Privacy Policy

Who We Are

BEAST — Making Life Elegant (“BEAST”, “the Extension”, “we”, “us”, or “our”) is a Chrome browser extension developed and maintained by Nextania Technologies Private Limited. This Privacy Policy governs all data handling practices associated with the Extension and our related services.

By installing or using BEAST — Making Life Elegant, you agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the Extension.

Scope of This Policy

This Privacy Policy applies to:

• The BEAST — Making Life Elegant Chrome Extension (version 1.6.0 and above, including v2.0.0)
• Our backend infrastructure at architectx2.nextaniatechnologies.workers.dev
• Our website at nextania.in
• All subscription and payment flows associated with BEAST

This policy does not apply to third-party services we integrate with (such as Cashfree or OpenAI), which maintain their own privacy policies linked in Section 7.

What We Collect

We collect the minimum data necessary to provide the Extension’s features. The table below details every category of data we handle.

What We Do Not Collect

• Your email content — We do not read, store, or scan your Gmail inbox. Email text is only processed when you explicitly press a BEAST action button.
• Browsing history — We do not track which websites you visit.
• Webpage content — We do not read, scrape, or transmit the content of any non-Gmail webpage you visit.
• Keystrokes or form data — We do not log anything you type outside of BEAST’s own sidebar.
• Cookies — We do not use cookies for tracking or analytics.
• Personal financial data — Payment processing is handled entirely by Cashfree. We never see your card details.
• Student personal data beyond the session — Student names and registration numbers entered during BEAST Quiz are never retained beyond seventy-five minutes and are never used for any purpose other than the live quiz session.

Trial Fingerprinting

When you install BEAST for the first time, our server creates a one-way cryptographic hash (SHA-256) of your IP address and browser user-agent string. This hash is used solely to prevent the same device from claiming multiple free trials. The raw IP address is never stored — only the irreversible hash. It expires automatically after 30 days.

Why BEAST Appears on Every Webpage

BEAST — Making Life Elegant injects a small floating button (✦) into every browser tab. We want to be fully transparent about why this is necessary and what it does — and does not — do.

Real Use Cases That Require Cross-Tab Presence

• Reading a job posting on LinkedIn or Naukri → opening Opportunity Radar to match it against your profile
• Visiting a client’s website → drafting a professional outreach email without switching tabs
• Reading a research paper → composing a cold email to the author
• Reviewing a competitor’s product page → generating a market intelligence brief
• Browsing any website → writing a LinkedIn post, blog draft, or business proposal via Beast Unleashed

What the Injected Button Does and Does Not Do

The host_permissions: <all_urls> permission is required for our chrome.scripting API to inject the sidebar UI into non-Gmail tabs. Without it, BEAST would be unusable on any website outside Google, defeating its core purpose as a browser-wide productivity companion.

Gmail Automation — Zero Data Storage, Verified by Code

The Complete Data Journey — Proven by Source Code

We believe transparency earns trust. Below is the actual source code from both the BEAST Chrome Extension (content.js) and the Nextania Cloudflare Worker — the complete chain from the moment you click to the moment your AI response appears. You can verify every line.

① Extension — Reading the Email content.js · checkEmail() + triggerAutoReply()

When you open an email, BEAST reads the subject line, sender, and up to 800 characters of body text from the Gmail DOM — only if auto-reply is enabled or you click an action button. This text lives exclusively in the browser’s memory and is never written to any storage.

// Reads email from Gmail DOM — on user action only.
// Text is held in browser memory. Never written to storage.
function checkEmail() {
  let emailBody = "";
  for (const s of ["div.a3s.aiL", "div[data-message-id] .ii.gt div"]) {
    const el = document.querySelector(s);
    if (el) { emailBody = el.innerText.trim().slice(0, 800); break; }
  }
  // Passed directly to callWorker() — never stored anywhere
  if (autoReply) triggerAutoReply(sender, subject, emailBody);
}

async function triggerAutoReply(sender, subject, body) {
  const sys = `You are an elite email assistant. Tone: ${tone}.
Write a reply. 3-5 sentences. Return ONLY the reply body.`;
  // Email text flows directly into callWorker() — no storage call
  currentDraft = await callWorker(sys,
    `From: ${sender}\nSubject: ${subject}\n\n${body}`);
  // currentDraft holds only the AI reply — displayed in sidebar
  render("draft", { mode: "reply", draft: currentDraft });
}

② Extension — Sending to Worker content.js · callWorker()

The email text is transmitted over HTTPS to our Cloudflare Worker — authenticated by your license key. No third-party service other than our Worker receives this data.

async function callWorker(sys, usr, maxTokens = 1000) {
  // Sent over HTTPS — license key authenticates the request
  const r = await fetch(WORKER_URL, {
    method: "POST",
    headers: {
      "Content-Type":           "application/json",
      "X-Nextania-License-Key": licenseKey,
    },
    body: JSON.stringify({
      agent: "beast_mailer",
      request_payload: { model: "gpt-4.1-mini", input: sys + usr }
    })
  });
  const d = await r.json();
  // Returns only output_text — the AI reply. Nothing else.
  return (d.output_text || "").trim();
}

③ Worker — Processing and Discarding ArchitectX2 Worker · /architect/v1/job

The Worker receives the request, validates your license, passes the text to OpenAI’s API, and immediately returns the AI response. The only data written to storage is the token count deducted from your quota — never the email content.

