Privacy Policy

RedactFlow — Local PDF Privacy Tool · v1.1

Last updated: May 2026

RedactFlow is a Chrome extension built by PixelForgeHub(Yogesh Nichal). This policy explains exactly what data the extension touches, what stays on your device, and what (optionally, with your explicit action) is transmitted to third-party LLM providers via the Pro “Bring Your Own Key” AI feature.

Summary in 30 seconds

• Your PDFs never reach a PixelForgeHub server — because PixelForgeHub has no servers for this extension. All PDF processing happens locally in your browser using bundled libraries (pdf-lib, PDF.js).
• No telemetry, no analytics, no tracking by RedactFlow at any point.
• BYOK AI is opt-in.If you enable the optional Pro “AI Auto-Detect PII” feature, you bring your own API key for OpenAI, Google Gemini, or Anthropic Claude. The page's plaintext is sent directly from your browser to your chosen provider — never through PixelForgeHub. If you don't enable this, RedactFlow makes zero network calls.
• Forensic mode is destructive by design. Pages are rasterized to images so the underlying text cannot be recovered. This happens entirely in your browser.

How PDFs Are Handled

• You click Open PDF and select a file via the standard browser file picker.
• The PDF is read in-memory using the bundled pdf-lib (MIT-licensed) and PDF.js (Apache-2.0-licensed) — both shipped inside the extension package. No CDN fetch, no remote download.
• When you place a redaction box (by clicking text, dragging a rectangle, using Find & Redact, or accepting an AI detection), the geometry is stored only in browser memory and (if you enable session persistence) in chrome.storage.local on your device.
• When you click Download Redacted PDF, pdf-lib renders the modified PDF in-memory and offers it to you as a download via chrome.downloads.download(). The blob URL is in-memory only, revoked 60 seconds after the download finishes.
• At no point does the original PDF, the redacted PDF, or the redaction coordinates leave your browser to a PixelForgeHub server (we have none).

The BYOK AI Feature — Full Disclosure

v1.1 introduces an optional, opt-in, Pro-only AI auto-detect feature. This section explains exactly what happens.

Activation requirements (you must do all three)

1. Hold a valid Pro license key (format PFH-XXXX-XXXX-XXXX).
2. In Settings, select your AI provider (OpenAI, Google Gemini, or Anthropic Claude) and paste your own API key. The key is stored only in chrome.storage.local on your device.
3. Click the “✨ AI Auto-Detect PII” button on a specific PDF page.

What is transmitted

• The plain-text content of the currently-viewed PDF page, extracted via PDF.js getTextContent(). This is already plaintext at the moment of extraction — not the PDF binary, not an image, not metadata.
• A prompt listing PII categories to detect. The prompt is fully visible and customizable in the Settings panel (default categories: SSN, credit card numbers, email addresses, phone numbers, dates of birth, street addresses, full legal names). You can edit the prompt freely.
• Standard HTTP headers including your Authorization (OpenAI / Anthropic) or API key query parameter (Gemini).

What is NOT transmitted

• The PDF binary file
• Page images / rendered canvas
• Other pages of the document (only the currently-viewed page)
• Document metadata (author, dates, producer)
• Your IP address, browser fingerprint, or any RedactFlow-specific identifier
• Your API key to PixelForgeHub (the key never leaves your machine except in the user-initiated request to your chosen provider)

Who receives the data

The HTTP request goes directly from your browser to ONE of these endpoints (whichever you selected):

• OpenAI: https://api.openai.com/v1/chat/completions — governed by OpenAI's Privacy Policy and API data usage policies (OpenAI does NOT train on API data by default).
• Google Gemini: https://generativelanguage.googleapis.com — governed by Gemini API Additional Terms and Google's Privacy Policy.
• Anthropic Claude: https://api.anthropic.com/v1/messages — governed by Anthropic's Privacy Policy (Anthropic does NOT train on API data).

PixelForgeHub is not a party to these transmissions.We never receive, log, or process the page text. We never receive your API key. We never know that an AI call happened. The extension acts only as a thin client between your click and your chosen provider's API.

If you never enable AI

If you don't hold a Pro license, or hold a Pro license but never configure an API key, or hold a Pro license + key but never click the “AI Auto-Detect” button — no network calls of any kind happen. RedactFlow remains 100% offline.

Forensic Mode — How It Works

Forensic Mode (Pro, opt-in via Settings) replaces each redacted page with a high-resolution rasterized image. Step by step:

1. The page is rendered to a 3× scale canvas in your browser (approximately 216 DPI).
2. Redaction rectangles are painted onto the canvas as solid black or white pixels.
3. The canvas is converted to a PNG image.
4. A new pdf-lib document is created with the PNG embedded as a full-page image.
5. The original PDF's content streams, fonts, and text are discarded.

This all happens locally in your browser. The output PDF is image-only — text is unrecoverable even with pdftotext, raw stream analysis, or forensic PDF recovery tools. File size grows roughly 5×.

