Privacy Policy

Introduction

Leif ("we", "our", "us") operates the Leif ESG Checker browser extension and the shopleif.com website (collectively, the "Service"). This Privacy Policy comprehensively describes what user data we collect, how we use and store it, the third parties we share it with, and how you can request deletion. It applies to both the extension and the website.

If you do not agree with any part of this policy, please uninstall the extension and discontinue use of the website.

1. Information We Collect

1a. Information collected by the extension

When the extension is active on a supported page (currently Amazon product pages on amazon.com and its subdomains), it processes the following data from the page you are viewing in order to look up sustainability information for that product:

• Amazon product identifier (ASIN): The 10-character product code parsed from the page URL (e.g., B08N5WRWNW).
• Canonicalized product URL: The product URL normalized to https://www.amazon.com/dp/<ASIN>.
• Product title: The product title text read from the Amazon page DOM.
• Brand name: The brand or "Visit the Store" text read from the Amazon page DOM.
• Breadcrumb category: The product category breadcrumb text read from the Amazon page DOM.

This data is sent to our backend (Google Firebase / Google Cloud Functions) so we can return an ESG score and supplier information for the product. We do not read other parts of the page, send your full browsing history, capture form contents, or activate on non-Amazon pages.

The extension also stores a small amount of data locally on your device using Chrome's chrome.storage.local API. This local data is not transmitted to our servers:

• Saved cart items you add via the "Save to Cart" button (product title, URL, image, price, score). The cart lives only in your browser's extension storage and is not synced to our servers.
• A copy of your signed-in account identifier (username or email) so that the extension's background service worker and content script know who you are while you browse. This identifier is removed when you sign out of the extension.

All other user data tied to your account — including your customized ESG scoring weights, sub-weight breakdowns, onboarding and tutorial completion state, survey responses, and "About You" profile fields — is stored in Google Cloud Firestore (see Section 3), not on your device.

1b. Information collected by the website (shopleif.com)

• Account information: If you create an account, we collect your email address (required) and any optional profile information you provide. Passwords are handled by Firebase Authentication and are never stored or transmitted to us in plain text.
• Saved preferences: Selected ESG scoring weights, sub-weight breakdowns, onboarding and survey responses, and other preferences you set in your profile. (Note: the extension's "Save to Cart" list is stored only in your browser's local extension storage; it is not synced to your shopleif.com account.)
• Search queries: Product and brand searches you perform on the site or in the extension.
• Anonymous usage analytics: Page views, button clicks, feature interactions, and a randomly generated anonymous visitor identifier and session identifier. If you are signed in, these events are also associated with your user ID.
• Server logs: Standard request metadata logged by our hosting/backend providers, including IP address, user-agent string, request timestamp, and the path requested. These logs are used for security, abuse prevention, and operational diagnostics.

1c. Information we do NOT collect

• We do not collect browsing history from sites other than Amazon product pages.
• We do not read or store form contents, passwords, payment information, or other sensitive page content.
• We do not use third-party advertising trackers, retargeting pixels, or cross-site tracking cookies.
• We do not sell user data to anyone.
• We do not access your Amazon account, order history, or payment methods.

2. How We Use Your Information

We use the data described above only for the following purposes:

• To look up and display ESG/sustainability data for the Amazon product you are viewing.
• To authenticate you and persist your account and preferences across devices.
• To power product and brand search on the website and within the extension.
• To generate AI-assisted ESG summaries for brands and suppliers (see Section 4).
• To monitor service health, prevent abuse, and improve the product based on aggregated usage patterns.
• To respond to support, feedback, and privacy requests you send us.

We do not use your data for advertising, profiling, or sale to third parties.

3. How and Where We Store Your Data; Retention

• Account data and saved preferences are stored in Google Cloud Firestore (Google Cloud Platform, primary region: us-central1, United States) and protected by Firestore security rules that restrict reads and writes to the authenticated owner.
• Authentication credentials are managed by Firebase Authentication (Google Cloud Platform).
• Server and request logs are stored by Google Cloud Logging and retained for up to 30 days, after which they are automatically deleted.
• Anonymous analytics events are stored in Cloud Firestore in append-only collections and retained for up to 24 months for trend analysis.
• Locally stored extension data (cart items and a copy of your signed-in account identifier) lives only on your device until you remove the extension or clear browser storage.
• Account data is retained until you delete your account, after which it is removed within 30 days from active databases (and may persist briefly in encrypted, rotating backups before being purged).

All data in transit between your browser, the extension, and our backends is encrypted with HTTPS/TLS.

4. Third Parties We Share Data With

We share specific data with the following service providers solely to operate the Service. We do not sell or share user data with advertisers, data brokers, or any party not listed below.

• Google Firebase / Google Cloud Platform (Authentication, Cloud Firestore, Cloud Functions, Cloud Logging, Hosting). Receives: account credentials, profile data, saved preferences, ESG lookup requests (including ASIN, product URL, title, brand, breadcrumb category), search queries, anonymous analytics events, and server log metadata (including IP address). Subject to the Firebase Privacy Policy and the Google Cloud Privacy Notice.
• Algolia, Inc. (search index hosting). Receives: search queries you type, and the content of our product/brand index. Subject to the Algolia Privacy Policy.
• Anthropic, PBC (Claude AI models, used server-side via our Cloud Functions to generate ESG summaries). Receives: brand names, supplier names, and product titles for which we are generating sustainability summaries. Receives no account identifiers, email addresses, or personal user data. Subject to the Anthropic Privacy Policy.
• Rainforest API (Traject Data, LLC) (Amazon product data enrichment, used server-side). Receives: ASINs and product URLs for which we are fetching public product information (price, ratings, images, description). Subject to the Traject Data Privacy Policy.
• Amazon Associates Program (Amazon.com, Inc.). Outbound product links may include an Amazon Associates affiliate tag; if you click and make a purchase, Amazon attributes the click. Amazon does not share your purchase details with us beyond aggregated commission reports. Subject to the Amazon Privacy Notice.
• GitHub, Inc. (static hosting for shopleif.com via GitHub Pages). Receives: standard web request metadata for the website (IP address, user-agent, request path) via standard HTTP serving logs.
• Vercel Inc. (planned static hosting for migrated extension page surfaces). To the extent Vercel hosts pages you visit, it receives standard web request metadata (IP address, user-agent, request path). Subject to the Vercel Privacy Policy.