// ① Validate license — reject if inactive or expired
const status = await env.LICENSE_KV.get(`license:${licenseKey}:status`);
if (status !== "active") return json({ error: "License inactive" }, 403);

// ② Extract text from request — held only in memory
const { model, input, temperature, max_output_tokens }
  = body?.request_payload || {};

// ③ Pass to OpenAI — text leaves our system here
const oa = await fetch("https://api.openai.com/v1/responses", {
  method: "POST",
  body: JSON.stringify({ model, input, temperature, max_output_tokens }),
});

// ④ Extract AI reply text
const output_text = extractOutputText(data);

// ⑤ Only token count is stored — NEVER the email content
const used = Number(data?.usage?.total_tokens || 0);
await env.LICENSE_KV.put(
  `license:${licenseKey}:base_tokens_remaining`,
  String(remaining - used)  // quota deduction only
);

// ⑥ Return AI reply — request object is garbage collected
return json({ ok: true, output_text });

How We Use Your Data

License Key & Email

Used to validate your subscription on every AI request, deliver your license key after purchase, and communicate essential service updates. We do not send marketing emails without your explicit consent.

Career Profile Data

Stored locally on your device. Sent to our AI worker only when you click “Scan Opportunities Now.” Used solely to generate personalised job and opportunity matches. Never used for advertising or shared with third parties.

AI-Submitted Text

Text you type into BEAST’s sidebar is transmitted to our Cloudflare Worker, passed to the AI model, and the result is returned to you. This data is processed in real-time and is not stored, logged, or used for model training.

We Never

• Sell your data to any third party
• Use your data for advertising
• Share your data with data brokers
• Use your data to train AI models

Third-Party Services

BEAST integrates with the following third-party services. Each has its own privacy policy governing their data handling.

BEAST Quiz — Student Data & Privacy

BEAST Quiz is designed with student privacy as a first principle. The session data flow is as follows:

• Data entered: Student name and registration number only — entered voluntarily to join a live session. No email address is collected or stored.
• Storage: Held temporarily in Google Firebase Firestore solely to relay real-time session information between teacher and students.
• Deletion — Mechanism 1: Immediately and permanently deleted the moment the teacher downloads results (Quiz), ends the race (Race), or ends the Engage session — whichever comes first.
• Deletion — Mechanism 2: Automatically deleted after seventy-five minutes via a client-side cleanup timer, regardless of teacher action.
• Deletion — Mechanism 3: Firebase TTL (Time-to-Live) policy auto-deletes every session document server-side at exactly seventy-five minutes from creation — an independent server-enforced guarantee that operates even if the browser is closed.
• No retention: No student data is retained, exported, logged, or used for any purpose beyond the live session.

Verified by Code — Our Deletion Implementation

In the spirit of full transparency, the following is the actual deletion function from BEAST Quiz and the TTL timestamp field — both verifiable in our published extension source:

// Called on: teacher downloads results, ends race,
// ends session, or 75-minute auto-timer fires.
function deleteSessionData(sessionCode, raceCode, engageCode) {
  var ops = [];
  if (sessionCode) ops.push(deleteCollection("sessions", sessionCode));
  if (raceCode)    ops.push(deleteCollection("races",    raceCode));
  if (engageCode)  ops.push(deleteCollection("engage",   engageCode));
  return Promise.all(ops).catch(function() {});
}

// Every session document carries a server-enforced
// TTL timestamp — Firebase auto-deletes at 75 minutes.
expireAt: new FSTimestamp(new Date(Date.now() + 75 * 60 * 1000))

Data Retention

You may request deletion of your email and license data at any time by contacting nextaniatechnologies@gmail.com. We will action deletion requests within 30 days.

Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted via HTTPS/TLS
• License keys are validated via HMAC-signed request headers
• No sensitive data is stored in plaintext
• Our worker runs on Cloudflare’s enterprise-grade infrastructure
• Payment data never touches our servers — handled by Cashfree’s PCI-DSS compliant systems

If you believe you have discovered a security vulnerability, please contact us immediately at nextaniatechnologies@gmail.com.

Your Rights

Regardless of your location, you have the following rights with respect to your personal data:

Access

You may request a copy of the personal data we hold about you (email address and license key).

Correction

You may request correction of inaccurate data at any time.

Deletion

You may request deletion of your account data. Local data (career profile, preferences) can be deleted by uninstalling the Extension or clearing Chrome’s extension storage.

Portability

You may request your data in a portable, machine-readable format.

Opt-Out of Communications

You may opt out of non-essential communications at any time by emailing us.

To exercise any of these rights, contact nextaniatechnologies@gmail.com. We respond within 30 days.

Children’s Privacy

BEAST — Making Life Elegant is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at nextaniatechnologies@gmail.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page and, for material changes, notify you via the Chrome Web Store listing or a notice within the Extension.

Your continued use of BEAST — Making Life Elegant after any change constitutes acceptance of the updated policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us: