Privacy Overview (TL;DR)

Last Updated: December 2025

The Big Picture

qwip is a browser extension that detects AI-generated images. Here's how we handle privacy in plain English:

---

What Happens to Your Images?

Your images NEVER leave your browser.

When you visit a webpage with images:

1. Detection happens in your browser - We use ONNX models that run locally (like a built-in calculator)
2. Nothing is uploaded - Your images stay on your device, always
3. We can't see what you're analyzing - We don't have access to your browsing

Think of it like: A spell-checker in your word processor. It checks your writing locally without sending your documents to Microsoft or Google.

---

What Data Do We Collect?

✅ What we DO collect:

Data	What It Is	Why
Anonymous Session ID	Random number like a lottery ticket (e.g., a3f2b1c4-5d6e-...)	Count unique users without knowing who they are
Images Analyzed Count	Just a number (e.g., you've checked 47 images)	Measure platform usage
Model Preference	Which AI model you selected (e.g., "CiFake")	Optimize model selection

Example of what we store:

{
  "session_id": "a3f2b1c4-5d6e-7f8g-9h0i-1j2k3l4m5n6o",
  "images_analyzed": 47,
  "model": "cifake"
}

❌ What we DON'T collect:

• ❌ Your images or screenshots
• ❌ Your browsing history or website URLs
• ❌ Your IP address or location
• ❌ Your name, email, or any personal information
• ❌ Cookies or tracking identifiers
• ❌ Device fingerprints

---

Can Anyone Identify Me?

No. Absolutely not.

We use a random session ID generated by your browser (like a random lottery number). Even if someone hacked our database, they would find:

• A random ID that looks like a3f2b1c4-5d6e-7f8g-9h0i-1j2k3l4m5n6o
• A count of how many images that ID analyzed (e.g., 47)
• The model preference (e.g., "cifake")

They could NOT:

• ❌ Figure out who you are
• ❌ See what images you analyzed
• ❌ Track your browsing history
• ❌ Link the ID to your email, name, or device

Real-world analogy: It's like tracking how many people visit a park by counting footsteps, but without cameras or ID checks. We know "someone" walked through 47 times, but we don't know who.

---

How Is This Different from Other Services?

Most AI Detection Services:

1. ❌ Upload your images to their servers
2. ❌ Track what you analyze (URLs, timestamps)
3. ❌ Require an account (email, password)
4. ❌ Sell your usage data to third parties
5. ❌ Closed source - you can't verify their claims

qwip:

1. ✅ Processes everything locally in your browser
2. ✅ Only shares anonymous aggregates (session IDs + counts)
3. ✅ No account required - install and use immediately
4. ✅ Never sells data - we don't have data to sell!
5. ✅ Open source - verify on GitHub

---

What About the "Server-Assisted" Feature?

When you enable "Server-Assisted Detection" (optional), we:

✅ DO:

• Share a cryptographic hash of the image (think: a unique fingerprint)
• Store this hash to recognize similar images in the future
• Return cached detection results if the image was seen before

❌ DON'T:

• Upload the actual image (only the hash goes to server)
• Know who submitted the hash (it's anonymous)
• Track which website the hash came from

Analogy: It's like taking a fingerprint (hash) and checking if it's in a database, but you can't recreate a person from just their fingerprint. Similarly, we can't recreate your image from the hash.

Technical detail: We use perceptual hashing (cryptographic one-way function). The hash is 64 characters, while your image might be millions of pixels. It's mathematically impossible to reverse the hash back to the original image.

---

Your Rights

1. Right to Privacy

Your images stay on your device. We never see them, period.

2. Right to Delete

Clear your session ID anytime:

1. Open qwip extension → Settings
2. Click "Clear Session Data"
3. Your anonymous ID is deleted immediately

3. Right to Opt-Out

Disable all server features:

1. Open qwip extension → Settings
2. Toggle off "Server-Assisted Detection"
3. Toggle off "Contribute to Database"
4. Now you're 100% local-only (zero data sent)

4. Right to Know

Read our source code: Everything is open source on GitHub. You can verify every claim we make.

5. Right to Access

What data do we have about you?

We don't actually have data "about you" - just an anonymous session ID. But you can:

• View your local stats in the extension popup (images analyzed count)
• Export your browser's local storage to see what's stored

---

Common Questions

Q: Why collect any data at all?

A: To improve the service and show investors that people are using it. We only collect the minimum needed:

• Count active users (for growth metrics)
• Track accuracy over time
• Identify most popular models

We designed it so we can answer "how many users?" without knowing "who are the users?"

Q: Could you add tracking later?

A: Technically yes, but:

1. Open source - You'd see it in the code immediately
2. Browser permissions - We'd need to request additional permissions (you'd be notified)
3. Trust - We'd lose all credibility and users

Our business model is privacy-first detection, not data collection. Tracking would destroy our core value proposition.

Q: What if your server gets hacked?

A: The attacker would get:

• Random session IDs (useless without names/emails)
• Image hashes (can't reverse to images)
• Aggregate counts

They would NOT get:

• Your images (never stored)
• Your identity (never collected)
• Your browsing history (never tracked)

Worst case impact: Very low. No personal data = nothing sensitive to leak.

Q: Do you share data with third parties?

A: No. We don't share, sell, or rent any data. There's nothing to share - we don't have personal data!

Q: What about law enforcement requests?

A: If we receive a data request (never happened yet), we'd have nothing useful to provide:

• No way to identify specific users
• No browsing history
• No images
• Just anonymous session IDs and counts

We'd still notify users via our Transparency Report.

Q: Can I use qwip completely offline?

A: Almost! The extension runs locally, but the models are loaded from chrome.runtime.getURL() (bundled with extension). Once loaded, you can:

1. Disable "Server-Assisted Detection"
2. Disable "Contribute to Database"
3. Now it's 100% local-only

We're exploring a true offline mode for future versions.

---

Want More Details?

• Data Collection Practices - Detailed breakdown with examples
• Security Practices - Technical security details
• Compliance - GDPR, CCPA, COPPA regulations
• User Rights - Full legal rights
• Transparency Report - Quarterly updates

---

Contact Us

• Privacy questions: privacy@qwip.io
• Security issues: security@qwip.io
• General inquiries: hello@qwip.io

---

Bottom Line: We built qwip for people who care about privacy. Your images never leave your browser, we don't know who you are, and you can verify everything because we're open source.