---

1. Information We Collect

1.1 Authentication Data (Temporary, Session-Only)

• Coursera CAUTH Cookie: Read from your browser during download sessions only. This cookie is processed in your browser memory and is never transmitted to or stored on our servers. Purpose: To verify your existing Coursera session. Duration: Active session only; deleted immediately after use.
• Extension Installation ID: Chrome-generated unique identifier for your extension installation (used for internal tracking only).
• Course Identifiers: Course slugs (e.g., "machine-learning") for courses you download.

1.2 Payment Data

Razorpay collects: Email address, payment method details, billing address, and transaction amount.

We receive from Razorpay: Payment ID (e.g., pay_abc123), Order ID (e.g., order_xyz789), and payment status (success/failure).

Entity	Data Collected	Purpose
Razorpay	Email, card details, billing info, amount	Payment processing and fraud prevention
Forestily	Payment ID, Order ID, status	Access verification and service delivery

1.3 Technical Data (Minimal, Anonymized)

• IP Address: Recorded for rate limiting and abuse prevention. Automatically deleted after 30 days.
• User Agent: Browser and operating system information for compatibility purposes.
• Request Timestamps: For token validation and session management.
• Download Count: Number of unique courses downloaded (capped at 15 for multi-course plans).

1.4 Data We Do Not Collect

---

2. Data Storage and Retention

Data Type	Storage Location	Retention Period	Deletion Method
Coursera CAUTH Cookie	Your browser (local)	Current session only	Automatic (session termination)
Payment Session Tokens	Redis (encrypted)	5 minutes	Automatic expiration
JWT Access Tokens	Your browser storage	8 hours or 1 year	Automatic expiration or user-initiated deletion
Payment IDs / Order IDs	Redis (encrypted)	24 hours	Automatic expiration
Download Tracking Data	Redis (encrypted)	9 days	Automatic expiration
IP Addresses	Server logs	30 days maximum	Rolling deletion

Key Principle: We do not manually retain or archive personal data. All data is subject to automatic deletion according to the schedule above. No backups of personal information are maintained.

---

3. How We Use Your Information

3.1 Core Functionality

• Authentication: Verify your Coursera session to enable download coordination.
• Payment Verification: Confirm payment completion via Razorpay webhooks to grant access to paid services.
• Access Control: Generate anonymous JWT tokens for temporary access to HTML organization pages.
• Download Tracking: Count unique courses downloaded to enforce plan limits (15 courses for multi-course plans).

3.2 Security and Compliance

• Rate Limiting: Prevent API abuse (100 requests/hour per IP).
• Fraud Prevention: Detect and block suspicious payment patterns.
• Token Validation: Ensure legitimate extension usage only.

3.3 What We Do Not Do

• We do not track your behavior across websites or services.
• We do not build user profiles or analytics.
• We do not sell, rent, or trade your data.
• We do not send unsolicited marketing communications.
• We do not use third-party analytics services (Google Analytics, etc.).

---

4. Third-Party Services and Data Sharing

Service Provider	Purpose	Data Shared	Certification
Razorpay	Payment processing	Email, payment method, billing address, amount	PCI-DSS Level 1
Vercel	API infrastructure hosting	IP addresses (in anonymized logs)	SOC 2 Type II
Upstash Redis	Encrypted token and session caching	Encrypted tokens, payment IDs (anonymized)	SOC 2 Type II

Data Sharing Commitment: We do not sell, rent, or trade your data with any third party. No personal information is shared beyond what is strictly necessary for service delivery.

---

5. Security Measures

5.1 Encryption

• In Transit: All data is encrypted using HTTPS with TLS 1.3.
• At Rest: Sensitive data stored in Redis is encrypted using AES-256.
• Tokens: JWT tokens are signed using HMAC-SHA256.

5.2 Access Controls

• Rate Limiting: 100 requests per hour (general); 200 requests per 5 minutes (polling).
• Token Expiration: 5 minutes (payment tokens), 8 hours (course access), 1 year (multi-course plan).
• Domain Validation: API access restricted to authorized domains only.

5.3 Infrastructure Security

• All hosting providers (Vercel, Upstash) maintain SOC 2 Type II compliance.
• Regular security updates and patches applied.
• No public exposure of sensitive endpoints.

