ClickNext AI Security Monitor

Chrome Extension — Privacy Policy

← กลับหน้าหลัก
Document Information Effective Date: April 21, 2026  |  Last Updated: July 13, 2026  |  Version: 2.12.0

1. Overview

This Privacy Policy describes how the ClickNext AI Security Monitor Chrome Extension ("Extension") collects, uses, and protects information when installed and used by employees of ClickNext Co., Ltd. ("Company").

This Extension is an internal enterprise security tool. It is not intended for public consumer use. It is deployed exclusively by the Company's IT department to monitor AI tool usage across company-managed devices in compliance with corporate security policies.

1.1 Supported AI Platforms

As of version 2.0.0, the Extension monitors the following web-based AI platforms:

#PlatformURLCategory
1ChatGPTchatgpt.com / chat.openai.comChat AI
2Claudeclaude.aiChat AI
3Geminigemini.google.comChat AI
4Microsoft Copilotcopilot.microsoft.comChat AI
5DeepSeekchat.deepseek.comChat / Code AI
6Perplexityperplexity.aiSearch AI
7Grok (xAI)grok.comChat AI
8Mistralchat.mistral.aiChat AI
9Poepoe.comAI Aggregator
10HuggingChathuggingface.co/chatOpen-source AI
11NotebookLMnotebooklm.google.comResearch AI
12Google AI Studioaistudio.google.comDeveloper AI
13Meta AImeta.aiChat AI

The Extension does not monitor desktop AI applications (e.g., Cursor IDE, VS Code Copilot, Codex CLI) as these operate outside the browser environment.

⚠️ This extension is for authorized corporate use only. By installing this extension, users acknowledge they are using a company-managed device and consent to activity monitoring as described in this policy.

2. What Data Is Collected

The Extension collects the following information when employees interact with supported AI platforms:

Data TypeDescriptionPurpose
User Prompt Text Text submitted by the employee to any of the 13 supported AI platforms listed above Security scanning for data leakage prevention (DLP)
User Identity Employee's Google Workspace email address (via Chrome Identity API) Audit trail and user attribution
Device Information Device identifier / computer name Asset tracking and security correlation
AI Platform Name of AI service being accessed (e.g., ChatGPT, Claude, Gemini, Copilot, DeepSeek, Perplexity, Grok, Mistral, Poe, HuggingChat, NotebookLM, AI Studio, Meta AI) Activity reporting
Timestamp Date and time of AI interactions Audit log and monthly reporting
Security Scan Result Whether the prompt triggered a security policy (e.g., PII detected, injection attempt) Incident management and compliance
Uploaded Image (Thumbnail) A downscaled, JPEG-compressed copy (max 1280 px on the longest side) of images the employee attaches to an AI platform — by any method, including the file picker, drag-and-drop, pasting a screenshot, or importing from cloud storage. Captured to give context for what was asked. The original full-resolution file is NOT uploaded or stored — only this downscaled copy. DLP/security review (e.g., detecting confidential documents or screenshots shared with external AI)

2.1 Password Vault (Optional Feature)

The Extension includes an optional Password Vault — a personal, opt-in credential store (similar to a team password manager). It is entirely separate from the security-monitoring described above and behaves as follows:

3. What Data Is NOT Collected

4. How Data Is Used

All collected data is used exclusively for the following corporate security purposes:

5. Data Transmission and Storage

Collected data is transmitted via HTTPS to the organization's own security gateway — by default clicknexttest.biz; organizations running an isolated instance are served by their own dedicated subdomain configured through managed browser policy. All data is:

6. Data Retention

Activity logs are retained for 90 days from the date of collection. After this period, records are automatically and permanently deleted from the server. Employees who leave the company may request immediate deletion of their data by contacting the IT Security team.

7. User Rights (PDPA / GDPR)

Employees have the following rights regarding their data:

To exercise any of these rights, contact: it@clicknext.com

8. Consent

This Extension is deployed via organization-level Chrome management (Google Admin Console Managed Settings). By using a company-managed device with this Extension installed, employees acknowledge and consent to the monitoring activities described in this policy, as disclosed in the Company's Employee IT Acceptable Use Policy.

9. Security

The Company implements technical and organizational measures to protect collected data, including TLS encryption in transit, access control on server infrastructure, and regular security audits of the gateway system. Password Vault credentials are encrypted at rest with AES-256-GCM and can be decrypted only by the employee who created them; administrators have no ability to read them.

10. Changes to This Policy

This policy may be updated periodically. Employees will be notified of material changes via internal communication channels. Continued use of company-managed devices after changes constitutes acceptance of the updated policy.

