Privacy Policy

What Baloney Is

Baloney is an AI content detection platform consisting of a Chrome browser extension and a web dashboard at baloney.app. It analyzes images, text, and video on social media to detect AI-generated content.

Data We Collect

• Content for analysis: Images and text on supported sites are sent to our detection API. Raw content is processed in-memory and is not stored.
• Detection results: Verdict (e.g., AI-generated, human), confidence score, detection method used, platform, content type, content hash, timestamp, and scan duration are stored to power your personal dashboard.
• Anonymous user ID: A random UUID generated locally by the extension. We do not collect your name, email, or any personally identifiable information through the extension.
• Page URL hash: A cryptographic hash (SHA-256) of the page URL is sent with scan requests to identify unique content sightings without storing your actual browsing history.
• Account data: If you create a web account, we store your email address and authentication credentials via Supabase Auth.

Data We Do NOT Collect

• Browsing history or page URLs (only SHA-256 hashes)
• Cookies or tracking pixels
• Personal messages or private content
• Data from sites not in your allowed-sites list
• Financial or payment information

Legal Basis for Processing

We process your data under the following legal bases as defined by the EU General Data Protection Regulation (GDPR):

• Legitimate Interest (Article 6(1)(f)): Content analysis and provenance tracking. We process submitted content to detect AI-generated material and track content provenance across platforms, helping users make informed decisions about the content they encounter online.
• Consent (Article 6(1)(a)): Account creation, scan history storage, and community data sharing. You may withdraw consent at any time by deleting your account or adjusting your settings.

How Detection Works by Edition

Baloney offers two editions with different data handling:

Community Edition (default)

• Text: Analyzed using statistical methods (perplexity, burstiness, token patterns) locally on our server. Text is processed in-memory and discarded immediately after analysis.
• Images: Analyzed using FFT/DCT spectral analysis and metadata inspection on our server. Images are processed in-memory and discarded immediately after analysis.
• No content is sent to any third-party detection service in Community edition.

Pro Edition

• Text: In addition to statistical analysis, text content is sent to the Pangram API for commercial AI detection. Pangram processes the text for detection purposes only and does not retain it.
• Images and video: Sent to the SightEngine API for commercial AI detection. SightEngine processes content for detection purposes only and does not retain it.
• Watermark detection: Text and images may be checked for SynthID watermarks (Google) to identify content generated by Google Gemini and Imagen models. Content is analyzed in real-time and not retained.

Community Data Sharing

If you opt in to community sharing (off by default), your anonymous scan results contribute to aggregate community analytics such as platform-level AI content rates. No personal information is included. You can toggle sharing on or off at any time from the extension settings.

Chrome Extension Permissions

The Baloney extension requests the following browser permissions:

• storage: To save your extension settings, anonymous user ID, and session statistics locally in your browser.
• contextMenus: To provide a right-click “Scan with Baloney” option for selected text and images.
• sidePanel: To display detailed scan results and analysis in a browser side panel.
• scripting: To programmatically inject the content scanner when you add new sites to your allowed list via the popup.
• Host permissions (8 domains): 3 social media platforms (X/Twitter, Instagram, Facebook) plus Substack, 3 image CDN domains (cdninstagram.com, pbs.twimg.com, i.redd.it), and baloney.app. X.com and twitter.com are counted separately for legacy URL support. You can add additional sites via optional permissions; Chrome prompts for approval on each.

Third-Party Services

We use the following third-party services. Each service processes data according to its own privacy policy:

• Supabase (database and authentication): stores detection metadata and account data if you sign in. Hosted in US-East-1. Privacy policy
• Vercel (web hosting and API): hosts the baloney.app dashboard and API routes. Privacy policy
• Pangram (text AI detection, pro edition only): receives text content for detection. Does not store or retain submitted content. Privacy policy
• SightEngine (image/video AI detection, pro edition only): receives images and video for detection. Does not store or retain submitted content. Privacy policy
• Google SynthID (watermark detection via Railway backend): checks text and images for AI watermarks from Google Gemini and Imagen models. Content is analyzed in real-time and not retained.