---

6. Your Privacy Rights

6.1 Data Access and Deletion

• Access: You can view JWT tokens stored in your browser's local storage. We maintain no server-side personal data.
• Deletion: Clear your browser's local storage at any time. All data associated with your session will be purged.
• Portability: You may export tokens from your browser if needed.

6.2 GDPR Rights (European Union Users)

Although Forestily is India-based, we respect GDPR principles for EU residents:

• Right to Access: Request information about data we hold (minimal/none).
• Right to Deletion: Request deletion of any associated data.
• Right to Object: Object to any processing activities.
• Right to Lodge Complaint: Contact your local data protection authority.

6.3 CCPA Rights (California Users)

• Right to Know: We collect minimal anonymous technical data only.
• Right to Delete: Clear your browser storage to delete local data; we auto-delete everything else.
• Do Not Sell My Personal Information: We do not sell data. No opt-out mechanism needed.

6.4 How to Exercise Your Rights

Email: satya@forestily.com

Subject Line: "Privacy Rights Request" or "GDPR Request" or "CCPA Request"

Response Time: Within 30 days

---

7. Chrome Web Store Disclosure

7.1 Extension Permissions

Permission	Purpose and Scope
storage	Store JWT access tokens locally in your browser for authentication persistence.
cookies	Read your Coursera CAUTH cookie to verify session. Cookie is processed in-memory only; never transmitted or stored on our servers.
tabs	Communicate between extension components (popup and background scripts).
*.coursera.org/*	Access Coursera pages only. No access to other domains.

7.2 Single Purpose Statement

This extension is designed solely to coordinate downloads from Coursera and generate HTML organization pages for paid users. No other functionality or data collection is performed.

7.3 Compliance Certification

• ✓ Data is used exclusively for the stated purpose.
• ✓ No user data is sold, rented, or transferred.
• ✓ No tracking, analytics, or behavioral profiling.
• ✓ No data transfer for unrelated purposes.

---

8. Legal Basis for Data Processing (GDPR)

Processing Activity	Legal Basis (GDPR)
HTML page generation (paid service)	Contract Performance (Article 6(1)(b))
Payment verification	Contract Performance + Legal Obligation (Articles 6(1)(b), (c))
Security and fraud prevention	Legitimate Interest (Article 6(1)(f))
API rate limiting and abuse prevention	Legitimate Interest (Article 6(1)(f))

---

9. International Data Transfers

Our Infrastructure Locations:

• United States: Vercel (API hosting), Upstash Redis (token caching)
• India: Razorpay (payment processing)

Data Transfer Safeguards: All data transfers are protected through encryption (TLS 1.3 for in-transit, AES-256 for at-rest), minimal data transmission, automatic deletion, and compliance with international data protection standards.

Standard Contractual Clauses (SCCs): For GDPR compliance, data transfers to the United States are protected by Standard Contractual Clauses as per GDPR Article 46.

---

10. No Tracking or Analytics

---

11. Children's Privacy

Age Restriction: Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from minors.

If We Become Aware of Minor Data Collection: Contact satya@forestily.com immediately. We will investigate and delete any such data within 24 hours.

---

12. Policy Changes and Updates

We may update this privacy policy to reflect:

• Service changes or new features
• Changes in legal or regulatory requirements
• Security improvements or best practices
• Clarifications based on user feedback

Notification of Changes: Significant changes will be communicated via extension update notifications. We will provide at least 30 days' advance notice for material changes affecting your privacy rights.

Version History

• Version 3.3.3 (October 16, 2025): Clarified anonymous operation, India-based jurisdiction, Razorpay payment processing, and compliance standards.
• Version 1.0 (June 23, 2025): Initial privacy policy.

---

13. Contact Information

Privacy and Data Protection Inquiries

Email: satya@forestily.com

Subject Line: "Privacy Policy Inquiry" or "GDPR Request" or "CCPA Request"

Response Time: Within 30 days

Payment and Refund Inquiries

Email: satya@forestily.com

Refund Policy: 100% refund guarantee if the service does not function as described.

Documentation Required: Payment confirmation screenshot from Razorpay.

Company Information

Organization: Forestily (India-based independent software provider)

Website: https://forestily.com

Jurisdiction: India (not EU-based)

---

14. Compliance and Standards

Forestily operates in accordance with international privacy standards and best practices. While we are India-based and not subject to GDPR directly, we voluntarily implement GDPR principles for all users. Our payment processing partner, Razorpay, maintains PCI-DSS Level 1 certification.