Phylax Privacy Policy

Effective Date: May 5, 2026

Phylax (“we,” “our,” or “us”) provides a Chrome browser extension, parent dashboard, desktop application, and companion browser designed to help families protect children from harmful online content. This Privacy Policy explains what information we collect, how we use it, and how we protect it. It applies to all Phylax products, including the Chrome extension, the parent dashboard at dashboard.phylaxsafety.ai, the Phylax desktop agent, and the Phylax browser.

1. Information We Collect

Phylax collects only the data necessary to provide core child-safety functionality. The categories below describe exactly what is collected and why.

A. Account Information (Parent Dashboard)

When a parent creates an account, we collect:

  • Email address
  • Name (optional)
  • Encrypted password (or OAuth identity if using social login)
  • Subscription and payment status (processed by Stripe; we do not store credit card numbers)

This information is used for authentication, account management, and subscription billing only.

B. Device Pairing

When a parent pairs a child’s device, we generate and store:

  • A unique device identifier
  • An authentication token for secure communication between the extension and our backend
  • Device name (assigned by the parent)

No personal information about the child is collected during pairing.

C. Web Browsing Activity

The Phylax extension collects the following from websites the child visits:

  • Page URLs, domains, and titles
  • Page text content, headings, meta descriptions, and structured data (used for real-time safety classification)
  • Timestamps of page visits

Browsing activity is sent to the parent dashboard so parents can review their child’s web history. Pages that are blocked or flagged include additional context (e.g., the reason for the block).

Exempt domains: Phylax does not analyze content on email services (Gmail, Outlook, Yahoo Mail), productivity tools (Google Docs, Drive, Sheets), or banking sites. These domains are excluded from content scanning.

D. Search Queries

The extension intercepts search queries on Google, Bing, DuckDuckGo, and Yahoo to check them against parent-configured safety rules. Blocked search queries are logged and reported to the parent dashboard.

E. YouTube Video Metadata

On YouTube, the extension collects video titles, channel names, descriptions, and video identifiers to classify video content for safety. Blocked videos are reported to the parent.

F. Chat and Messaging Platforms

To detect grooming, manipulation, and other harmful interactions, Phylax monitors visible message content on the following platforms:

  • Discord
  • Instagram Direct Messages
  • WhatsApp Web
  • Facebook Messenger

Message text is analyzed for safety signals only. Conversations that do not trigger safety concerns are not stored on our servers. Flagged conversations generate a parent alert with a summary of the concern.

G. AI Chat Platforms

Phylax monitors the child’s interactions with AI assistants including ChatGPT, Claude, Google Gemini, Copilot, Perplexity, Poe, and Grok. We collect:

  • Prompts the child sends to AI assistants
  • Responses the AI assistant returns

These are evaluated against parent-configured rules to block unsafe prompts before submission and flag concerning AI responses. Blocked or flagged interactions are reported to the parent dashboard.

H. Screen Time and Activity Data

The extension tracks:

  • Time spent on each website (active browsing time)
  • Idle and active states (using Chrome’s idle detection API)
  • Activity signals such as scrolling, clicking, and typing (used solely to distinguish active use from idle/background tabs)

Screen time data is reported to the parent dashboard. Activity signals are aggregated and are not stored as individual keystroke or click logs.

I. Access Requests

When a child attempts to visit a blocked site, they may submit an access request. We collect the requested domain, the time of the request, and any message the child includes. Parents can approve or deny requests from the dashboard.

J. Safety Alerts and Reports

We store:

  • Flagged content summaries and risk classification scores
  • Blocked event logs (domain, timestamp, reason, content category)
  • Parent alert records

2. How We Use Information

We use collected data solely to:

  • Provide real-time content filtering and website blocking
  • Detect grooming, manipulation, and other harmful interactions in chat platforms
  • Filter unsafe AI prompts and flag concerning AI responses
  • Enforce parent-configured safety rules and screen time limits
  • Track and report screen time to parents
  • Send real-time safety alerts to the parent dashboard
  • Process access requests from children
  • Improve detection accuracy and reduce false positives

We do NOT:

  • Sell or transfer user data to third parties outside of the approved use cases described in this policy
  • Use data for advertising or marketing
  • Build behavioral profiles for any purpose other than child safety
  • Transfer data to data brokers
  • Use data to determine creditworthiness or for lending purposes
  • Use data for purposes unrelated to child safety

3. Data Processing and AI Analysis

Phylax uses artificial intelligence to classify content for safety risks. Here is how AI processing works:

  • On-device classification: The extension performs initial content analysis locally in the browser using rule-based logic and keyword matching. This data does not leave the device unless a safety concern is detected.
  • Cloud AI evaluation: When content requires deeper analysis (e.g., AI prompt safety checks, ambiguous grooming signals), the extension sends the relevant text to Google’s Gemini API for classification. Only the minimum necessary text is sent — we do not send the child’s identity, account information, or browsing history to Gemini.
  • Backend AI evaluation: In certain cases, content may be sent to our own backend for additional AI-powered safety classification.

