This Privacy Policy explains how Hiili ('we', 'our', or 'the Company'), established as a Data Controller in the European Union, collects, uses, shares, and protects personal data when providing its Chrome browser extension and related analytics services. This policy complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and comparable global privacy frameworks.

This policy applies to all users of the Hiili browser extension worldwide. Regional provisions are included for users located in the European Economic Area (EEA), the United Kingdom (UK), the United States (including California, Virginia, Colorado, and Connecticut), and any other jurisdiction with applicable data protection laws. Where local law requires additional rights or disclosures, this policy incorporates them.

Hiili acts as the Data Controller for all processing activities described herein.

We collect and process the following categories of data when you use our plugin:

• Input and output text processed by Large Language Models (LLMs) such as ChatGPT, Gemini, and DeepSeek.
• Model name, provider, date and time of interaction, token counts, and generation speed.
• Conversation titles, chat IDs, and message IDs assigned by the LLM platform.

Hiili does not collect usernames, emails, or other direct identifiers. Where users include personal data in prompts or outputs, such data is pseudonymized and stored under a random UUID.

Estimated energy usage associated with LLM activities performed through the plugin.

Continent, country, and region inferred from IP address to estimate CO₂ emissions. IP addresses are not stored or logged.

Installation date, browser version, preferred language, and user agent for technical support, debugging, and statistical purposes.

Basic demographic data regarding age group, prefessional field and gender for statistical purposes.

We process personal data based on the following lawful grounds under Article 6 GDPR:

• Consent: For collecting and analyzing prompt data or using anonymized inferences for all the elements listed in section 5 “Purposes for processing”.
• Legitimate Interests: To measure energy consumption, assess environmental impact, and improve Hiili’s offerings, ensuring minimal privacy impact.
• Contractual Necessity: Where processing is required to provide the plugin’s core functionality.
• Legal Obligation: Where processing is necessary for compliance with applicable law.

Under the UK, GDPR and US laws, equivalent lawful bases apply. Users may withdraw consent at any time via plugin settings or by contacting Hiili.

We use the data described above for the following purposes:

• To estimate and analyze energy consumption associated with AI model usage.
• To conduct scientific research with academic institutions.
• To conduct environmental research and sustainability reporting.
• To enhance plugin performance and develop new features.
• To produce aggregated, anonymized insights into purchase intent and user interests (non-identifiable) for advertising and market research, subject to consent.
• To produce methodologies, technologies and solutions that allows Hiili to carry out commercial actions to optimize the use of AI solutions for Hilli customers.
• To comply with legal, security, and regulatory requirements.

We do not sell, rent, or disclose identifiable personal data. However, we may share anonymized or aggregated insights with research institutions or commercial partners for research purposes, sustainability analytics, optimized use of AI solutions and advertising intelligence.

Where transfers outside the European Economic Area or United Kingdom occur, Hiili ensures compliance through:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• The UK International Data Transfer Addendum;
• Adequacy decisions for approved jurisdictions; and
• Binding contractual safeguards consistent with GDPR Articles 44–49.

We retain personal data only as long as necessary to fulfill the purposes stated in this policy, or as required by law. Anonymized and aggregated data that no longer identifies any individual may be retained indefinitely for research and statistical purposes.

Hiili applies appropriate technical and organizational measures to protect data from unauthorized access, alteration, loss, or disclosure. This includes encryption in transit (HTTPS) and at rest (AES-256), restricted access, logging, and periodic security audits.

In the event of a data breach, Hiili will notify affected users and relevant authorities in accordance with Articles 33 and 34 GDPR and applicable US state laws.

Users have the following rights depending on jurisdiction:

• Access, rectification, erasure, and restriction of processing (GDPR Articles 15–18);
• Data portability (Article 20);
• Right to object (Article 21) and to withdraw consent at any time;
• Under the CCPA/CPRA: right to know, delete, correct, and opt-out of data sale or sharing;
• Under the VCDPA and CPA: right to appeal processing decisions.

Requests can be submitted by providing the UUID shown in the plugin interface and contacting: hello@hiili.org.

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from minors. If we learn that such data has been collected, we will delete it promptly.

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The 'Last Updated' date at the top will indicate the latest revision. Significant updates will be communicated through the plugin or our website.

If you have any questions, concerns, or wish to exercise your rights, please contact:

If you are based in the EU or UK, you may also lodge a complaint with your national data protection authority. In the United States, consumers may contact the relevant state attorney general’s office for privacy complaints.