit log and monthly reporting |
| Security Scan Result | Whether the prompt triggered a security policy (e.g., PII detected, injection attempt) | Incident management and compliance |
3. What Data Is NOT Collected
- AI responses or outputs generated by AI platforms
- Browsing history unrelated to supported AI platforms
- Passwords, authentication credentials, or payment information
- Personal communications, emails, or messages outside AI platforms
- Location data (GPS or IP-based geolocation)
- Biometric data of any kind
4. How Data Is Used
All collected data is used exclusively for the following corporate security purposes:
- Real-time DLP (Data Loss Prevention): Scanning prompts for sensitive patterns such as API keys, credit card numbers, internal connection strings, proprietary code, and internal business data (e.g., business plans, salary information) before they are sent to external AI services.
- Security Audit Trail: Maintaining a time-stamped record of AI tool usage per employee for compliance with internal IT security policies.
- Incident Response: Identifying and flagging security policy violations for investigation by the IT Security team.
- Monthly Usage Reporting: Generating aggregated usage reports for management review of AI tool adoption and risk posture.
5. Data Transmission and Storage
Collected data is transmitted via HTTPS to the Company's internal security gateway server (clicknexttest.biz), which is operated and maintained by the ClickNext IT Security team. All data is:
- Transmitted over encrypted HTTPS connections (TLS 1.2+)
- Stored in a secured SQLite database on a company-controlled server
- Accessible only to authorized IT Security administrators
- Not shared with any third parties, vendors, or AI platform providers
- Never used for advertising, profiling, or any commercial purpose
6. Data Retention
Activity logs are retained for 90 days from the date of collection. After this period, records are automatically and permanently deleted from the server. Employees who leave the company may request immediate deletion of their data by contacting the IT Security team.
7. User Rights (PDPA / GDPR)
Employees have the following rights regarding their data:
- Right to Access: Request a copy of all data collected about you.
- Right to Deletion: Request permanent deletion of your activity records (Right to be Forgotten).
- Right to Correction: Request correction of inaccurate personal data.
- Right to Object: Object to processing of your personal data in specific circumstances.
To exercise any of these rights, contact: it@clicknext.com
8. Consent
This Extension is deployed via organization-level Chrome management (Google Admin Console Managed Settings). By using a company-managed device with this Extension installed, employees acknowledge and consent to the monitoring activities described in this policy, as disclosed in the Company's Employee IT Acceptable Use Policy.
9. Security
The Company implements technical and organizational measures to protect collected data, including TLS encryption in transit, access control on server infrastructure, and regular security audits of the gateway system.
10. Changes to This Policy
This policy may be updated periodically. Employees will be notified of material changes via internal communication channels. Continued use of company-managed devices after changes constitutes acceptance of the updated policy.
11. Changelog
| Version | Date | Changes |
|---|---|---|
| 2.1.0 | May 21, 2026 | Updated DLP rules to use Smart Context Detection. "ClickNext" alone is no longer blocked; it is only blocked when paired with sensitive keywords. |
| 2.0.0 | May 18, 2026 | Expanded monitoring from 3 platforms (ChatGPT, Claude, Gemini) to 13 platforms. Added support for Microsoft Copilot, DeepSeek, Perplexity, Grok, Mistral, Poe, HuggingChat, NotebookLM, Google AI Studio, and Meta AI. Removed unused googleapis.com host permission. |
| 1.9.8 | May 14, 2026 | Security hardening: added Thai keyword blocking for sensitive terms. Fixed retry bypass vulnerability. |
| 1.9.7 | May 13, 2026 | Added AI reply token tracking via MutationObserver. Improved Thai token estimation. |
| 1.9.0 | April 21, 2026 | Initial release with PII detection, prompt injection blocking, and company data protection. |
12. Contact Information
For questions about this privacy policy or data handling practices, contact:
- Organization: ClickNext Co., Ltd.
- IT Security Team: it@clicknext.com
- Website: clicknexttest.biz