Privacy Policy
Last updated: 2026-02-22
Introduction
ekflow ("we", "us", or "our") operates the GuIA Chrome extension and web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy.
Single Purpose: The GuIA extension exists solely to provide contextual AI-powered assistance for Oracle PeopleSoft. All data collection is limited to what is strictly necessary for this purpose.
Information We Collect
1. Information You Provide
- Account Information: When you create an account, we collect your email address, name, and organization details.
- Chat Messages: Questions you ask through the GuIA assistant are used exclusively to analyze and improve the quality of support interactions. Chat messages are automatically deleted after 90 days, or sooner if your organization's administrator initiates an early cleanup.
- Uploaded Documents: Documents you upload to the knowledge base for your organization.
- Feedback: Ratings and comments you provide about assistant responses.
2. Information Collected Automatically
- Page Context (URL and DOM): When using the Chrome extension on ERP systems configured by your organization, we collect contextual information including:
  - Page URL and title (to identify the ERP screen)
  - Technical metadata (component names, menu paths, panel identifiers)
  - Form field labels and types (NOT the values you enter)
  - Validation error messages displayed on screen
- ERP System Detection: We automatically detect Oracle PeopleSoft screens based on URL patterns and page structure. This ensures you receive assistance specific to your system.
- Usage Data: We collect information about how you use the Service, including features accessed, response times, and error logs.
- Device Information: Browser type, operating system, and extension version.
What We Do NOT Collect
We explicitly DO NOT collect:
- Values entered in form fields (only labels and field types)
- Passwords, credentials, or authentication tokens from ERP systems
- Social Security Numbers, credit card numbers, or financial data
- Data from websites outside your organization's configured ERP domains
- Browsing history, bookmarks, or activity on non-ERP sites
- Cookies or session data from your ERP system
3. Screenshots (Optional, Consent Required)
When escalating an issue to support, you may optionally include a screenshot of the current page to help diagnose the problem. Screenshots are:
- Only captured with your explicit consent: A consent dialog appears before any screenshot is taken. You can revoke consent at any time in settings.
- Automatically redacted: Sensitive fields (passwords, SSN, credit cards, personal identifiers) are automatically detected and covered with opaque rectangles before transmission. A watermark indicates "Sensitive data redacted by GuIA".
- Compressed and size-limited: Screenshots are compressed to JPEG (80% quality) and limited to 1MB maximum.
- Temporary storage only: Screenshots are deleted immediately after the support ticket is resolved (maximum 30 days).
- Never shared with third parties: Screenshots are only visible to your organization's support administrators.
Smart Screenshot Suggestions: The extension may suggest capturing a screenshot when you describe certain issues (e.g., "I can't find the button", "there's an error"). This suggestion is based on keywords in your message, not on analyzing your screen content.
4. Guided Walkthrough and Training Overlays (Optional)
For organizations that enable visual training features, the extension may display interactive overlays on ERP screens:
- DOM Access for Overlays: The extension reads the page structure (DOM) to position helpful tooltips and step-by-step guides on specific elements.
- No Data Extraction: Overlays only highlight and annotate existing elements; they do not extract or transmit field values.
- Organization-Controlled Content: All walkthrough guides are created and managed by your organization's administrators.
How We Use Your Information
We use the collected information for the following purposes:
- Provide the Service: To respond to your questions, provide contextual help, and escalate issues when needed.
- Improve the Service: To analyze usage patterns, identify common questions, and enhance response quality.
- Organization Analytics: To provide your organization's administrators with usage statistics and insights.
- Security: To detect, prevent, and address technical issues and security vulnerabilities.
- Communication: To send service-related notifications and respond to support requests.
Data Storage and Security
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Multi-Tenant Isolation: Your organization's data is logically isolated from other organizations using Row Level Security (RLS) policies.
- API Keys: Third-party API keys (if configured) are encrypted using industry-standard encryption.
- Data Retention: Chat messages are automatically deleted after 90 days. Your organization's administrator may also initiate an earlier cleanup at any time.
- Infrastructure: We use Supabase (PostgreSQL) for data storage and Vercel for application hosting, both SOC 2 Type II compliant.
Data Sharing
We do NOT sell your personal information. We may share data only in these cases:
- AI Providers: Chat messages are sent to AI providers (Anthropic Claude, OpenAI) to generate responses. These providers process data according to their privacy policies and do not use your data to train their models.
- Service Providers: We use trusted third-party services for email (Resend), hosting (Vercel), and database (Supabase).
- Legal Requirements: We may disclose information if required by law or to protect our rights.
- Organization Administrators: Your organization's admins can view aggregated usage statistics but NOT individual chat content.
Chrome Extension Permissions
The GuIA Chrome extension requires specific permissions to function. Below is a detailed explanation of each permission and why it is necessary:
| Permission | Why It's Needed | What It Accesses |
|---|---|---|
| `activeTab` | Read the current ERP page context (title, URL, form field labels) to provide accurate, contextual assistance | Only the currently active tab, only when you interact with the extension |
| `storage` | Store your authentication session, conversation history, and preferences (theme, language) locally in your browser | Local browser storage only; data never leaves your device without your action |
| `sidePanel` | Display the GuIA assistant chat interface in a side panel | No data access; UI display only |
| `tabs` | Detect when you navigate to a new page so the assistant can update context and suggest relevant help | Tab URL and title changes; not browsing history |
| `scripting` | Inject content scripts to read page structure (DOM) for context extraction and to display visual training overlays | Only on ERP domains configured by your organization; never on arbitrary websites |
| `host_permissions` (`<all_urls>`) | Access ERP systems your organization uses. This broad permission is required because ERP systems run on many different domains (your company's subdomain, cloud instances, etc.) | Restricted at runtime: The extension only activates on domains explicitly configured by your organization's administrator. On all other websites, the extension remains completely inactive and collects no data. |
Screenshot Capture (Optional)
When you choose to escalate an issue with a screenshot, the extension uses:
- `chrome.tabs.captureVisibleTab()`: Captures the visible area of the current tab. This only occurs when you explicitly click "Include Screenshot" and confirm consent.
Permission Minimization
We follow the principle of least privilege:
- No background tracking: The extension does not monitor your browsing activity in the background.
- No history access: We do not request `history` permission and cannot see your browsing history.
- No bookmark access: We do not request `bookmarks` permission.
- No cookie access: We do not request `cookies` permission and cannot access your ERP session cookies.
- Runtime restriction: Despite having `host_permissions`, the extension only executes on organization-approved ERP domains.
Your Rights
You have the right to:
- Access: Request a copy of your personal data.
- Correction: Update or correct inaccurate information.
- Deletion: Request deletion of your personal data.
- Export: Export your chat history in a portable format.
- Withdraw Consent: Revoke screenshot permissions at any time.
To exercise these rights, contact us at soporte@ekflows.com.
GDPR Compliance
For users in the European Economic Area (EEA):
- We process data based on contractual necessity and legitimate interests.
- You may lodge a complaint with your local data protection authority.
- Data transfers outside the EEA are protected by Standard Contractual Clauses.
Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.
Contact Us
If you have questions about this Privacy Policy, please contact us:
- Email: soporte@ekflows.com
- Support: ekflows.com/support