We do not use Google Analytics, Google Tag Manager, Segment, Mixpanel, Amplitude, Sentry, Facebook/Meta pixels, or any other third-party analytics or advertising SDK in the extension or website at this time. If we add any such service in the future, this policy will be updated and the change disclosed.

5. AI-Generated Content

Some sustainability summaries displayed in Leif are generated by AI models (Anthropic Claude) using publicly available information about brands, suppliers, and products. AI-generated content is intended for informational purposes only, may contain inaccuracies, and should not be relied on as the sole basis for purchasing or sustainability decisions. We do not send your account identifiers, email, or personal data to the AI provider — only brand/supplier/product names being summarized.

6. Affiliate Disclosure

Leif participates in the Amazon Services LLC Associates Program. Outbound product links from Leif to Amazon.com may include an affiliate tag, and Leif may earn a commission on qualifying purchases at no additional cost to you. Affiliate revenue does not influence our ESG scores, ratings, or recommendations — our scoring methodology is independent and based solely on publicly available ESG data. Prices and availability shown in Leif are sourced from third-party data and may not reflect real-time values; always verify final pricing on Amazon before purchase.

7. Your Rights and Choices

• Access: You can view the data associated with your account at any time by signing in and visiting your User Profile.
• Correction: You can edit your profile, preferences, and saved items directly from your User Profile page.
• Deletion (self-serve): Signed-in users can permanently delete their account and associated profile data using the "Delete Account" option on the User Profile page. This removes your authentication record and your /users/{username} Firestore document, and disassociates your prior anonymous analytics events from your user ID.
• Deletion (by request): If you cannot access your account, email loganfisher@leiftechnology.onmicrosoft.com from the address registered to your account. We will verify the request and delete your data within 30 days.
• Local data: To clear data stored locally by the extension on your device, remove the extension from Chrome (chrome://extensions) or use Chrome's "Clear browsing data" tool with extension storage selected.
• Withdraw consent: You may stop using Leif at any time by uninstalling the extension and, if applicable, deleting your account.

8. California Residents (CCPA / CPRA Rights)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you specific rights regarding your personal information.

Categories of personal information we collect, use, and disclose: As described in Sections 1 and 4 above, we collect identifiers (email address, account username, anonymous visitor ID, session ID, IP address from request logs), commercial information (saved cart items, product interactions), internet activity (Amazon product pages viewed while the extension is active, search queries, page views on shopleif.com), and inferences drawn from your selected ESG scoring weights. We disclose these categories to the service providers listed in Section 4 for the operational purposes described in Section 2.

Your CCPA/CPRA rights:

• Right to know what personal information we collect, use, disclose, and share.
• Right to delete personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising.
• Right to limit the use and disclosure of sensitive personal information.
• Right to non-discrimination for exercising these rights.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not sold or shared personal information for these purposes in the preceding 12 months.

To exercise any of these rights, use the self-serve deletion mechanism in Section 7 or email loganfisher@leiftechnology.onmicrosoft.com from the address registered to your account. We will respond within 45 days as required by law.

9. Users in the EEA, UK, and Switzerland (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation ("GDPR") and corresponding UK/Swiss data protection laws give you the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request that inaccurate or incomplete data be corrected.
• Right to erasure ("right to be forgotten") — request deletion of your data.
• Right to restriction of processing — request that we limit how we use your data.
• Right to data portability — receive your data in a structured, commonly used, machine-readable format.
• Right to object — object to processing of your data based on our legitimate interests.
• Right not to be subject to automated decision-making with legal or similarly significant effects (Leif does not engage in such automated decision-making).
• Right to lodge a complaint with your local supervisory authority.

Legal bases for processing: We process your data on the following bases: (a) your consent (when you create an account or enable optional features), (b) performance of a contract (to provide the Leif service you have signed up for), and (c) our legitimate interests in operating, securing, and improving the Service in a manner you would reasonably expect.

International transfers: Your data is stored on US-based infrastructure (Google Cloud Platform, primary region us-central1). For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the EU-US Data Privacy Framework (in which Google Cloud is a certified participant) and, where applicable, the European Commission's Standard Contractual Clauses.

Designated privacy contact: Logan Fisher — loganfisher@leiftechnology.onmicrosoft.com. We will respond to verified requests within 30 days as required by GDPR.

10. Children's Privacy

Leif is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.

11. International Users (Outside CCPA/GDPR Jurisdictions)

Leif is operated from the United States, and your data is stored on US-based infrastructure. By using Leif, you consent to the transfer and processing of your data in the United States, which may have data protection laws different from those in your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent change. Material changes will additionally be announced in the extension or via email to registered users.

13. Contact

For privacy questions, deletion requests, or any other concerns relating to this policy, contact:

Logan Fisher, Leif Technology
Email: loganfisher@leiftechnology.onmicrosoft.com
Or via our Contact page.