Privacy Policy for OmniBrief

Product: OmniBrief Browser Extension Last Updated: July 7, 2026

At ZumiLabs, we believe privacy is a fundamental right. OmniBrief was designed from the ground up to operate under a local-first, zero-knowledge architectural model. This Privacy Policy details how OmniBrief handles page text, saved history, search terms, and third-party API credentials.

1. Core Privacy Commitment: Local-Only Boundary

OmniBrief runs all core functions—including document scraping, database storage, vector embeddings, and search operations—directly inside your local Google Chrome browser instance.

2. Technical Data Storage and Segregation

Your data is segregated and stored strictly within your browser's sandboxed storage area:

3. Cryptographic Protection of Third-Party API Keys

If you choose to use third-party cloud AI models (such as Google Gemini, Anthropic Claude, or OpenAI) rather than native local engines, your API keys are protected using industry-standard cryptography:

  1. PIN Derivation: A user-defined PIN is used to derive a 256-bit AES encryption key using PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA256 and a random cryptographic salt.
  2. AES-GCM Encryption: The plain text API key is encrypted using AES-GCM (Galois/Counter Mode) with a unique 12-byte initialization vector (IV).
  3. Local Storage: Only the salt, IV, and resulting ciphertext are saved locally to chrome.storage.local.
  4. Ephemeral Memory Cache: Decrypted keys are held in chrome.storage.session. This memory space is accessed exclusively at runtime and is cleared when you close your browser. Plain text keys are never written to physical disk storage.

4. User Control: Data Export, Deletion, and Wiping

You retain absolute ownership of all stored data:

5. Regulatory Compliance: GDPR and CCPA

Because OmniBrief does not collect, transmit, or store personal data on any server, our regulatory posture is exceptionally secure:

General Data Protection Regulation (GDPR)

Under the GDPR, ZumiLabs is neither a "Data Controller" nor a "Data Processor." Since all personal data, web histories, and content summaries are stored and processed locally within your browser sandbox, you maintain exclusive custody of your data. The processing of any personal data occurs solely on your own equipment.

California Consumer Privacy Act (CCPA)

OmniBrief does not collect "Personal Information" as defined under the CCPA. We do not sell, rent, disclose, or share user data, histories, or credentials under any circumstances, as we do not have access to them.

6. Contact Us

If you have any questions or feedback regarding our privacy practices, please contact us at [email protected].