Legal
Steward Privacy Policy
1. Overview and single purpose
Steward is a Chrome extension and accompanying web platform built for nonprofit-newsroom teams, grant writers, and fundraisers. Its single purpose is to help authorized users draft and refine funder-facing communications — grant proposals, donor updates, stewardship messages, and related fundraising content — inside Chrome's side panel.
This Privacy Policy explains what information Steward processes, how that information is used, when it is shared, how long it is retained, and the choices available to users. It applies to the Steward Chrome extension and the tools.theajp.org backend service that powers it.
Steward is available only to users who have been invited to an approved organization. It is not a general-purpose consumer product.
2. Data we collect (user data collection)
Steward collects the following categories of user data. The categories below use the same terminology as the Chrome Web Store user data disclosures.
2.1 Personally identifiable information
- Full name and email address (provided by the user's identity provider — typically Google via Clerk).
- Identity-provider user ID.
- Organization ID and role (for example, org:journalist, org:admin).
Steward uses this information to identify the signed-in user, determine which newsroom organization the user belongs to, enforce organization-level extension access, and associate drafting activity with the correct account. This information is stored by Clerk as part of the user's authentication profile and by the tools.theajp.org backend as part of account, organization-membership, and access-control records. It is shared only with Clerk and the tools.theajp.org backend for those purposes, as described in section 4.
2.2 Authentication information
- Session and access tokens issued by our authentication provider, Clerk.
- Extension-access status (allowed / revoked) returned by the tools.theajp.org backend.
Steward does not collect, store, transmit, or have access to user passwords. Sign-in is handled entirely by Clerk in a separate browser tab; the extension never renders a password field, never intercepts password input, and the manifest does not request any permission (such as identity, broad host access, or content-script injection) that could allow it to read credentials from web pages.
The session and access tokens described above are issued by Clerk after sign-in and are stored only in chrome.storage.local. They are short-lived bearer tokens — not user-typed credentials — and cannot be used to recover, derive, or reset a user's password.
2.3 Personal communications (user-provided content)
- Prompts, instructions, and refinement requests entered in the side panel.
- Drafts, rewritten versions, and revision history within a drafting session.
- Notes and other text the user saves in the extension.
- Context documents the user explicitly attaches (optionally including Google Drive files the user selects through the Google Picker).
This content may contain personal or organization-sensitive information depending on what the user provides. Steward treats it as confidential and uses it only to operate the drafting features.
Steward uses personal communications to generate, revise, and save drafts at the user's request. This content is transmitted to the tools.theajp.org backend to run the drafting session and, for a generation or refinement request, to OpenAI to return the requested completion. Personal communications are not stored in chrome.storage.local except where the user intentionally saves local notes or preferences; drafting-session content is otherwise stored on the backend for the retention period described in section 5.
2.4 Website content (Google Drive data, optional feature)
When a user chooses to attach a Google Drive file as context, Steward uses Google's OAuth + Drive Picker so the user can explicitly select a specific file. For each selected file, Steward receives:
- The file's ID, name, and MIME type.
- The exported text content of that specific file.
Steward uses this website content only as optional context for the drafting request the user initiated. The exported text content of a selected file is transmitted to the tools.theajp.org backend and, when the user asks Steward to generate or refine text using that attachment, to OpenAI for that specific completion request. Steward stores only references to attached context documents in chrome.storage.local; the file text itself is not stored in local extension storage. On the backend, attached-file references are retained for the life of the drafting session unless the user detaches the file sooner, as described in section 5.
Steward requests only the narrow Google Drive scopes required for user-initiated file selection. It does not read, list, or scan the user's Drive beyond files the user explicitly picks. The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
2.5 Local extension storage
Steward stores the following locally in Chrome (chrome.storage.local) so the extension can work across browser sessions:
- Authentication/session state issued by Clerk.
- Active organization ID.
- User preferences (tone, word limits, saved templates).
- References to attached context documents for the current drafting session.
chrome.storage.local does not store the text contents of Google Drive files, full prompt/draft history for completed backend drafting sessions, or user passwords. It stores only the local extension state needed to keep the user signed in and preserve their extension preferences and selected-document references between browser sessions.
Local storage is scoped to the Steward extension and is removed when the user uninstalls the extension or clears extension storage.
