Privacy Policy for OmniBrief
At ZumiLabs, we believe privacy is a fundamental right. OmniBrief was designed from the ground up to operate under a local-first, zero-knowledge architectural model. This Privacy Policy details how OmniBrief handles page text, saved history, search terms, and third-party API credentials.
1. Core Privacy Commitment: Local-Only Boundary
OmniBrief runs all core functions—including document scraping, database storage, vector embeddings, and search operations—directly inside your local Google Chrome browser instance.
- No Central Servers: ZumiLabs does not host or operate scraping servers, data aggregators, analytics engines, or databases for OmniBrief.
- Zero Transmission: No text from scraped web pages, reading logs, collection structures, or search inputs is transmitted to ZumiLabs or any third-party analytics vendor.
- Zero Telemetry: The extension contains no telemetry beacons, heartbeat pings, tracking codes, or remote error logging tools. Your interactions with the extension are entirely private.
2. Technical Data Storage and Segregation
Your data is segregated and stored strictly within your browser's sandboxed storage area:
- Origin Private File System (OPFS): All processed articles, summary text files, and screenshot preview thumbnails are written to the OPFS under a dedicated
/pages/<uuid>/folder structure. This filesystem is isolated from other domains and extensions, preventing unauthorized data access. - Persistent vs. Ephemeral Data: Metadata (including reading statuses such as Unread/Reading/Finished, favourites, pins, notes and tags), summaries, vector binaries, and images are persistent locally. Processing-queue state is saved to
chrome.storage.sessionto track in-flight operations; it is cleared when you close the browser.
3. Cryptographic Protection of Third-Party API Keys
If you choose to use third-party cloud AI models (such as Google Gemini, Anthropic Claude, or OpenAI) rather than native local engines, your API keys are protected using industry-standard cryptography:
- PIN Derivation: A user-defined PIN is used to derive a 256-bit AES encryption key using PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA256 and a random cryptographic salt.
- AES-GCM Encryption: The plain text API key is encrypted using AES-GCM (Galois/Counter Mode) with a unique 12-byte initialization vector (IV).
- Local Storage: Only the salt, IV, and resulting ciphertext are saved locally to
chrome.storage.local. - Ephemeral Memory Cache: Decrypted keys are held in
chrome.storage.session. This memory space is accessed exclusively at runtime and is cleared when you close your browser. Plain text keys are never written to physical disk storage.
4. User Control: Data Export, Deletion, and Wiping
You retain absolute ownership of all stored data:
- ZIP Data Portability: You can export your entire OPFS library into a single
.zipfile at any time from the Storage settings pane. - Manual Database Wipe: You can trigger a permanent database wipe in the settings panel. This action deletes the entire
/pages/folder tree (all briefs, embeddings and thumbnails). Configuration settings and encrypted API keys are unaffected. Stored keys can be permanently removed at any time via Reset PIN in the provider settings.
5. Regulatory Compliance: GDPR and CCPA
Because OmniBrief does not collect, transmit, or store personal data on any server, our regulatory posture is exceptionally secure:
General Data Protection Regulation (GDPR)
Under the GDPR, ZumiLabs is neither a "Data Controller" nor a "Data Processor." Since all personal data, web histories, and content summaries are stored and processed locally within your browser sandbox, you maintain exclusive custody of your data. The processing of any personal data occurs solely on your own equipment.
California Consumer Privacy Act (CCPA)
OmniBrief does not collect "Personal Information" as defined under the CCPA. We do not sell, rent, disclose, or share user data, histories, or credentials under any circumstances, as we do not have access to them.
6. Contact Us
If you have any questions or feedback regarding our privacy practices, please contact us at [email protected].