Third-Party Detection Services

In Pro edition, user content is transmitted to the following external services for AI detection analysis. All transmissions use HTTPS. Content is processed in memory by these services and is not retained beyond the duration of the analysis request.

• Pangram: Text AI detection. pangram.com
• SightEngine: Image and video AI detection. sightengine.com
• Hive AI: Image AI detection and generator identification. thehive.ai
• Google Cloud / SynthID: AI watermark detection for text and images generated by Google Gemini and Imagen models.

None of these services retain, store, or use submitted content for model training, advertising, or any purpose beyond the detection request.

Data Lifecycle

Content submitted for analysis follows a strict lifecycle designed to minimize data retention:

• Content (text, images, video) is processed in memory and immediately discarded after analysis completes. Raw content is never written to disk or stored in a database.
• Only a cryptographic hash (HMAC-SHA256) of the content is retained for deduplication and provenance tracking. This hash is a fixed-length fingerprint that cannot be reversed to recover the original content.
• The HMAC key used for hashing is stored server-side and is never exposed to clients, preventing external parties from generating or matching hashes independently.
• Detection results (verdict, confidence, method) are stored and linked to the content hash, not to the original content.

Limited Use Disclosure

Baloney's use and transfer of information received from Google APIs adheres to the Chrome Web Store API Limited Use Requirements, including the Limited Use requirements.

• Data collected by the extension is used solely to provide AI content detection functionality as described on the Chrome Web Store listing and in this privacy policy.
• Data is not sold to third parties, used for advertising, used for creditworthiness determinations, or transferred to any data broker or information reseller.
• Third-party detection services (Pangram, SightEngine, SynthID) receive content exclusively for AI detection analysis. These services do not retain, store, or use submitted content for model training, advertising, or any purpose beyond the detection request.
• Human access to user data is limited to debugging with explicit user consent, aggregated and anonymized analytics, or responding to security incidents.

Data Retention

Raw content (images, text, video) is never stored. It is processed in-memory and discarded immediately. Other data is retained for the following periods:

• Scan history (verdicts, confidence scores, platform, timestamps): Retained until you delete your account.
• Content hashes in provenance registry: Retained indefinitely for aggregate provenance analysis. These hashes are not linked to individual user accounts.
• Rate limiting data (IP-based request counters): Automatically purged after 7 days.
• Authentication tokens: Retained until logout or token expiry, whichever comes first.

You may request deletion of all stored data at any time by contacting us or using the account deletion feature, and we will process the request within 30 days.

Your Rights (GDPR Articles 15–21)

If you reside in the EU/EEA, you have the following rights under the General Data Protection Regulation. Users in other jurisdictions (e.g., California under CCPA) may have similar rights under local law.

• Right to Access (Art. 15): Request a copy of all data we hold about you. Authenticated users can export their data at /api/account/export.
• Right to Erasure (Art. 17): Delete your account and all associated scan history. Use /api/account/delete or contact us at the email below.
• Right to Data Portability (Art. 20): Export your data in machine-readable JSON format via the export endpoint above.
• Right to Object (Art. 21): You may object to processing at any time by deleting your account, disabling the extension, or opting out of community sharing.
• Right to Lodge a Complaint: You have the right to file a complaint with your local data protection authority if you believe your data is being processed unlawfully.

You can also access your scan data via the personal dashboard, opt out of community sharing at any time, or uninstall the extension to stop all data collection.

Children's Privacy

Baloney is not directed at children under 13. We do not knowingly collect data from children.

Security

All data is transmitted over HTTPS. Authentication uses industry-standard practices via Supabase Auth. Row-level security is enabled on all database tables. The extension enforces a strict Content Security Policy (script-src 'self'; object-src 'self') to prevent code injection.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of Baloney after changes constitutes acceptance.

Contact & Data Protection

For privacy questions, data access requests, data deletion requests, or to exercise any of your data protection rights, email our data protection contact at support@baloney.app. We aim to respond to all data protection requests within 30 days.