Privacy Policy
This Privacy Policy describes how Satori Factory ("we", "us") collects, uses, stores, and shares information when you use the AI Auto Reply Chrome extension and the related online service (collectively, the "Service"). By installing the extension or signing in to the online service, you agree to the practices described here.
1. Who we are
AI Auto Reply is operated by Satori Factory, Japan. For any privacy-related question or request, contact us at satori-privacy@satorifactory.jp.
2. What the Service does
The Service provides an AI assistant that turns short notes into polished email replies inside Gmail and Outlook on the web. Two operating modes are offered:
- Bring Your Own Key (BYOK): You provide your own API key for an AI provider (OpenAI, Anthropic, Groq, OpenRouter, or any OpenAI-compatible endpoint you configure). Your messages are sent directly from your browser to that provider. We never receive your key or your messages.
- AI Auto Reply (managed): You sign in with your email. Your draft is sent to our server, which forwards it to an AI provider on your behalf using a server-managed API key.
3. Information we collect
3.1 BYOK mode
In BYOK mode, the extension stores the following only on your device (Chrome's local storage, which Google may sync across devices on your Google account):
- Your AI provider endpoint URL and API key
- Your selected model and system prompt
- UI preferences (theme, button style, language)
We do not receive or transmit any of this data in BYOK mode. Your AI prompt and response travel directly between your browser and the AI provider you chose.
3.2 Managed mode
If you sign in to the managed service, we collect and store the following on our servers (located in Japan):
- Email address — required for one-time-password (OTP) sign-in.
- Account profile — your plan, daily usage counter, and how you signed up (e.g. self-signup, invite code).
- Authentication tokens — short-lived session tokens that let you stay signed in. Access tokens expire within an hour and rotate automatically.
- Usage logs — per-request metadata only: timestamp, model used, provider name, and token counts. Email body and AI responses are NOT stored.
- IP address (transient) — used during sign-up rate limiting. Retained for at most one hour, then purged.
3.3 Email content
When you press "AI Rewrite", the extension reads the email currently open in your inbox and the bullet-point draft you typed, and sends them as part of the AI prompt. In managed mode this text passes through our server on its way to the AI provider.
We do not persist email content. Our server processes the prompt in memory, forwards it to the AI provider, returns the reply, and discards the conversation. Only the metadata listed in §3.2 (model, token counts, timing) is recorded.
3.4 Bot protection (sign-up only)
Sign-up forms use Cloudflare Turnstile to block automated registrations. Cloudflare may process a Turnstile interaction token and request metadata according to its own Privacy Policy.
4. How we use your information
- To generate AI email replies on your request.
- To authenticate you and protect your account.
- To enforce per-plan daily and per-minute usage limits.
- To investigate abuse, fraud, or violations of our Terms.
- To debug and improve the Service using aggregated metrics only.
We do not use your data to train AI models, sell it to third parties, or build advertising profiles.
5. Who we share data with
5.1 AI providers
When you trigger an AI Rewrite, the prompt (containing your email content and draft notes) is sent to the AI provider that powers the model you selected (or, in managed mode, the model assigned to your plan). The current providers are:
These providers process the request under their own terms. In managed mode we use the providers' standard API tier and do not opt your prompts into provider-side training. In BYOK mode, the data-handling terms of your account with the provider apply.
5.2 Service providers
We rely on a small set of infrastructure providers to operate the Service:
- Supabase — database, authentication, and serverless functions (Tokyo region).
- Vercel — hosting of the static landing and sign-in pages.
- Cloudflare — Turnstile bot protection on sign-up.
- Sakura Internet — outbound transactional email (sign-in codes, invitations).
We do not sell or rent your data to any third party. We may disclose information when legally compelled (subpoena, court order) or where strictly necessary to protect the Service from fraud or abuse.
6. Permissions used by the extension
| Permission | Why |
|---|---|
| storage | Save your settings (and, in managed mode, your sign-in token) on your device. |
| sidePanel | Show the AI rewrite UI in Chrome's side panel. |
| Host access to mail.google.com and Outlook on the web | Read the email currently open in your inbox so it can be used as context for the rewrite. The extension does not send emails on your behalf. |
7. Data retention and deletion
- BYOK mode: data is stored only in your own Chrome profile. You can delete it any time by removing the extension or by clearing settings on the Options page.
- Managed mode:
  - Account profile and usage logs are retained while your account is active.
  - Sign-in tokens are short-lived and rotate automatically.
  - To delete your account and all associated data, email satori-privacy@satorifactory.jp from the address you registered with the Service. We will permanently delete your account within 14 days, unless retention is legally required.
8. Security
- All network traffic is encrypted with HTTPS/TLS.
- Sign-in tokens are short-lived and rotate automatically.
- In managed mode, server-side AI provider keys are stored encrypted at rest and are never returned to the browser.
- Database access controls ensure that one user cannot read another user's data.
No system is perfectly secure. If you believe your account or data has been compromised, contact us immediately at the address above.
9. Your rights
You may, at any time:
- Access the data we hold about you (email us).
- Correct inaccurate data.
- Request deletion of your account and data.
- Withdraw consent and stop using the Service (uninstall the extension).
- Lodge a complaint with a relevant data protection authority (e.g. the Japan PPC).
10. Children
The Service is intended for business email use and is not directed at children under 16. We do not knowingly collect personal information from children.
11. Changes to this Policy
We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any change. Material changes will also be announced through an update to the extension or via your registered email address.
12. Contact
Questions, concerns, or requests: satori-privacy@satorifactory.jp.
13. Limited Use disclosure (Google API Services)
Although AI Auto Reply does not call Google APIs server-side, the extension reads the email currently displayed in your Gmail tab in order to generate a reply. Our use and any transfer of information received from Google services adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use this information only to provide the user-facing feature you requested (turning your draft notes into a polished reply).
- We do not transfer this information to any third party other than the AI provider you (or, in managed mode, your administrator) selected, and only for the purpose of generating that reply in real time.
- We do not use this information for advertising, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read this information, except (a) with your explicit consent, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the information has been aggregated and anonymized.
- We do not retain email content beyond the in-memory processing of the request — see §3.3.