Fortulio (“we”, “our”, “us”) operates the Fortulio Browser Protection Chrome extension and the associated dashboard platform. This policy explains what data we collect, why we collect it, and how it is used and protected.
1. Who This Applies To
This policy applies to employees and users who have the Fortulio Browser Protection extension installed as part of their organization’s security program. The extension is deployed by an organization administrator — it is not a consumer product.
2. Data We Collect
The extension collects the following categories of data on behalf of the employing organization:
- Web history — URLs of pages visited, page titles, and timestamps, used to assess domain familiarity and detect phishing or risky site visits.
- User activity — Browser-level behavioral signals including file downloads (filename, type, size), form submissions on login or sensitive pages, and clipboard activity indicative of credential exposure.
- Website content — Limited page-context signals (e.g., presence of password fields, login forms, or file-download prompts) used to classify page type for threat detection. Full page content is not transmitted.
All data is collected only while the extension is active and only within the browser context. No data is collected from outside the browser (e.g., desktop activity, other applications).
3. How We Use the Data
Data collected by the extension is used exclusively for the following purposes:
- Real-time detection of risky or anomalous browser behavior (e.g., phishing visits, unusual downloads, credential reuse).
- Generating security nudges and contextual warnings displayed to the user within the browser.
- Building and maintaining a behavioral baseline per user to reduce false-positive alerts over time.
- Providing security analytics and incident investigation tools to the organization’s security administrators via the Fortulio dashboard.
We do not use collected data for advertising, profiling outside the security context, or any purpose unrelated to the organization’s security program.
4. Data Sharing
We do not sell or transfer user data to third parties. Data is shared only in the following circumstances:
- Within your organization — Security administrators designated by your employer can access behavioral event data and security reports through the dashboard.
- Service providers — We use infrastructure providers (hosting, database) under strict data processing agreements. They do not access or process user data independently.
- Legal requirements — We may disclose data if required by law or to protect the rights and safety of individuals.
5. Data Retention
Raw behavioral events are retained for 90 days by default. Normalized event summaries and behavioral baselines are retained for the duration of the organization’s active subscription. Organizations may request earlier deletion of user data by contacting us.
6. Security
All data is transmitted over encrypted connections (TLS). Events are authenticated using per-user JWT tokens. Access to the dashboard and stored data requires authentication. We apply rate limiting, input sanitization, and token blacklisting to protect against unauthorized access.
7. Your Rights
If your organization has deployed the Fortulio extension, you may have rights under applicable privacy laws (such as GDPR or CCPA) to access, correct, or request deletion of your personal data. Please direct such requests to your organization’s security or IT administrator, or contact us directly at [email protected].
8. Changes to This Policy
We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the extension after changes are posted constitutes acceptance of the updated policy.
9. Contact
For privacy-related questions or requests, contact us at [email protected].