2.6 Operational and audit logs
To operate the service, detect abuse, and comply with organizational governance, the tools.theajp.org backend records audit events for actions such as sign-in, draft generation, draft refinement, copy, feedback, and access-revocation events. Each audit record is associated with an organization ID, user ID, an action label, and an optional metadata object. Personally identifying content of prompts or drafts is not written to audit logs.
2.7 What Steward does NOT collect
- User passwords or any other user-typed credentials. The extension does not render, intercept, request, log, or transmit password fields or other credential input. Authentication occurs in a Clerk-hosted tab outside the extension's process; the extension only receives a session token from Clerk after sign-in succeeds. The manifest does not request the identity permission, broad host permissions, or content scripts that could read credentials from any web page.
- Health information.
- Financial-account or payment information.
- Precise location.
- General browsing history or activity on websites unrelated to Steward.
- Content of arbitrary web pages (Steward does not use content scripts that scrape pages you visit).
3. How we use data (handling)
Steward uses collected data only for the purposes described below, all of which are directly tied to the extension's single purpose:
- Authenticate the user and verify that the user's organization has active extension access.
- Open and render the drafting interface in Chrome's side panel.
- Generate and refine drafts based on the user's prompt and attached context.
- Associate attached context documents with the correct drafting session.
- Persist user-scoped session state, preferences, and selected-document metadata.
- Enable optional Google Drive document selection when the user opts in.
- Maintain service security, troubleshoot issues, prevent abuse, and comply with legal obligations.
Steward does not use collected data to build advertising profiles, determine creditworthiness, train third-party models, or for any purpose unrelated to its single purpose.
3.1 Usage limits
For clarity, the following is a complete list of restrictions on how Steward uses the data described in section 2. These restrictions apply to every category of user data Steward processes, including authentication tokens, prompts, drafts, attached context documents, and operational logs:
- Steward uses user data only to provide and improve the drafting features described in section 1 (single purpose).
- Steward does not sell user data to any third party.
- Steward does not share user data with third parties for advertising, marketing, profiling, or behavioural-targeting purposes.
- Steward does not use user data to train, fine-tune, or improve general-purpose machine-learning models, whether operated by AJP or by a third party.
- Steward does not use user data to determine creditworthiness or for any lending purpose.
- Steward does not permit any human at AJP, Clerk, OpenAI, or Google to read user prompts, drafts, or attached context except where strictly necessary to investigate a specific abuse report, security incident, or support request, and only with appropriate access controls.
4. How we share data (sharing and disclosure)
Steward does not sell user data. We share user data only with the service providers required to operate the extension, and only to the extent necessary for them to provide their service.
| Recipient | Purpose | Data shared |
|---|---|---|
| Clerk | Authentication, session management, organization/role lookup. | Identity-provider profile (name, email, ID), session tokens. |
| tools.theajp.org backend (operated by AJP) | Powers drafting, sessions, audit logging, access control. | Auth token, organization ID, prompt text, attached-document references and content, feedback events. |
| OpenAI (LLM API) | Generates and refines drafts on request. | The prompt text and any context the user attached for that specific drafting request. OpenAI processes this data solely to return a completion; per its API terms, it does not use API inputs or outputs to train its models. |
| Google APIs (optional) | Google Sign-In via Clerk; Google Drive Picker and Drive file export, only if the user chooses to attach a Drive file. | Google account authorization data required by Clerk for sign-in, and for the optional Drive attach feature only, the OAuth authorization and the ID, name, MIME type, and exported text of the file the user explicitly selects. |
We may disclose data if reasonably necessary to:
- Comply with applicable law, regulation, legal process, or an enforceable governmental request.
- Protect the rights, safety, or security of users, the extension, or the public.
- Detect, investigate, or prevent fraud, abuse, security incidents, or technical issues.
We do not transfer user data to data brokers, advertisers, or other third parties unrelated to the extension's functionality.
Authentication credentials. Because Steward does not collect user passwords, no passwords are ever shared. Session and access tokens described in section 2.2 are exchanged only between Clerk (the issuer) and the tools.theajp.org backend (which validates them on each request). Tokens are not transmitted to OpenAI, to Google APIs, or to any other recipient listed above, and they are not written to audit logs.
