Privacy Policy

1. Scope

This Policy applies only to the Parachute Benefits browser extension and related in-browser experiences (toolbar popup, optional in-page shopping assistant, and connection to your Parachute account on parachutebenefits.com).

If you use other Parachute products (website, mobile app, employer programs), those services are also governed by our general Privacy Policy linked above.

2. Information the Extension Collects

The Extension is designed to minimize data collection. You may use some surfaces while signed out; signed-in features require a Parachute account.

• Account and authentication data (when you sign in): email address, password (sent only to our identity provider for authentication), display name, internal user identifiers, and Cognito session tokens (including ID tokens used to call Parachute APIs).
• Website context for rewards matching (when signed in): the hostname of the tab you are viewing (for example, `www.example.com`). We do not collect the full URL path, page title, or page content through the Extension for eligibility checks.
• Rewards and wallet summary (when signed in): wallet balance and offer metadata returned by our servers for the toolbar popup (for example, offer titles, images, and reward amounts).
• Local preferences and state: whether you activated rewards on a hostname, cached eligibility results, last sign-in email (optional convenience), extension session snapshot, and technical build metadata needed to operate the Extension.
• User-initiated actions: when you choose to activate an offer or open a merchant link, we process that action to apply affiliate tracking parameters and record activation consistent with our rewards program.

3. How We Use Information

• Authenticate you and keep you signed in to the Extension.
• Determine whether the store you are visiting has an eligible Parachute offer.
• Display wallet balance and featured offers in the toolbar popup.
• Activate cashback or rewards links when you request them.
• Maintain session freshness, cache eligibility to reduce network calls, and prevent fraud or misuse.
• Improve reliability and support (for example, diagnosing failed sign-in or API errors).

4. Storage on Your Device

The Extension uses Chrome extension storage (`chrome.storage.local`) on your device to store session snapshots, authentication tokens, eligibility cache entries, and per-host activation flags. This data stays on your device unless you sign in and we transmit information to our servers as described in Section 2.

The Extension declares the `storage` and `alarms` permissions. Storage is used for the items above. Alarms are used to refresh authentication sessions periodically while you remain signed in.

If you open a Parachute web page in your browser (for example, to complete sign-in or account linking), that page may set cookies or use storage under our web app privacy practices.

5. Information We Do Not Collect Through the Extension

• Full browsing history or a list of all websites you visit.
• Full page content, form fields, passwords entered on merchant websites, or payment card numbers entered on third-party checkout pages.
• Keystroke logging, screenshots, or screen recordings.
• Microphone, camera, or precise geolocation data.
• Sale of your personal information.

A content script may load on many websites so the in-page assistant can appear when an offer is available, but eligibility requests use only the hostname and only when you are signed in (subject to caching rules).

6. How We Share Information

We do not sell personal information collected through the Extension.

• Parachute web application APIs (hosted on parachutebenefits.com) to verify offer eligibility, return wallet and offer summaries, and process activations.
• Amazon Web Services (for example, AWS Cognito and AppSync) for authentication and program data, as configured for your account.
• Merchant or affiliate partners when you choose to open a tracked shopping link, so rewards can be attributed correctly.
• Service providers that help us operate our platform (hosting, security, support), under contractual confidentiality and security obligations.
• Regulators or law enforcement when required by applicable law.

7. Consent and Your Choices

• Sign-in is optional for browsing, but required for personalized rewards, wallet balance, and offer activation.
• You may sign out from the Extension, which clears locally stored session and token data used by the Extension.
• You may remove the Extension at any time through your browser’s extension manager; you may also clear extension storage in browser settings.
• You may withdraw consent, request access to, correction of, or deletion of your personal information by contacting us (see Section 14). If you are in the EU or other regions with additional privacy rights, those rights may also apply as described in our general Privacy Policy.

8. Data Retention and Security

Server-side data is retained only as long as necessary for the purposes described in this Policy, to operate the rewards program, or as required by law.

Cached eligibility and local session data on your device persist until you sign out, clear extension storage, uninstall the Extension, or until the cache expires according to our internal policies.

We use industry-standard safeguards to protect data in transit (HTTPS/TLS) and at rest on our systems. No method of transmission or storage is 100% secure.

9. Third-Party Websites and Services

When you visit third-party merchant websites, their privacy policies govern those sites. The Extension does not control merchant tracking on those sites except when you explicitly open a Parachute-tracked link.

The Extension does not include third-party advertising or analytics SDKs separate from Parachute’s own APIs. If you navigate to our marketing site or web app, those properties may use cookies or analytics as described in our general Privacy Policy.

10. Browser Permissions

The Extension requests the following permissions and host access:

• `storage` — save session, cache, and activation state locally on your device.
• `alarms` — schedule periodic session refresh while signed in.
• Host access to `*.parachutebenefits.com` — communicate with Parachute APIs and allow secure sign-in handoff from the web app.
• Host access to our AppSync endpoint — load program and offer data when required by your account configuration.
• Broad website access (`*://*/*` content script) — inject the optional in-page assistant only; network calls for eligibility use hostname only when signed in, as described above.
• `externally_connectable` to Parachute domains (and local development hosts) — allow the web app to complete account linking with the Extension after you sign in on parachutebenefits.com.

We do not request access to `activeTab`, clipboard, downloads, native messaging, or the `tabs` permission for background tab inspection.

11. Relationship to Our General Privacy Policy

Our general Privacy Policy at parachutebenefits.com explains how we handle personal information across Parachute services, including employers, mobile apps, payments, and marketing. Where this Extension Policy is more specific, it controls for Extension data practices; otherwise, the general policy applies.

12. Children’s Privacy

The Extension is not intended for children under 13. We do not knowingly collect personal information from children without appropriate parental consent.

13. Updates to This Policy

We may update this Policy from time to time. We will post the revised Policy at this URL with an updated “Last updated” date. Material changes may also be communicated via email or in-product notice where appropriate. Continued use of the Extension after changes take effect constitutes acceptance of the updated Policy.

14. Contact Us

For privacy questions, access requests, or complaints about the Extension, contact us at finance@parachutebenefits.com.