DCE Toolkit Extension - Privacy Policy

1. Introduction

This Privacy Policy explains how the DCE Toolkit Extension ("we", "our", "the extension", or "DCE Toolkit") collects, uses, stores, and protects your data when you use our browser extension. We are committed to ensuring the privacy and security of your data.

The DCE Toolkit Extension is designed to help identify and assist with RFI (Request for Information) questions on Procore construction management platform pages. The extension uses AI-powered assistance to help users respond to RFI questions more effectively.

2. Data We Collect

When you use our extension, we collect:

• Website Content: Text content from Procore.com web pages, specifically RFI questions and content from embedded forms and rich text editors (such as TinyMCE iframes). This includes the full text of RFI questions to provide contextual assistance.
• Web Navigation Data: URLs and page titles of Procore pages you visit, navigation events, and page load timing to identify when you're viewing an RFI page and optimize performance.
• User Interactions: Your chat messages, questions, feedback (including thumbs up/down ratings and comments), button clicks, and other interactions with the extension interface.
• Usage Analytics: Detailed information about how you use the extension, including:
  • Click events and button interactions
  • Chat session start/end events
  • Error events and debugging information
  • Performance metrics (response times, load times)
  • Extension version and browser information
  • WebSocket connection status and events
  • Authentication and consent events
  • Filter and settings changes
  • Knowledge base interaction events
• User Identifier: A randomly generated UUID (universally unique identifier) stored locally to associate your conversations, maintain session continuity, and provide personalized assistance.
• Consent Data: Your consent preferences and the version of the privacy policy you agreed to, stored locally in your browser.

Specific to Procore Integration: The extension specifically targets Procore.com domains and extracts content from rich text editors commonly used for RFI questions. It monitors for specific DOM elements with data attributes like 'data-qa="rfi-question"' to identify relevant content.

We do NOT collect:

• Personal information beyond what appears in the RFI content you're working with
• Login credentials, passwords, or authentication tokens
• Financial, payment, or sensitive business information unrelated to RFI content
• Content from non-Procore websites (the extension only activates on Procore domains)
• Private messages or communications outside of your interactions with the extension

3. How We Use Your Data

We use the collected data for the following purposes:

• RFI Detection and Analysis: We analyze page content from Procore to automatically identify when you're viewing an RFI question that our extension can help with, including parsing rich text editor content and iframe elements.
• AI-Powered Assistance: We process the content of RFI questions using AI services to provide relevant suggestions, context, and assistance in formulating comprehensive answers.
• Conversation Management: We store your chat conversations with the extension to provide conversation history, context for follow-up questions, and continuity across sessions.
• Feedback Processing: We collect and analyze feedback you provide (ratings, comments) about the extension's responses to continuously improve our AI models and response quality.
• Performance Monitoring: We track usage patterns, performance metrics, and error events to identify issues, optimize response times, and ensure reliable service delivery.
• Feature Enhancement: We use aggregated usage data to understand how users interact with the extension, which features are most valuable, and where improvements can be made.
• Authentication and Security: We use authentication events and session data to ensure secure access to the extension's features and prevent unauthorized usage.
• WebSocket Communication: We maintain real-time connections to provide immediate responses and updates to your queries.

Data Processing Location: Your data is processed using Amazon Web Services (AWS) infrastructure, primarily in the US-East-1 region, with secure transmission via HTTPS and WSS protocols.

We do NOT use your data for:

• Advertising, marketing, or promotional purposes
• Selling, renting, or sharing with third parties for commercial gain
• Creating user profiles for purposes unrelated to RFI assistance
• Training AI models on your specific business or project information without consent
• Any purpose not directly related to providing the extension's core RFI assistance functionality

4. Data Processing and Storage

Local Processing: Initial data processing occurs locally within your browser. The extension analyzes Procore page content directly on your device to detect RFI questions before any data is transmitted to our servers.

Cloud Storage and Processing: Certain data is transmitted to and stored in Amazon Web Services (AWS) infrastructure:

• Amazon DynamoDB: Stores conversation history, chat messages, user feedback, and session data with automatic encryption at rest
• AWS CloudWatch RUM (Real User Monitoring): Collects and stores usage metrics, performance data, error events, and analytics with data retention policies
• WebSocket Services: Facilitates real-time communication between the extension and our AI services for immediate response delivery
• AI Processing Services: RFI content is processed by AI services to generate contextual assistance and suggestions

Data Retention Policies:

• Conversation Data: Chat conversations and RFI content are stored for up to 60 days, after which they are automatically deleted from our systems
• Usage Analytics: Performance metrics and usage data may be retained for up to 12 months in aggregated form for service improvement purposes
• Error Logs: Error events and debugging information are retained for up to 90 days to facilitate issue resolution
• Consent Records: Your consent preferences are stored locally in your browser and are not transmitted to our servers

Data Security: All data transmission uses industry-standard encryption (HTTPS/TLS for API calls, WSS for WebSocket connections). Data stored in AWS services is encrypted at rest using AWS-managed encryption keys.

