Makro Privacy Policy
Effective Date: February 12, 2026 • Last Updated: February 13, 2026

TechHQ USA, LLC (“we”, “us”, “our”) operates the Makro browser extension (“Makro”, “the Extension”). This Privacy Policy explains what data Makro collects, how it is used, and your rights regarding that data.

Summary

Makro is designed with a local-first, privacy-first architecture:

Free tier: All data stays on your device. Nothing is transmitted externally.
Pro/Premium tiers: Cloud sync and AI features transmit encrypted data to our servers. Synced macros are end-to-end encrypted before leaving your device. Paid tiers include a 1-month free trial.
No behavioral analytics, no ads, no tracking. We collect minimal, anonymous install telemetry (version, platform, locale) once on first install. We do not collect behavioral data or usage patterns.
1. Data We Collect
1.1 Data Stored Locally (All Users)
The following data is stored on your device using the browser’s extension storage and never leaves your device unless you enable cloud sync:

Macros: Hotwords, titles, body text, tags, keyboard shortcuts, and category structure
Settings: Theme preferences, editor options, AI provider configuration
Usage statistics: Per-macro usage counts and timestamps (for the Stats tab)
Clipboard history: Recent clipboard entries (if you enable this feature). Entries that appear to be passwords are automatically excluded if the “Skip passwords” setting is on.
Device identifier: A randomly generated UUID used for encryption key derivation. This is not linked to your identity.
Encryption keys: A device-specific key and a random salt, used to encrypt your local data with AES-256-GCM.
1.2 Anonymous Install Data (All Users)
When you first install Makro, the extension sends a single, anonymous request to our server containing:

Data Purpose Stored?
Extension version Track adoption of new versions No (one-time request)
Browser platform Understand platform distribution No
Browser locale Prioritize localization efforts No
Country (derived from IP by Cloudflare) Understand geographic distribution No
This request is:

One-time only — sent once on first install, not on updates or subsequent launches
Anonymous — no user identifiers, account IDs, or device IDs are included
IP not stored — your IP address is used for rate limiting (discarded within 24 hours) but never saved to our database
No opt-out required — no behavioral data, browsing activity, or macro content is included
1.3 Data Transmitted to Our Servers (Pro and Premium Users)
When you activate a paid subscription, the following data may be transmitted:

Data When Purpose
License key Every API request Subscription validation and tier enforcement
Encrypted macros When you click “Sync to Cloud” Cross-device synchronization
Encrypted category names When you click “Sync to Cloud” Category structure synchronization
Device ID and device name During cloud sync Multi-device management
Sync timestamps During cloud sync Conflict resolution
Macro text (Pro and Premium) When you use AI Rewrite or Semantic Search AI text processing
AI text is sent only for the specific rewrite or search operation you initiate and is not stored after processing. AI-generated content is for general informational purposes only and does not constitute professional advice (legal, medical, financial, etc.).

1.4 Data We Do NOT Collect
Email addresses (we do not require account creation)
Names or personal identifiers
Browsing history or web activity
Location data
Financial or payment information (payments are handled entirely by Polar.sh)
Page content from websites you visit
Keystroke data outside of explicit macro expansions you trigger
2. How We Use Your Data
Purpose Data Used Legal Basis
Macro expansion Locally stored macros Core functionality
License validation License key Contract performance
Cloud sync Encrypted macros, device info Your explicit opt-in
AI text rewrite Macro text you select for rewriting Your explicit action
Semantic search Macro titles and bodies (for embedding) Your explicit opt-in
Device management Device ID, device name Multi-device sync
Rate limiting License key, request counts Service protection
Install telemetry Version, platform, locale, country Legitimate interest (product improvement)
3. Encryption and Security
3.1 Local Encryption
All macro data stored on your device is encrypted using AES-256-GCM with a key derived via PBKDF2 (600,000 iterations, SHA-256) from a randomly generated device key and a per-user random salt.

Parameter Value Standard
Cipher AES-256-GCM NIST FIPS 197 / SP 800-38D
Key derivation PBKDF2 (SHA-256, 600,000 iterations) NIST SP 800-132
IV / Nonce 96-bit, random per operation NIST SP 800-38D
Salt 128-bit, random per installation NIST SP 800-132
Crypto library Web Crypto API (browser-native) W3C Web Cryptography API
3.2 Cloud Sync Encryption (Zero-Knowledge)
When you use cloud sync, your macros are encrypted on your device before transmission using a key derived from your license key. Our servers store only encrypted blobs and cannot read your macro content. Only devices with your license key can decrypt the data.