5. Data retention and storage
| Data category | Retention |
|---|---|
| Personally identifiable information (name, email, user ID, organization role) | Retained by Clerk and the tools.theajp.org backend while the user's account and organization membership remain active; deleted within 90 days after account deletion or organization removal unless a longer retention period is required by law. |
| Clerk authentication session | Until the user signs out, the session expires, or the user is removed from the organization. |
| Chrome local extension storage (session state, preferences, doc metadata) | Until the user uninstalls the extension or clears extension storage. |
| Drafting sessions and associated prompts/drafts on the backend | Retained while the user's organization is active; deleted within 90 days after the organization is deleted or the user is removed, unless a longer retention period is required by law. |
| Attached-context-document references (including optional Google Drive picks) | Removed immediately when the user detaches the document in the extension; otherwise retained for the life of the drafting session. |
| Exported text of Google Drive files the user attaches as context | Processed only for the drafting session in which the user attached the file; retained on the backend only for the life of that drafting session and deleted within 90 days after the associated user or organization is deleted, unless a longer retention period is required by law. |
| Audit logs | Retained for up to 24 months for security, abuse-prevention, and governance purposes. |
Users (or their organization admins) can request deletion of their account data by emailing steward-support@theajp.org. We will confirm and complete deletion within 30 days, except where retention is required by law.
6. Security
Steward uses reasonable technical and organizational measures to protect data against unauthorized access, disclosure, alteration, or destruction, including:
- TLS/HTTPS in transit for all production backend traffic.
- Short-lived authentication tokens verified on every request.
- Role-based access control at the organization and extension-access level.
- Access to production systems restricted to authorized AJP personnel.
- Encryption at rest for persisted database content.
No method of transmission or storage is completely secure, so absolute security cannot be guaranteed.
7. Your choices and controls
- Choose whether to sign in at all — Steward has no functionality for unauthenticated users.
- Choose what text, prompts, notes, and context documents to provide.
- Choose whether to use the optional Google Drive attach feature.
- Remove attached context documents (the extension sends a deletion request for the corresponding backend reference).
- Revoke Google Drive permissions at any time at myaccount.google.com/permissions.
- Clear locally stored extension data through Chrome settings, or by uninstalling the extension.
- Request deletion of account and organizational data by emailing steward-support@theajp.org.
8. Chrome extension permissions
Steward requests only the permissions required to operate:
- storage — Save user-scoped session state, selected documents, preferences, notes, and related local extension data.
- windows — Open and focus the Chrome window that should display Steward's side panel or auxiliary extension UI.
- tabs — Open, focus, update, and close Steward-managed tabs used for sign-in and the Google Drive Picker flow. Not used to read browsing history or monitor unrelated web activity.
- tabGroups — Label tabs opened during Steward's sign-in flow so users can recognize which tabs belong to the extension. Not used to read or modify user-created tab groups.
- sidePanel — Display Steward's main drafting interface in Chrome's side panel.
- contextMenus — Provide a quick action for opening Steward from the browser menu.
Host access is limited to the production service domain required for Steward to function:
https://tools.theajp.org/*
Steward does not request access to arbitrary websites outside this declared service domain and does not inject content scripts into user-visited pages.
9. Limited Use Statement
Steward complies with the following commitments, consistent with the Google API Services User Data Policy (Limited Use) and the Chrome Web Store Developer Program Policies:
Affirmative disclosure: The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
- We do not sell or transfer user data to third parties outside of the approved use cases described in this policy.
- We do not use or transfer user data for purposes that are unrelated to Steward's single purpose.
- We do not use or transfer user data to determine creditworthiness or for lending purposes.
- We do not use user data to serve advertisements.
- We do not use user data to train general-purpose machine-learning models that are unrelated to Steward's single purpose.
10. International users
Steward is operated from the United States. By using Steward, users understand that data may be processed and stored in the United States and in the regions used by our service providers (Clerk, Google, OpenAI). Where required by law, we rely on appropriate safeguards for cross-border data transfers.
11. Children's privacy
Steward is a professional tool for nonprofit-newsroom fundraising teams and is not directed to children. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided personal information through Steward, contact steward-support@theajp.org and the information will be removed consistent with applicable law.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the extension, its features, or legal requirements. When the policy changes, the "Last updated" date above will be revised. Material changes will be communicated to organization admins.
13. Contact
Questions, access requests, or deletion requests:
The American Journalism Project
Email: steward-support@theajp.org
Website: https://www.theajp.org