What We Store Locally

The following is saved in chrome.storage.local on your device only:

• Your chosen default color (black / white) and default tool (drag / text-select)
• Settings flags: confirm-before-download, embed SHA-256 hash, audit logging enabled
• Pro license key (if entered — local format check only)
• BYOK AI configuration (if entered): your selected provider, your API key, your customized detection categories prompt
• Session form values: last batch coordinates, reason code, watermark settings, batch find text, default mode/tool
• Local audit log (opt-in, default ON): timestamps + operation names (redaction placed, redaction moved, AI detected, batch redacted, page rotated, file opened, downloaded). The log includes SHA-256 hashes of opened/downloaded PDFs when the hash-embed setting is on.
• Whether you dismissed the upsell banner
• Language preference

The audit log does not contain PDF content, file paths, sticker text, or sensitive form data — only operation names + timestamps + file hashes (when enabled). All stored data is removed when you uninstall the extension.

SHA-256 Tamper-Evident Hashing

If enabled (Settings → “Embed SHA-256 hash + timestamp into PDF metadata”), RedactFlow computes a SHA-256 hash of the output PDF using the Web Crypto API (crypto.subtle.digest) and embeds it along with an ISO 8601 timestamp in the PDF's metadata. This is computed entirely in your browser using Chrome's built-in cryptography. The hash provides court-defensible tamper-evidence: any later modification of the redacted PDF will produce a mismatched hash.

Permissions Explained

• sidePanel: Renders the RedactFlow workbench (PDF viewer + redaction tools + find bar + AI detection results) as a persistent Chrome side panel.
• downloads: Saves the redacted PDF to your local Downloads folder via chrome.downloads.download(). This is the only way to deliver the output — without this permission the extension cannot give you the redacted file.
• storage: Saves your preferences, session values, audit log, and (if entered) license key and BYOK AI configuration locally in chrome.storage.local. Never synced to any cloud.

Host Permissions

None requested. RedactFlow declares no host_permissions in its manifest. It does not request access to any website. It does not inject content scripts on any page. It works exclusively with PDFs you explicitly open through the file picker.

CSP connect-src Whitelist

To enable the optional BYOK AI feature, the extension's Content Security Policy whitelists connect-src for these three exact endpoints:

• https://api.openai.com
• https://generativelanguage.googleapis.com
• https://api.anthropic.com

No other URLs can be contacted by the extension. The whitelist is required at the manifest level because Chrome restricts fetch() calls from extension pages by default. Listing the endpoints does not cause the extension to contact them — only a user-initiated AI detection click does that.

What We Do Not Do

• We do not collect analytics or telemetry of any kind.
• We do not require an account, sign-up, or login.
• We do not have servers that receive your PDFs — there is nowhere for them to go.
• We do not sell or share any user data with third parties (because we have no user data to share).
• We do not read or modify any website you visit. The extension does not interact with web content.
• We do not perform OCR or fingerprinting of PDF content.
• We do not transfer data for advertising, credit scoring, or any purpose unrelated to the extension's single function.
• We do not store your API key on any server, or proxy your AI requests through any service.

License Key

The Settings tab contains a license key field that unlocks Pro features (AI auto-detect, batch redaction, forensic mode, metadata scrub, no-watermark output). Validation is purely a local regex format check matching the pattern PFH-XXXX-XXXX-XXXX. The extension never contacts a license server. License keys are generated and emailed to you off-extension via Lemon Squeezy when you purchase a Pro license. That purchase interaction is governed by Lemon Squeezy's privacy policy, not ours.

HIPAA, GDPR, ABA Compliance Notes

Because RedactFlow does not transmit, store, or process PDF data outside the user's own browser, traditional data-processor frameworks do not apply — PixelForgeHub never becomes a data processor of your document content under HIPAA, GDPR, or CCPA.

If you enable the BYOK AI feature, the LLM provider you choose (OpenAI / Google / Anthropic) does become a data processor under their own terms. Their data handling, retention, and any required Business Associate Agreements are governed by your direct relationship with them — not by RedactFlow.

Attorneys remain responsible for their own ethical obligations under state bar rules and ABA Model Rule 1.6 (Confidentiality). RedactFlow is a tool for local PDF redaction; the attorney remains the data controller and confidentiality fiduciary.

Children's Privacy

RedactFlow is a professional tool not directed at children under 13. We do not knowingly collect personal information from anyone, including children.

Changes to This Policy

If we update this policy, the “Last updated” date at the top will change. Material changes — especially anything that would expand the BYOK AI feature's scope or add new transmission endpoints — will be announced in the extension's release notes on the Chrome Web Store and explicitly disclosed in a banner inside the extension UI before the change takes effect.

Contact

For questions about this policy or to report a privacy concern:

• Email: pixelforgehubai@gmail.com
• Website: pixelforgehub.pro
• Support: pixelforgehub.pro/support