Legal

Privacy Policy

Effective May 4, 2026  ·  Extension version 2.0.0

This privacy policy explains what data the Chameleon: Adaptive Accessibility Chrome extension does and does not collect, where it goes, and how it is used.

The short version

  • We do not collect, transmit, or sell any personally identifiable information about you.
  • We do not track your browsing history.
  • We do not run analytics, telemetry, or third-party trackers.
  • The extension reads page content only on your device to apply your accessibility preferences.
  • Your preferences are stored locally and optionally synced to your account if you sign in.
  • One optional feature — AI image descriptions — sends individual image data to Google's Gemini API on demand only.

Data the extension stores locally

The following data is stored on your device using the Chrome extension storage APIs (chrome.storage.local and chrome.storage.session). It never leaves your device unless you sign in to the Chameleon website (see "Account sync" below).

| Data | Purpose | Where stored |
| --- | --- | --- |
| Your accessibility preferences (font size, contrast, dyslexia mode, cursor color, etc.) | Apply your settings to every site you visit | chrome.storage.local |
| Whether the extension is enabled | Honor your global on/off toggle | chrome.storage.local |
| A random anonymous local ID (e.g. user-1745236341832) | Distinguish your local install for preference syncing — not tied to any external identifier | chrome.storage.local |
| Hub URL + user token (only if you sign in) | Sync preferences with your Chameleon account | chrome.storage.local |
| Cached AI image descriptions | Avoid re-querying Gemini for the same image | In-memory only (cleared on tab close) |

You can clear all stored data at any time by removing the extension from chrome://extensions.

Data the extension reads from web pages

To apply accessibility transformations, the extension reads:

  • Page DOM and styles — needed to identify text nodes, interactive controls, and elements to adapt (enlarge buttons, swap fonts, adjust contrast).
  • Image element data — only when you actively hover over an image to request an AI description.
  • Computed styles — to check whether the current site already meets your preferences before overriding anything.

This reading happens entirely inside your browser. The extension does not transmit page content, URLs, browsing history, form data, or input values anywhere — with the single exception below.

The one external request: Gemini AI image descriptions

This feature is OFF by default. It only runs after you enable the "AI alt text" toggle under Low Vision in your dashboard settings.

When the toggle is on and you hover over an image, the extension sends only the bytes of that single image to Google's Gemini API (generativelanguage.googleapis.com) along with our shared API key. Google's Gemini terms apply to that request; please review their generative AI privacy policy.

We do not send: the URL of the page you are on, the text content of the page, other images on the page, or any identifier tied to you.

This feature can be disabled by removing the extension or by not hovering over images. No image data is sent automatically — only when you actively trigger the feature.

Dashboard AI search bar — disability descriptions, voice input, and recommendation generation

This feature is OFF by default and gated behind explicit consent. The Chameleon Hub dashboard includes an AI search bar where you can describe (in writing or by voice) the accessibility challenges you experience, and Chameleon will recommend a corresponding set of preference settings. Because what you say or type may include health- and disability-related information, we treat this as special-category personal data under GDPR Article 9 and require your explicit, opt-in consent before any data leaves your device.

The first time you focus the search bar, a consent banner appears in the corner of the screen explaining what will be processed and asking you to choose between:

  • "Continue with AI" — your description is sent to the third parties listed below, and a recommendation is generated.
  • "No, configure manually" — nothing is sent to any external service. You configure preferences using the Profiles toggles instead. The AI search bar is disabled until you change your mind.

Where the data goes if you opt in:

  • Voice audio (only if you click the microphone button) is uploaded to Deepgram for speech-to-text transcription. The audio is kept only long enough to return a transcript and is not used to train Deepgram's models per their data-processing terms. We do not store the audio ourselves.
  • Your text description (typed, or returned from the Deepgram transcription above) plus the names of any accessibility conditions you've already enabled is sent to Google's Gemma generative-language API (generativelanguage.googleapis.com). Google's Gemini API additional terms and privacy policy govern Google's handling of that prompt. On Google's free API tier, prompts may be retained and used to improve their models. If this matters to you, decline AI and configure manually.
  • Only the resulting recommendation (a structured list of preference flags — never the raw description, never the audio) is saved to your Chameleon account in our Supabase database, so your preferences sync across devices.

Your right to withdraw consent. Under GDPR Article 7(3), you may withdraw your consent at any time, and withdrawal is as easy as giving consent. To withdraw:

  • In your browser, open the dashboard, open developer tools, and clear the chameleon_ai_consent entry from localStorage for this site, or
  • Clear all site data for the dashboard via your browser's privacy settings.

After withdrawal the consent banner reappears the next time you interact with the search bar, and you can choose again. Withdrawal does not affect the lawfulness of any processing that took place while consent was active.

What we do not do: we do not log, store, or redistribute the raw description text or audio; we do not retain transcripts; we do not pass disability information to advertising networks, analytics providers, or other third parties beyond Deepgram (audio) and Google (text), each for the strictly limited purpose described above.

Data controller: Chameleon — see contact details at the bottom of this policy. Legal basis: consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)).

Account sync (optional — only if you sign in)

If you create an account on the Chameleon website (the Chameleon Hub) and sign in, only your accessibility preferences are synced to your account so they follow you across devices. This sync uses Supabase (a hosted Postgres service) over HTTPS. The data synced is the same preferences listed in the table above — no browsing data, no page content.

If you do not sign in, no data ever leaves your device (other than the on-demand Gemini image-description requests described above).

You can stop syncing at any time by signing out via the extension's options page.

What we do NOT collect

Explicitly, the extension does not collect, log, transmit, or share:

  • Your browsing history or list of visited sites
  • The content of any page you visit (text, headings, links)
  • Form data, passwords, search queries, or anything you type
  • Cookies or session tokens from sites you visit
  • Your name, email, IP address, or any contact information
  • Analytics events, pageviews, click-tracking, or "telemetry"
  • Camera, microphone, or hardware sensor data

Earlier versions of this extension included a runtime accessibility-violation telemetry feature; all telemetry has been removed in version 2.0.

Permissions the extension requests, and why

| Permission | Why we need it |
| --- | --- |
| storage | Save your accessibility preferences locally |
| sidePanel | Provide the extension's preference dashboard via the Chrome side panel |
| scripting | Inject the styling adapter into pages so preferences apply everywhere |
| offscreen | Reserved for future hardware-input features (currently unused) |
| <all_urls> host permission | Required because the extension's purpose is to adapt the appearance of any website you visit. We read page DOM only to apply your accessibility settings — we never transmit page contents off your device. |
| generativelanguage.googleapis.com host permission | Send images to Google's Gemini API when you request an AI description |

Children's privacy

Chameleon is not directed at children under 13. The extension does not knowingly collect personal information from children. (And in fact, it does not knowingly collect personal information from anyone.)

Disclaimer (no warranty / not a medical device)

Chameleon is provided "as is" and "as available", without warranty of any kind, express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, accuracy, and non-infringement. Use of the extension and the Chameleon Hub is at your own risk.

Chameleon is not a medical device and is not certified assistive technology. It is a general-purpose accessibility-adaptation tool. It is not intended to diagnose, treat, cure, or prevent any condition; nor to replace screen readers, switch-control systems, or any other device, software, or service that has been certified for clinical, regulatory, or disability-accommodation purposes. Users who depend on certified assistive technology should continue to use it.

To the maximum extent permitted by law, the developers of Chameleon disclaim all liability for any direct, indirect, incidental, special, consequential, or exemplary damages arising out of or in connection with your use of, or inability to use, the extension or the Chameleon Hub.

Changes to this policy

If we ever change what data the extension collects or how it is used, we will update this policy and, where the change materially affects existing users, publish a notice in the next extension release notes. Continued use after a change indicates acceptance of the updated policy.

Contact

Questions or concerns about this policy? Email extchameleon@gmail.com. You can also report security issues at the same address.