5. Data Sharing

We do not sell, rent, or share your data with any third parties except as described below:

AWS Services: Your data is stored and processed using Amazon Web Services (AWS), including DynamoDB and CloudWatch. These services are subject to AWS's privacy policy and security practices.

Legal Requirements: We will only share information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

6. Your Rights and Choices

You have several rights and choices regarding the collection and use of your data:

• Consent Management: Before the extension collects any data from Procore pages, you will be presented with a consent dialog explaining what data will be collected. You must actively consent before any data collection begins.
• Disable the Extension: You can disable or uninstall the extension at any time through your browser's extension management interface (chrome://extensions/). This will immediately stop all data collection.
• Data Access: You can request access to the personal data we have collected about you by contacting us at the email address provided below.
• Data Deletion: You can request deletion of your conversation data and personal information by contacting us. Note that some data may be retained in aggregated, anonymized form for service improvement purposes.
• Data Portability: You can request a copy of your conversation data in a machine-readable format.
• Withdraw Consent: You can withdraw your consent at any time by disabling the extension or contacting us directly. This will not affect the lawfulness of processing based on consent before its withdrawal.
• Browser Controls: You can use your browser's privacy settings to control how the extension accesses website content and stores local data.

7. Security Measures

We implement comprehensive technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:

Technical Safeguards:

• Encryption in Transit: All data transmitted between the extension and our servers uses HTTPS/TLS encryption for API calls and WSS (WebSocket Secure) for real-time communications
• Encryption at Rest: Data stored in AWS services (DynamoDB, CloudWatch) is encrypted at rest using AWS-managed encryption keys
• Access Controls: Strict access controls and authentication mechanisms protect our systems and your data
• Network Security: Our AWS infrastructure includes firewalls, intrusion detection, and other network security measures

Organizational Safeguards:

• Limited Access: Only authorized personnel have access to systems containing personal data, and access is granted on a need-to-know basis
• Regular Audits: We conduct regular security audits and assessments of our data handling practices
• Incident Response: We have procedures in place to detect, respond to, and notify users of any security incidents
• Data Minimization: We collect and retain only the data necessary for the extension's functionality

AWS Security: Our use of AWS infrastructure provides additional security benefits including AWS's compliance with SOC, ISO 27001, and other security standards.

Breach Notification: In the unlikely event of a data breach that affects your personal information, we will notify you promptly and provide information about the incident and steps being taken to address it.

8. Extension Permissions Explained

The DCE Toolkit Extension requests several permissions to function properly. Here's what each permission is used for:

• Access to all websites ("<all_urls>"): Required to detect and analyze RFI content on Procore pages and to provide the extension functionality across different Procore subdomains and environments
• Storage: Used to store your conversation history, user preferences, consent status, and extension settings locally in your browser
• Scripting: Enables the extension to analyze page content, detect RFI questions in rich text editors, and inject the side panel interface
• Tabs: Allows the extension to detect when you navigate to RFI pages and manage the extension's activation state
• Side Panel: Provides the main interface for interacting with the AI assistant and viewing conversation history
• Identity: Used for authentication and user identification to maintain conversation continuity
• Management: Enables self-uninstall functionality and extension lifecycle management
• Web Navigation: Monitors page navigation to detect when you move between RFI pages and reset the extension state appropriately

Permission Justification: These permissions are necessary for the extension's core functionality of detecting RFI content and providing AI assistance. The extension only actively processes content on Procore domains, despite having broad permissions for technical compatibility reasons.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes to this policy, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you through the extension interface with a prominent notice
• For significant changes, request renewed consent through the extension's consent mechanism
• Provide a summary of key changes when practical

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your data. Continued use of the extension after the posting of changes constitutes your acceptance of such changes, unless the changes require explicit consent under applicable law.

Version History: This privacy policy may be updated to reflect new features, changes in data handling practices, or legal requirements. Previous versions will be archived and available upon request.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: dce-toolkit-extension-team@amazon.com

Response Time: We aim to respond to privacy-related inquiries within 30 days of receipt.

Data Subject Requests: For requests related to accessing, correcting, or deleting your personal data, please include:

• Your request type (access, correction, deletion, etc.)
• The approximate time period of your extension usage
• Any specific data or conversations you're inquiring about
• Your preferred method of response

Technical Support: For technical issues with the extension that are not privacy-related, please use the feedback mechanism within the extension interface.