3.3 Sensitive Data Warning
While your macros are encrypted both locally and in the cloud, Makro is not a password manager or secrets vault. Anyone with access to your browser or device can open the extension, trigger your hotwords, and view your macro content in plaintext. We strongly recommend that you do not store passwords, API keys, authentication tokens, or other sensitive credentials in your macros.

3.4 Session Security
Decrypted data is held in memory only during your active session. The session auto-locks after 30 minutes of inactivity. Encryption keys are never stored in plaintext.

1. Third-Party Services
   Makro uses the following third-party services for paid features:

4.1 Polar.sh (License Validation)
Purpose: Validate subscription license keys and determine tier (Free, Pro, Premium)
Data shared: License key (validated against our Polar.sh organization)
Privacy policy: https://polar.sh/legal/privacy
4.2 Cloudflare (Infrastructure)
Purpose: Hosts our API (Cloudflare Workers) and database (Cloudflare D1)
Data stored: Encrypted macros, device records, AI usage counts
Privacy policy: https://www.cloudflare.com/privacypolicy/
4.3 Google Gemini (AI Features — Pro and Premium)
Purpose: Text rewriting and semantic embeddings
Data shared: The text you explicitly submit for AI processing
When: Only when you actively use the AI Rewrite or Semantic Search features
Model: Gemini 2.0 Flash (via our Cloudflare Worker proxy — your license key is never sent to Google)
Privacy policy: https://policies.google.com/privacy
4.4 Ollama (Local AI — Optional)
Purpose: Alternative AI provider that runs entirely on your machine
Data shared: None — all processing happens locally
When: Only if you configure Ollama as your AI provider in Settings
4.5 Browser Permissions
Makro requests the following browser permissions, which are necessary for core functionality:

Permission Purpose
storage Store macros, settings, and statistics locally
clipboardRead Capture clipboard history (optional, user-enabled feature)
activeTab Insert text expansions in the active tab
contextMenus Right-click context menu for quick macro access
alarms Schedule periodic tasks (session timeout, auto-lock)
downloads Export macros as JSON files
declarativeNetRequest Manage network request rules for content script compatibility
notifications Display sync status and system notifications
We do not request tabs, history, cookies, webRequest, or other broad permissions.

1. Data Retention
   Local data: Stored until you uninstall the extension or clear browser data.
   Cloud sync data: Stored on our servers as long as your subscription is active. Deleted within 30 days of subscription cancellation.
   Trial data: Stored during the 1-month trial period. If you do not subscribe after the trial, server-side data is deleted within 30 days.
   AI usage logs: Request counts (no content) retained for 90 days for quota enforcement, then deleted.
   Device records: Removed when you deactivate a device or cancel your subscription.
2. Data Deletion
   You can delete your data at any time:

Local data: Uninstall the extension or use your browser’s “Clear extension data” feature.
Cloud data: Contact us at support@makroexpander.com to request deletion of all server-side data.
Device records: Use the “Manage Devices” feature in the extension to deactivate and remove devices, or contact us at support@makroexpander.com.
7. Your Rights
Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you
Correct inaccurate data
Delete your data (“right to be forgotten”)
Export your data (use the extension’s Export feature)
Restrict processing of your data
Object to processing of your data
To exercise any of these rights, contact us at support@makroexpander.com.

7.1 California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to request its deletion. For information on your CCPA rights or to submit a request, contact us at support@makroexpander.com.

1. Children’s Privacy
   Makro is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
2. International Data Transfers
   Our servers are hosted on Cloudflare’s global network. By using cloud sync or AI features, your encrypted data may be processed in data centers outside your country of residence. Cloudflare maintains appropriate safeguards for international data transfers.
3. Security Incident Response
   In the event of a security incident affecting our servers, we will notify affected users within 72 hours as required by applicable law and provide details on impacted data and recommended actions.
4. Changes to This Policy
   We may update this Privacy Policy from time to time. We will notify users of material changes by updating the “Last Updated” date at the top of this document and, where appropriate, via in-product notice or email. Continued use of Makro after changes constitutes acceptance of the updated policy.