Last updated: April 16, 2026

Privacy Policy

This Privacy Policy explains how Hand Stencil ("we," "our," or "us") handles data when you use ByHand, our Chrome extension for human authorship verification. We built ByHand around one principle: your writing stays yours. This policy reflects that.

Hand Stencil is the data controller for the limited data described in this policy. [Data controller address and EU representative details to be added upon establishment of EU entity, targeted before June 2026.]

1. What ByHand does

ByHand is a Chrome extension that verifies human authorship by analyzing writing behavior. It works inside Gmail compose windows and Google Docs. When activated, ByHand observes how you type — not what you type — and produces an authorship score indicating whether the text was genuinely composed by a human.

ByHand analyzes behavioral signals such as typing rhythm, pauses between keystrokes, editing patterns, and revision behavior. It does not read, store, or transmit the content of your writing.

2. Data we process

When ByHand is active, it processes the following categories of data locally in your browser:

2.1 Keystroke timing data

Temporal patterns: the timing intervals between keystrokes, pause durations, and the rhythm of your typing. This includes when you speed up, slow down, or stop to think. ByHand does not record which keys you press — only the timing between them.

2.2 Editing behavior data

Composition patterns: whether you go back to revise earlier text, how often you delete and retype, where you insert new content mid-text, and the ratio of final text to total keystrokes. These patterns reflect how a person composes — they are distinct from simply transcribing or pasting text.

2.3 Session metadata

Aggregate session information: total writing duration, words per minute (composition speed, not raw typing speed), number of paste events, and focus/blur events (how often you switched tabs during writing). No information about which tabs you visited is collected.

2.4 What we do NOT process

• The content of your writing (words, sentences, paragraphs)
• Which specific keys you press
• Email addresses, recipients, or subject lines
• Document titles or content in Google Docs
• Browsing history or URLs of other tabs
• Clipboard content (ByHand detects paste events but does not read what was pasted)

3. Where your data is processed

All data processing happens locally in your browser.ByHand runs entirely on your device. No keystroke timing data, editing behavior data, or session metadata is transmitted to Hand Stencil's servers or to any third party. The authorship analysis — from raw signals to final score — is computed on your machine.

Your writing session data is stored temporarily in your browser's local storage for the duration of the session and is retained for your last 10 sessions so you can review your own history. This data never leaves your browser. You can clear it at any time through your browser's extension settings.

4. A note on biometric data

Keystroke timing patterns are sometimes classified as "behavioral biometric data" under data protection frameworks including the EU General Data Protection Regulation (GDPR). We want to be transparent about how ByHand relates to this classification.

Under GDPR Article 4(14), biometric data receives special protection when it is used to uniquely identify a natural person. ByHand does not identify who is typing. It determines whether a human is typing at all. The distinction matters: ByHand is an authorship verification tool, not an identity verification tool. It does not build profiles, does not match typing patterns to individuals, and does not store biometric templates.

Moreover, because all processing occurs locally on your device and no biometric data is transmitted to or accessible by Hand Stencil, we do not act as a data controller over your keystroke biometric data in the GDPR sense. Your data remains under your sole control.

We recommend that enterprise customers deploying ByHand in their organizations conduct their own Data Protection Impact Assessment (DPIA) to evaluate ByHand in the context of their specific use case and jurisdiction.

5. The authorship badge and report

When you complete a writing session, ByHand generates an authorship badge showing your score. If you choose to include this badge in an email or document, the badge itself is visible to recipients. The badge contains:

• Your authorship score (a number from 0 to 100)
• A verdict (Likely Human, Mixed/Assisted, or Likely AI-Generated)
• The ByHand certification mark

The badge does not contain your keystroke data, timing patterns, or any behavioral data. It is a summary output only.

6. Data we collect through our website

When you visit handstencil.com, we use cookies and analytics as described in our Cookie Policy (available at handstencil.com/cookies). In summary:

• We use Google Analytics 4 to understand how visitors use our website.
• Analytics cookies are only set after you give explicit consent.
• Google Signals is disabled. Data retention is set to 14 months.
• You can withdraw consent at any time through the "Manage cookies" link in the website footer.

7. Legal basis for processing (GDPR)

For the limited data processing activities where Hand Stencil acts as data controller:

• Website analytics: consent (Article 6(1)(a) GDPR). You choose whether to accept analytics cookies.
• Contact form inquiries: legitimate interest (Article 6(1)(f) GDPR) in responding to your request.
• ByHand extension processing: as described in Section 3, this processing occurs locally on your device. Hand Stencil does not receive or process this data on its servers.

8. Third parties

Hand Stencil does not sell, rent, or share your personal data with third parties for their own purposes. The third-party services involved in our website operations are:

• Google Analytics 4 (website analytics, with consent)
• Netlify (website hosting)
• Google Chrome Web Store (extension distribution)

ByHand itself does not communicate with any third-party service.

9. International data transfers

Our website hosting (Netlify) and analytics (Google Analytics) involve data processing in the United States. Where applicable, these transfers are covered by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses.

[To be updated with specific transfer mechanisms and EU entity details upon establishment.]

10. Data retention

• ByHand extension data: stored locally in your browser for your last 10 sessions. You can clear it at any time. We do not retain any copy.
• Website analytics: 14 months (Google Analytics 4 setting).
• Cookie consent preference: 6 months (stored in your browser).
• Contact inquiries: retained as long as necessary to respond, then deleted.

11. Your rights

If you are in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate data.
• Erasure: ask us to delete your data.
• Restriction: ask us to limit how we process your data.
• Portability: receive your data in a structured, machine-readable format.
• Object: object to processing based on legitimate interest.
• Withdraw consent: for analytics cookies, at any time via the website footer.

Because ByHand processes data locally on your device and we do not receive it, most of these rights apply primarily to data collected through our website. For ByHand extension data, you maintain full control: you can view, export (JSON), or delete your session data directly through the extension.

To exercise your rights regarding website data, contact us at contact@handstencil.com.

You also have the right to lodge a complaint with your local data protection authority.

12. Children

ByHand is not directed at children under 16. We do not knowingly process personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Security

The strongest security measure we have is architectural: we do not collect your sensitive data in the first place. Keystroke timing data never leaves your browser, so there is nothing for us to protect on our end. For our website, we use HTTPS encryption and follow standard security practices for hosting and analytics.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top. For significant changes, we will provide notice through the ByHand extension or on our website.

15. Contact us

If you have questions about this Privacy Policy or how ByHand handles your data:

Hand Stencil
Email: contact@handstencil.com
Web: handstencil.com

[Registered address and EU representative to be added.]