Privacy Policy
Hilo is a browser extension that gives you instant AI explanations for text you select on any web page. This policy explains, in plain language, what we collect, why, and how we protect it.
01 Who we are
Hilo is operated as a sole-proprietor side project by the developer based in France. The extension is published on the Chrome Web Store and Firefox Add-ons, and runs entirely in your browser — except for the API call that fetches your explanation, which goes through our backend on Cloudflare Workers.
02 What we collect
We collect the bare minimum required for the extension to work, and nothing more.
| What | When | Stored? |
|---|---|---|
| Selected text + surrounding paragraph | When you click the trigger button after selecting text | No — sent to Anthropic, response streamed back, not retained |
| Page title & URL | When you click the trigger button | No — used only as context for the explanation |
| Email address | When you sign in with a one-time code | Yes — to identify your account and quota |
| Usage counts (number of explanations) | On every successful explanation | Yes — to enforce daily limits |
| Display preferences (theme, language) | When you change them in the options page | Locally in your browser only |
We never collect: passwords, payment card data, browsing history, your selections (we don't keep a log), or telemetry about which sites you use Hilo on.
03 Why we use it
- Selected text & context — to generate an accurate, contextual explanation via Anthropic's Claude.
- Email — for one-time-code sign-in and to associate your account with a Pro subscription if you upgrade.
- Usage counts — to enforce the daily limit (10 free, 100 Pro) and prevent abuse of the API.
Legal basis under GDPR: contract performance (we can't generate an explanation without sending your selection to the model) and legitimate interest (preventing API abuse). For paid plans, also contract performance for billing.
04 Sub-processors
We use a small number of trusted services to operate Hilo. Each receives only the data strictly required for its role.
| Service | Role | Privacy policy |
|---|---|---|
| Anthropic | AI model (Claude) generating explanations | anthropic.com/privacy |
| Supabase | Authentication & user database | supabase.com/privacy |
| Cloudflare | Edge infrastructure hosting our API | cloudflare.com/privacypolicy |
| Polar | Payments & subscription management (Pro plan only) | polar.sh/legal/privacy |
05 Third-party data sharing
Your selected text and page context are transmitted to Anthropic's API to generate explanations. This happens server-side through our backend; our Anthropic API key is never exposed to the browser. Anthropic's API usage policies apply to this data; please consult their privacy policy for details on retention.
When you upgrade to Pro, your email address is shared with Polar to create a customer record and process payment. Polar handles all payment card data; we never receive or store your payment details.
We never sell, rent, or trade any data with third parties for advertising or marketing purposes.
06 Data retention
- Selected text & explanations — never stored. Forwarded to Anthropic and the response streamed back to you, then discarded.
- Account data (email, usage counts) — kept as long as your account exists. Deleted within 30 days of your account-deletion request.
- Payment records — retained by Polar for the period required by EU/national accounting law (typically 10 years).
07 Security
- All traffic to and from our backend is encrypted via HTTPS/TLS.
- JWTs are short-lived and stored only in your browser's local storage.
- Your Supabase password (if you set one) is hashed by Supabase, never seen by us.
- The extension contains no remote code, no eval, no externally hosted scripts.
- API keys (Anthropic, Polar) live only on the server; the extension never sees them.
08 Your rights (GDPR)
If you're in the EU, UK, or any region with similar protections, you have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Portability — receive your data in a machine-readable format.
To exercise any of these rights, email us at the address below. We respond within 30 days.
09 Contact
For privacy questions, data deletion requests, or any concerns about this policy:
We respond personally within 30 days, usually within a couple of working days.
10 Changes to this policy
We may update this policy occasionally. When we do, we update the "Last updated" date at the top of this page. For material changes (a new sub-processor, a change to what we collect), we'll also notify Pro users by email before the change takes effect.
Continued use of the extension after a change constitutes acceptance of the revised policy.