Last updated: April 2026
We built ThouShaltNotClick to protect people, not to exploit them. Your email content never leaves your browser. Your AI conversations are never seen by us. We use zero third-party trackers. We will never sell your data to anyone, ever. This isn't a legal loophole – it's a promise from one Catholic community to another.
| Data | Why | Stored Where |
|---|---|---|
| Name & email | Your account | Our server (Supabase) |
| Password | Authentication | Bcrypt hash only – we never see your password |
| Simulation results | Track if you caught or clicked the phishing test | Our server |
| Training progress | Know which courses you completed | Our server |
| Extension install status | Help admins see who has protection active | Our server (yes/no + last seen) |
| Etiquette stats | Track your please/thank you counts | Your device only |
When you open an email in Gmail, our extension analyzes it for phishing indicators using a local analysis engine (analyzer.js) that runs entirely inside your browser. The email content is never transmitted to our servers or any third party. The trust score, findings, and recommendations are all computed on your device.
When you visit an AI tool (ChatGPT, Claude, Gemini, etc.), the etiquette checker monitors your prompts for politeness indicators like "please" and "thank you." This analysis runs 100% in your browser. Your actual prompts and conversations are never recorded, transmitted, or stored. Only aggregate counts (e.g., "said please 12 times") are kept in your browser's local storage on your device.
When you manually scan a suspicious URL, that URL is sent to our server for real-time threat analysis – similar to how Google Safe Browsing works in every web browser. The URL is processed immediately and never stored, logged, or associated with your account. No page content, browsing history, or personal data is included.
We use zero third-party analytics, advertising, or tracking tools. No Google Analytics. No Facebook Pixel. No Mixpanel, Amplitude, Segment, HotJar, PostHog, or Sentry. No ad networks. No data brokers. Our code has been audited to confirm this. You can verify it yourself – our privacy commitments are embedded directly in the source code of every file in the Chrome extension.
For schools using ThouShaltNotClick, we store organizational data necessary to run phishing simulations and training: staff rosters (name, email, role), campaign results, and training completion records. This data is accessible only to authorized school administrators and is never shared with other schools, organizations, or third parties.
Organization-wide benchmarking (e.g. Diocese-wide) uses anonymized, aggregated statistics only – click rates and catch rates averaged across schools. No individual staff member's data is ever visible to other schools or the parent organization.
You can request complete deletion of your account and all associated data at any time by contacting us. School administrators can remove staff members from their roster, which removes their simulation and training data. Etiquette checker data is stored locally on your device and can be cleared by removing the Chrome extension.
ThouShaltNotClick is designed for adult staff, teachers, and parents – not students. We do not knowingly collect personal information from children under 13. The Chrome extension is intended for use by adults managing school cybersecurity, not by students.
Questions about our privacy practices? Email us at privacy@thoushaltnotclick.com
"Whatever you did for one of the least of these brothers and sisters of mine, you did for me." – Matthew 25:40
We treat your data with the same dignity we owe every person.