Important details about AI processing:

  • AI processing is limited to safety detection and content classification
  • Data sent to Google Gemini is subject to Google’s API Terms of Service. Gemini API data is not used by Google to train their models.
  • We do not use child browsing data to train public AI models
  • AI classification results (safe/unsafe/blocked) are stored; raw content sent for classification is not retained after processing

4. Local Data Storage

The extension stores data locally on the child’s device using Chrome’s storage API, including:

  • Parent-configured safety rules and blocked domain lists
  • Device pairing credentials
  • Pending event logs (queued for upload to the backend)
  • Screen time session data
  • Policy version and sync state

Local storage enables the extension to enforce safety rules even when the device is temporarily offline. Locally stored data is cleared when the extension is uninstalled.

5. Data Storage and Security

We implement industry-standard security measures, including:

  • All data transmitted between the extension and our servers is encrypted via HTTPS/TLS
  • Authentication tokens are used for all API communication (bearer token authentication)
  • Database storage is encrypted at rest
  • Access to child activity data is restricted to the authenticated parent account holder
  • Payment processing is handled entirely by Stripe; we never see or store credit card numbers

Our backend infrastructure is hosted on secure, SOC 2-compliant cloud providers.

6. Data Sharing

We do not sell or rent user data. We share data only with the following categories of service providers, solely to operate Phylax:

  • Cloud infrastructure: Secure hosting and database providers for storing account data, safety rules, and event logs
  • Google Gemini API: Page content and AI prompts are sent for safety classification (no personal identifiers are included)
  • Stripe: Payment processing for subscriptions (Stripe receives billing information directly; we do not handle card details)

We may also disclose data if required by law or to protect the safety of a child.

All service providers are contractually obligated to maintain confidentiality and use data only for the services they provide to us.

7. Children’s Privacy

Phylax is designed as a parental supervision tool. Important details about how we handle children’s data:

  • All accounts are created and managed by parents or legal guardians. Children do not create accounts.
  • The extension is installed and paired by the parent. It cannot be activated without parent authorization.
  • We do not collect children’s names, email addresses, or other personal identifiers. Children are identified only by their device identifier.
  • Browsing activity data is collected for the sole purpose of child safety and is accessible only to the parent.
  • We do not knowingly collect personal information from children for any purpose other than safety monitoring as directed by the parent.
  • Parents can review, manage, and delete all data associated with their child’s device at any time through the dashboard.

8. Data Retention

We retain data only as long as necessary to:

  • Provide ongoing safety monitoring services
  • Display activity history and reports in the parent dashboard
  • Maintain account functionality
  • Comply with legal obligations

When a parent deletes a child’s device from the dashboard, all associated activity data, event logs, and alerts for that device are permanently deleted.

Parents may request deletion of their entire account and all associated data at any time by contacting us.

9. User Rights and Data Deletion

Parents have the right to:

  • Access all stored activity reports and safety alerts
  • Modify or remove safety rules at any time
  • Remove a paired device and delete all its associated data
  • Request a complete export of their data
  • Request permanent deletion of their account and all associated data

To exercise any of these rights, contact: kyrispirosv@gmail.com

Deletion requests will be processed within 30 days.

10. Chrome Extension Permissions

The Phylax Chrome extension requests the following permissions, each used exclusively for child safety functionality:

  • Host access (all URLs): Content scripts run on all websites to analyze page content, enforce blocking rules, and track screen time across the entire web
  • Storage: Stores safety rules, device credentials, and activity logs locally for offline enforcement
  • Declarative net request: Blocks restricted domains at the network level before pages load
  • Tabs: Reads active tab URLs to apply the correct safety rules and associate events with browsing context
  • Web navigation: Detects page navigations early to block harmful content before it renders
  • Idle: Detects when the device is idle to pause screen time tracking for accurate reports
  • Scripting: Enables runtime content script injection for dynamic rule enforcement
  • Alarms: Schedules periodic tasks such as policy sync, heartbeat pings, and event uploads

No permissions are used for advertising, profiling, or any purpose outside of child safety. The extension does not inject ads, modify search results, or track users for marketing.

11. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will update the effective date at the top of this page. We encourage parents to review this policy regularly.

12. Contact

For questions regarding privacy, data practices, or to exercise your data rights: