Privacy Policy
Last updated: June 28, 2026
ContextGrade is a product and brand of MerchKart Inc., a corporation organized under the laws of the Province of Ontario, Canada ("MerchKart," "ContextGrade," "we," "us," or "our"). This Privacy Policy explains what information we collect, why we collect it, and how we handle it across the ContextGrade website (contextgrade.com), the ContextGrade Chrome extension, the ContextGrade dashboard (app.contextgrade.com), and the ContextGrade API (together, the "Service").
We wrote this policy to be specific rather than vague, because the Service — especially the Chrome extension — deals with workplace decisions and we want it to be obvious exactly what we collect and what we deliberately don't.
1. Overview
ContextGrade is a Decision Intelligence Platform. Organizations use it to capture the reasoning behind workplace decisions — primarily through a browser extension that lets a signed-in employee log a decision and its rationale while working inside tools like Jira, Figma, or HubSpot. ContextGrade is not employee-monitoring, productivity-scoring, or activity-tracking software, and this policy is written to reflect that: we collect the minimum information needed to capture a decision, not a record of everything you do online.
2. Information We Collect
2.1 On the ContextGrade website
- Early access requests: the full name and email address you submit through the "Get Early Access" form.
- Contact form submissions: the name, email address, subject, and message you submit through the "Contact Us" form.
- Usage data: we use Google Analytics to understand aggregate site traffic (pages viewed, approximate location derived from IP address, browser/device type, referring site) via cookies and similar technology. See Section 11.
2.2 Through the Chrome extension
The extension is built to collect the minimum data required to capture a decision. Specifically:
- Sign-in session: when you sign in through the ContextGrade dashboard, the extension receives the authentication token already issued by that sign-in — never your password. This is what keeps you signed in inside the extension.
- Decision content you write or select: the decision summary, your written rationale (the "why"), the decision type and context category you choose, and any follow-up notes or reviews you add.
- Limited, already-visible page context — and only on domains your organization's administrator has explicitly registered as a "tracked source" (for example, your company's own Jira, Figma, or HubSpot workspace): the page URL, and a small set of status labels already rendered on the page (e.g., a ticket status badge, a deal-stage label, or a "comment resolved" marker). This is read directly from the page's existing display text and attributes.
- Extension settings: your on/off toggle, a read-only cached list of your organization's tracked sources, and a small local queue of decisions waiting to sync if you were offline when you saved them.
We never collect, and the extension is not built to collect: passwords, payment or card details, private messages, keystrokes, the contents of form fields you are actively typing into, or your general browsing activity, mouse movement, or scrolling. Detectors only ever read a narrow, hardcoded allowlist of status changes on registered sites — they do not log page views or run on the open web.
2.3 Through the dashboard and API
Decisions, notes, reviews, and AI-generated recommendations or reports that your organization's staff create are stored on our backend and are visible inside your organization's ContextGrade workspace, governed by our agreement with your employer (see Section 4).
2.4 Information you send us directly
Anything you send to [email protected] or through a contact/support form.
3. How We Use Information
- To provide and operate the website, extension, dashboard, and API.
- To build your organization's decision record — what we call the Context Graph — from the decisions and rationale your team logs.
- To generate AI-assisted recommendations on individual decisions and to compile AI Decision Reports (see Section 5).
- To authenticate you and keep your session secure.
- To respond to support, contact, and early-access requests.
- To send service-related communications about your account or our early-access program — not third-party marketing or advertising.
- To monitor, secure, debug, and improve the Service.
- To comply with applicable law and enforce our Terms of Service.
4. Whose Data Is This — You or Your Employer?
ContextGrade is a workplace tool. If you use the extension or dashboard as an employee or contractor of an organization that has a ContextGrade account (a "Client"), the decisions, notes, and rationale you log are controlled by that Client's organization — its administrators decide who on their team can see that data, and they can request its export or deletion. This Privacy Policy describes how we handle data as the service provider; your employer's own internal policies may also apply to how they use the decision records your team creates. If you have questions about how your specific employer uses ContextGrade, your organization's admin is the right first point of contact, and we're glad to assist them with requests that affect your personal information.
5. How We Use AI
Two features in ContextGrade involve AI processing of decision content:
- Decision recommendations: after a decision is logged, AI may analyze it alongside relevant signals and precedent to suggest a recommendation (approve / reject / escalate) with a stated rationale and confidence level.
- AI Decision Reports: on request, decisions within a category can be compiled into a structured Markdown report, optionally with an AI Insights summary, designed to be handed to an LLM or agent as organizational context.
Generating these features may involve sending the relevant decision text (summaries, notes, categories — never your password or payment information) to OpenAI strictly to produce that output for your organization. AI output is always shown together with its rationale and is never applied automatically — a human always makes the final call, and overrides are tracked. We do not use your data to produce a numeric score of you, your creditworthiness, or your job performance; ContextGrade has no "score" feature at all, by design.
6. How We Share Information
- Within your organization: decisions and notes you log are visible to your authorized teammates and admins according to your organization's own ContextGrade permissions.
- Service providers: infrastructure and database hosting, authentication (Supabase), OpenAI (for AI-assisted features described in Section 5), email/support tooling, and Google Analytics (website only). These providers are contractually limited to using data only to provide services to us.
- Legal and safety: if required by law, legal process, or to protect the rights, property, or safety of ContextGrade, our customers, or others.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, with notice where required by law.
We do not sell your personal information. We do not use or transfer your data for advertising, behavioral profiling, or interest-based targeting. We do not use or transfer your data to determine creditworthiness or for lending purposes. We do not use or transfer data collected through the Chrome extension for any purpose unrelated to providing and improving the decision-capture features described in this policy.
7. Chrome Extension Permissions, Explained
Chrome extensions request broad-sounding permissions for narrow reasons. Here is what each capability the extension uses is actually for:
- First-run disclosure: The first time you open the extension after installation, you are shown a plain-language summary of what it collects — specifically, the decision text you write, the source page URL, and your session credentials (never your password, keystrokes, or general browsing history) — along with a link to this Privacy Policy. The extension does not transmit any decision data until you acknowledge this screen and manually save your first decision.
- Local storage: keeps you signed in, remembers your on/off toggle, caches your organization's tracked-sources list for up to five minutes, and holds a small offline queue of decisions waiting to sync. Cleared items are deleted, not archived.
- Background sync ("alarms"): checks roughly every 30 seconds whether any queued decision needs to be retried, so a flaky connection doesn't lose your work.
- Side panel: opens the decision capture form in Chrome's side panel when you choose to log a decision.
- Reading Jira, Figma, and HubSpot pages: watches for a narrow, hardcoded set of already-rendered status changes — a ticket moving to Done, a comment being resolved, a deal stage changing — so it can offer to capture the reasoning. It reads only the status text and labels already displayed on the page, never form inputs or anything you're typing.
- Reading other registered sites: on any other domain your organization's admin has explicitly registered (for example, an internal tool or another SaaS product your team uses), the extension shows a small icon so you can manually log a decision. It does not run any automatic detection there.
- Outside registered domains: To support domains your administrator registers dynamically at any time, the extension may be granted broad host permissions in Chrome. However, it takes no action — no icon appears, no content script executes, and no data is read or collected — on any site that is not in your organization's registered domain list. Permission breadth is a technical requirement of supporting dynamic registration, not a reflection of what the extension actually does.
- Signing you in: on the ContextGrade dashboard (app.contextgrade.com) only, the extension picks up the session token already created when you signed in there, so you don't have to sign in twice. It never has access to your password and never runs on any other site for this purpose.
8. Data Security
All traffic between the extension, dashboard, and our backend is encrypted in transit (TLS/HTTPS). Authenticated requests use bearer tokens rather than passwords — the extension never stores or transmits your password. Raw session tokens are cleared from extension storage as soon as they're exchanged for a validated session. Access to your organization's decision data is restricted to authorized members of your own organization's workspace. No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard safeguards.
9. Data Retention
- Decision data, notes, and AI reports are retained for as long as your organization maintains an active ContextGrade account, plus a reasonable period afterward for backups and legal purposes, unless your organization's admin requests earlier deletion.
- Offline-queue items are deleted automatically once they sync successfully, or marked failed (and not retried further) after three failed attempts — you can clear failed items from the extension popup.
- Early-access and contact-form submissions are kept as long as needed to respond to you and run our early-access program, or until you ask us to delete them.
- Personal information tied to an individual user — your name, email address, and authentication credentials — is deleted within 30 days of account closure or deprovisioning from your organization, or sooner upon a verified deletion request sent to [email protected].
10. Your Rights and Choices
Depending on where you live, you may have the right to access, correct, export, or request deletion of personal information we hold about you, and to object to or restrict certain processing. You can also turn the extension off entirely at any time using its master toggle, or uninstall it from Chrome.
To exercise any of these rights, email [email protected]. If you use ContextGrade through an employer, some data (such as decisions logged as part of your job) is controlled by that organization's ContextGrade admin — we'll help route your request to them where that's the appropriate path.
For personal information under our control, we handle requests consistent with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). If you're located in the European Economic Area, the UK, or a US state with its own privacy law (such as California), you may have additional statutory rights under laws like the GDPR or applicable state privacy statutes; we'll honor applicable rights regardless of where you're located to the extent required by law.
11. Cookies (Website)
The marketing website (contextgrade.com) uses Google Analytics (GA4) to understand aggregate traffic — pages viewed, approximate location, device and browser type, and referring site — via cookies and similar technology. We do not use third-party advertising cookies or retargeting pixels on this site. You can block or clear these cookies in your browser settings, or use Google's Analytics opt-out browser add-on; doing so will not affect your ability to use the site. The Chrome extension itself does not use browser cookies — it uses Chrome's extension storage APIs described in Section 7.
12. Children's Privacy
ContextGrade is a workplace product intended for business use and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.
13. International Data Transfers
We are incorporated in Ontario, Canada. We and our service providers (including Supabase and OpenAI) may process information in Canada, the United States, or other countries where we or they operate. For transfers of personal information from the European Economic Area or the United Kingdom, we rely on appropriate transfer mechanisms — such as Standard Contractual Clauses (SCCs) approved by the European Commission — or the data protection laws of the recipient country where an adequate level of protection has been recognized. Canada's federal private-sector privacy law (PIPEDA) provides the legal framework governing our own handling of personal information. If you have questions about the specific safeguards applicable to your transfer, contact [email protected].
14. Changes to This Policy
We may update this Privacy Policy from time to time. We'll revise the "Last updated" date above, and if a change is material, we'll provide additional notice — for example, via the website or an in-product notice — before it takes effect.
15. Contact Us
Questions about this policy, or requests regarding your personal information, can be sent to [email protected]. ContextGrade is a product of MerchKart Inc., Toronto, Ontario, Canada.