HumanStamp Privacy Policy

Last updated: June 21, 2026

HumanStamp is a Chrome browser extension that helps you voluntarily sign email drafts you have mostly typed yourself. This policy explains what information the extension handles and how.

Summary

HumanStamp runs only on Gmail and Outlook Web when you are composing email.
Your full email text is not uploaded to our servers.
When you sign a draft, only a SHA-256 hash of the message body is sent to our signing service.
Typing/paste tracking and draft metadata are stored locally in your browser.
HumanStamp requests only the storage permission plus host access to supported mail sites and our signing API. It does not request the tabs permission.

Information the extension accesses

While you use a supported compose editor, HumanStamp reads:

Message body text — to track typed vs pasted characters, determine eligibility, and insert or verify signatures.
Compose metadata — such as subject and recipient fields, used only to identify drafts locally.
Display name (optional) — if you set one in the extension popup, signatures appear as ✍ HumanStamped by Your Name. If left blank, signatures use ✍ HumanStamped only.

HumanStamp does not read your inbox, sent mail, contacts, or email content outside active compose/reply editors.

Information stored on your device

Storage	What is stored	Purpose
`chrome.storage.sync`	Optional display name	Sync your signature name across Chrome profiles where sync is enabled
`chrome.storage.local`	Typed/paste maps for recent drafts, compose session IDs	Restore eligibility when switching drafts or refreshing

Local draft data is kept for up to 64 recent drafts and is removed when you uninstall the extension or clear extension data.

Display name and draft provenance are read and written by the background service worker. Content scripts on mail pages request your display name through extension messages rather than accessing storage directly.

Information sent to our servers

When you click Add Signature, the extension sends a request to https://human-stamp.vercel.app/api/v1/sign containing:

A SHA-256 hash of your normalized message body (signature excluded)
A timestamp and version fields required by the signing format

It does not include your full email text, recipient addresses, subject lines, account identifiers, passwords, or display name.

Information we do not collect

We do not sell personal data.
We do not use advertising or analytics trackers.
We do not collect browsing history outside supported mail compose pages.
We do not request permission to read or manage browser tabs.

Permissions

Permission	Why it is used
`storage`	Save your optional display name and local draft provenance
Gmail / Outlook host access	Inject a content script and show the widget in compose editors only
`human-stamp.vercel.app`	Request cryptographic signatures from the signing service

Permissions HumanStamp does not use

Permission	Notes
`tabs`	Not requested. HumanStamp does not read, query, or monitor your open tabs. On first install, the extension may open a one-time welcome page using `chrome.tabs.create()`, which Chrome allows without the `tabs` permission.

No other broad permissions (such as activeTab, scripting, or cookies) are requested.

Data retention and deletion

Uninstalling HumanStamp or clearing its data in chrome://extensions removes stored settings and draft provenance from your browser. The signing service never receives full email content.

Children’s privacy

HumanStamp is not directed at children under 13, and we do not knowingly collect information from them.

Changes

We may update this policy from time to time. The “Last updated” date will change when we do.

Contact

For privacy questions, open an issue on the HumanStamp GitHub repository for this project.