11. Changelog

VersionDateChanges
2.12.0July 13, 2026Vault UI: passwords and contacts are now shown separately — the shared/team view and the admin console group credentials ("🔑 รหัส / บัญชี") apart from customer records ("👤 Contacts / ข้อมูลลูกค้า"), and the extension popup's shared view is filtered by the same type tabs. Display/organization only; no change to what is stored or who can access it. (Also, internal groundwork for multi-tenant per-workspace access control — not user-visible.)
2.11.0July 13, 2026Vault UI: text tab labels ("Company", "Contacts") in the extension popup, and a "view details" button on contact/company records so their stored fields (email, phone, company, address, note …) can be viewed and copied field-by-field. Display only — no change to what is stored, monitored, or who can access it.
2.10.0July 13, 2026Central customer directory + convenience. New: a consented contact-capture prompt — when you submit a non-login form containing contact details (email + phone/name), the Extension offers to save it to the vault; like save-on-login, the fields are read at submit-time only to fill the prompt and are stored only if you click (nothing is captured, logged, or transmitted silently). New: an org-wide "central" share so customer contacts can be stored company-wide (visible to all employees + admin) instead of trapped in one person's personal vault — this keeps customer data from being lost when an employee leaves. New: CSV contact import and a share-to-team button in the extension popup. The privacy boundary is unchanged: personal vault entries remain owner-only and unreadable by administrators; only items a user deliberately shares (including org-wide) are visible to others, and every reveal is audited.
2.9.0July 13, 2026Vault convenience + governance: an "open website" button on entries with a URL; a share button to share one of your own saved items to a team/colleague directly from your list; a super-admin password-management console (org-wide view of teams, shared credentials, and the reveal audit trail — personal entries stay unreadable, only counted). The save-on-login prompt now also detects a changed password for a site already in your vault and offers to update it — the check is done by a compare-only request (your stored password is never sent back to the page and the check is not logged as a reveal), and nothing is saved or updated without your click. Autofill no longer activates on the ClickNext console's own pages. No new permissions or monitoring.
2.8.0July 13, 2026Expanded the Vault into a structured records store: Cards now hold expiry date and CVV, and two new record types were added — Company (tax ID, address, phone, email) and Contact (name, email, phone, company) for a central customer-contact directory. All extra fields are still encrypted at rest (AES-256-GCM); true secrets (card number/CVV, passwords) remain reveal-only, while non-secret directory fields are shown to people already authorized to see the entry so the directory is browsable. This is a data-entry feature only — it adds no new permissions, monitoring, or automatic collection; records appear only when a user deliberately enters them, and the personal/shared access rules (owner-only personal; shared readable by its recipients + audited super-admin) are unchanged.
2.7.0July 13, 2026Added an optional Shared / Team Vault for deliberately sharing work credentials with colleagues. Employees can create teams, add members, and share a credential either to a team or to specific email addresses. A shared credential is readable by the people it was shared with (team members / listed emails), the person who shared it, and — because it is a company-managed shared store — IT/super-admin for governance (e.g. off-boarding); every access to a shared credential is written to the audit log, and super-admin reads of items they do not own are flagged distinctly. Your personal vault entries (§2.1) are unaffected and remain owner-only — not even a super-admin can read them. Sharing is always a deliberate action by the person who holds the credential; nothing is shared automatically. Adds no new permissions or monitoring.
2.6.0July 13, 2026Added item categories to the Password Vault (Logins, Secure Notes, API Keys, Cards), similar to a standard password manager. This is purely an organizational grouping of items you deliberately save into your own vault; every category is stored the same way — encrypted with AES-256-GCM and readable only by you. This adds no new permissions, no new monitoring, and no new data collection: the Extension still never reads or captures anything you type into forms.
2.5.0July 13, 2026Added an optional "save this login?" prompt for the Password Vault. When you submit a login form, the Extension offers — with an explicit prompt you must click — to save that login to your own vault if it isn't already there. The credential is read at submit-time only to populate that prompt and is stored only if you click Save; it is never logged, monitored, or transmitted anywhere else, and nothing is saved without your click. This adds no new permissions and no new monitoring — it is the standard consented save-on-login behavior of a password manager.
2.4.0July 13, 2026Added optional autofill for the Password Vault. When you focus a login field on a website, the Extension can show a dropdown of your own saved vault entries matching that site and fill them when you choose one (or, if you turn on "auto-fill on page load", fill a single match automatically — off by default). To offer this, the Extension now runs on all websites (https://*/*); however it only injects the vault dropdown and fills credentials you explicitly saved — it does not read, capture, monitor, or transmit anything you type into forms on other sites, and it sends no page content anywhere. A saved password is fetched (decrypted) only at the moment you choose to fill it. This adds no new data collection.
