Privacy Policy

ByHand · Effective 27 April 2026

This policy explains exactly what data the ByHand browser extension (“ByHand”, “we”, “us”) collects, why, where it goes, and what your rights are. ByHand is a product of Hand Stencil.

If you only read one section, read this:

ByHand listens to keystroke timing — when keys are pressed, not which keys. We do not read, capture, transmit, or store the content of your emails, the subject line, recipient addresses, sender information, or any text you type. The only thing we transmit is a derived statistical fingerprint of your typing rhythm.

1. What ByHand does

ByHand is a Chrome extension that watches the rhythm of your typing while you compose an email in Gmail. From that rhythm, it computes a score on a 0–100 scale that reflects how likely the text was written by a human versus generated by an AI tool. When the score is high enough, ByHand attaches a small visual stamp to the bottom of your outgoing email. Recipients can click the stamp to view a report describing how the score was derived.

2. Information we collect

2.1 What we capture on your device (locally only)

While you are composing an email in Gmail with ByHand enabled, the extension records the following events in your browser’s memory:

Timestamps of each keystroke (the moment a key is pressed and the moment it is released, in milliseconds)
Durations of pauses between keystrokes, sentences, and paragraphs
Counts of corrections (backspaces) and edits
Counts of paste events and how many characters were pasted
Counts of tab switches and window focus changes
Sentence and paragraph structure (how many of each, how long each is in characters — never their content)
Total typing time (active duration) and wall-clock duration
Word counts (total words and how many were typed versus pasted)

From these raw events, ByHand computes aggregate statistics — mean and median pause times, rhythm variance, revision counts, and similar derived numbers — that together form an “authorship report.”

2.2 What we upload

When you send a stamped email, ByHand uploads the authorship report — the aggregated statistics described above — to our backend. The upload contains:

The numerical score (0–100) and verdict label
The aggregate timing and editing statistics
A short, randomly generated 8-character report ID
A timestamp of when the report was generated
A platform identifier (e.g. “Gmail”)

The upload does not contain raw keystroke timestamps, individual key events, or anything from which the original text could be reconstructed.

2.3 What we never collect

ByHand does not collect any of the following, ever:

The characters or words you typed
The body, subject line, or any portion of the text of your email
The email addresses of senders or recipients
Your name, your Google account, your email account, or any login credential
Pages you visit outside Gmail
Browsing history
Mouse movements, screen contents, or screenshots
Microphone or camera input
Location data
Cookies or device fingerprints used for advertising

2.4 Settings stored on your device

ByHand stores your preferences (whether the extension is on, your chosen footer-stamp style, your chosen subject-line tag) in your browser’s extension storage. These never leave your device.

3. How we use the data

The uploaded authorship report is used for one purpose only: to render a clickable web page that the recipient of your email can view to inspect the basis for the score. The report is not used for advertising, profiling, training machine-learning models, or any purpose other than the authorship verification feature you opted into by enabling ByHand.

4. Where data is stored

Authorship reports are stored on Supabase infrastructure (Edge Functions and Storage), in a region selected by Hand Stencil. Static assets that recipients fetch when viewing a report (badge images, the viewer page) are served by Netlify. Both providers are bound by their own data-protection commitments and act as processors of the data we entrust to them. We do not transfer authorship-report data to any other third party.

5. Who can see a report

Each authorship report is identified by a randomly generated 8-character ID (e.g. y7lmR4w3). A report is rendered through a URL that includes that ID. Anyone in possession of the URL can view the report. We treat report IDs as unguessable but not secret: do not include report links in places you would not want a third party to see them. Reports do not contain personal information about you beyond the typing-rhythm statistics described above.

6. Modifications ByHand makes to your outgoing email

When you send an email and the score qualifies, ByHand modifies your outgoing email in two ways — both of which you can disable in the extension popup at any time:

Footer stamp. A small image hosted on authorshipstamp-report.netlify.app is appended above your signature. Clicking it opens the report URL.
Subject line tag (optional). A short marker (text, emoji, or your custom string) is prepended to the subject. Off by default.

ByHand does not otherwise alter your email’s contents or its routing.

7. Retention and deletion

Authorship reports are retained for 90 days from creation, after which they are automatically deleted from our backend. You can request immediate deletion of any specific report or all of your reports by contacting us (see Section 11). To delete data stored on your own device, remove the extension from chrome://extensions.

8. Your rights

Depending on where you live, you may have rights regarding your personal data:

European Economic Area & UK (GDPR): rights to access, rectification, erasure, restriction, portability, and to object to processing.
California (CCPA / CPRA): rights to know, delete, correct, and to opt out of sale or sharing of your personal information. We do not sell or share your personal information.
Other jurisdictions: rights as granted by applicable local law.

To exercise these rights, contact us at the address in Section 11. We will respond within the timeframe required by applicable law (typically 30 days).

9. Children

ByHand is not directed to children under 13 (or under 16 in the EEA / UK) and we do not knowingly collect data from them. If you believe a child has used the extension, contact us and we will delete any associated reports.

10. Changes to this policy

We may update this policy from time to time. The “Effective” date at the top of the page shows when it was last revised. Material changes will be highlighted on this page for at least 30 days, and the version of the extension that introduced the change will reflect the same effective date in its release notes.

11. Contact

For privacy questions, data-subject requests, or to report a concern:

Email: contact@handstencil.com
Web: handstencil.com

12. Limited Use commitment

ByHand handles user data in accordance with the Chrome Web Store Limited Use requirements. Specifically:

We use the data we collect only to provide and improve the authorship-verification feature you opted into.
We do not transfer the data to others except to provide the feature, comply with applicable law, or as part of a merger or acquisition with appropriate user notice.
We do not use the data for serving advertisements or for any unrelated purpose.
We do not allow humans to read the data, except (a) with your explicit affirmative consent for specific reports, (b) where necessary for security or abuse investigation, or (c) where required by law.