2.3.0July 13, 2026Added an optional built-in password manager (Vault), opened from the Extension's toolbar button. Employees must sign in to their organization dashboard to unlock it; without signing in the Vault stays locked while all other Extension features keep working. Entries are deliberately added by the employee (never captured automatically from login forms) and are encrypted so that only that employee can read them — not the administrator. To unlock the Vault, the Extension reads the existing dashboard session token on the organization's own gateway domain; it does not read passwords typed into any other website.
2.2.0July 13, 2026Added support for organizations to run their own private, isolated instance of the security gateway. The Extension can now read a single setting — the gateway address — from the browser's managed (enterprise) policy configured by the organization's own IT administrator, so each organization's monitored data is sent only to that organization's own gateway and is never combined with another's. When no such policy is set, behavior is unchanged. This adds permission to reach the organization's gateway subdomain (*.clicknexttest.biz); it does not change what data is monitored or collected, and the gateway address is validated so it can only ever point to an authorized ClickNext gateway host.
2.1.7July 7, 2026The on-screen security alert now shows the specific word or phrase that triggered it, highlighted in the surrounding sentence, so an employee can immediately see what to remove or rephrase — instead of only naming the policy category. For alerts about a real secret/credential value (password, API key, credit-card or national-ID number), the value itself is partially masked in this display rather than shown in full. This change only affects how an already-detected match is displayed on-screen — it does not change what is detected, does not collect any new data, and adds no new permissions. Also refreshes the alert's icon.
2.1.6July 6, 2026Fixed a false-positive in the Company Confidential detection rule: a custom/admin-added term (e.g. a short business word) could previously be flagged anywhere it appeared, even with no connection to the Company. Detection for this category now requires the Company's name to appear near the matched term before anything is flagged, matching how this check has always worked on the server side. This is a detection-accuracy fix only — it does not change what data is collected, and adds no new permissions.
2.1.5July 2, 2026Company IT/security administrators can now manage the Extension's DLP block-list (which categories of sensitive content — company-confidential terms, personal data, credentials, prompt-injection phrases — are flagged) from an internal management dashboard, instead of a fixed list built into each release. To keep this list current, the Extension now periodically (every 30 minutes) fetches the latest rules from the Company's own security gateway in the background, which requires the new alarms permission to schedule. This permission is used only to trigger that periodic fetch — it does not access, collect, or transmit any additional employee data, browsing activity, or content. All other data handling described in this Policy is unchanged.
2.1.4June 19, 2026Improved the reliability and coverage of uploaded-image capture for DLP review. Previously only images added by pasting, drag-and-drop, or the standard file picker were captured; the Extension now also captures images attached through other methods — pasted screenshots, the browser's File System Access picker, cloud imports (e.g., Google Drive / Google Photos), and previews rendered inside web components (shadow DOM) — so confidential documents and screenshots shared with external AI are not missed. This change does not collect any new type of data and adds no new permissions; it still stores only the downscaled, JPEG-compressed thumbnail (never the original file), and duplicate captures of the same image are de-duplicated.
2.1.3June 15, 2026Increased the uploaded-image thumbnail resolution from 256 px to a maximum of 1280 px (longest side) so screenshots remain legible for security review — the original full-resolution file is still never uploaded or stored, only the downscaled copy. Refined DLP detection to flag on actual secret values (passwords, API keys, credit-card and Thai national-ID numbers, validated by checksum) instead of the mere mention of a keyword, which removes false blocks on ordinary questions such as "how do I set a strong password?".
2.1.0May 21, 2026Updated DLP rules to use Smart Context Detection. "ClickNext" alone is no longer blocked; it is only blocked when paired with sensitive keywords.
2.0.0May 18, 2026Expanded monitoring from 3 platforms (ChatGPT, Claude, Gemini) to 13 platforms. Added support for Microsoft Copilot, DeepSeek, Perplexity, Grok, Mistral, Poe, HuggingChat, NotebookLM, Google AI Studio, and Meta AI. Removed unused googleapis.com host permission.
1.9.8May 14, 2026Security hardening: added Thai keyword blocking for sensitive terms. Fixed retry bypass vulnerability.
1.9.7May 13, 2026Added AI reply token tracking via MutationObserver. Improved Thai token estimation.
1.9.0April 21, 2026Initial release with PII detection, prompt injection blocking, and company data protection.

12. Contact Information

For questions about this privacy policy or data handling practices, contact: