CoreDesk Templates Extension — Privacy Policy
Effective date: May 3, 2026
What this extension does
CoreDesk Templates is a Chrome extension that lets Core Matters staff insert pre-written email templates directly into Gmail and quietly logs outbound emails to known clients into the CoreDesk consulting system.
Who can use it
This extension is restricted to Core Matters staff signed in with a @corematters.com Google Workspace account. It is force-installed via Workspace administration and is not offered to the public. The extension authenticates against the CoreDesk backend using the same OTP login Core Matters staff use to sign in to desk.corematters.com; sign-in is rejected for any other email domain.
What we read from Gmail
The extension only reads from the Gmail compose window. When you click the Send button (or press Cmd/Ctrl+Enter), it reads:
- Recipient email addresses in the To, Cc, and Bcc fields.
- Sender identity (your
@corematters.comemail). - Subject line.
- Email body content (HTML).
- Attachment filenames (filenames only — never file contents).
The extension does not read your inbox, sent folder, drafts you don’t send, contacts list, calendar, or any other Gmail data. It does not run outside mail.google.com.
What gets sent and where
Captured email metadata is sent to Core Matters’ own Supabase backend at https://xrrvewbvkagrsdfvitll.supabase.co. This is the same backend that powers desk.corematters.com. Data does not pass through any third-party service en route.
What gets stored
For each outbound email to a recipient that matches a known CoreDesk client contact, one row is written to the client_email_log table containing the fields listed above plus the timestamp and your CoreDesk user id. Emails to sales-deal contacts are captured separately by a server-side Gmail sync into the deal_activities table. Emails to recipients that match no client and no deal are skipped — nothing is logged for them. Emails to other @corematters.com colleagues are also skipped.
Authentication tokens (Supabase access and refresh tokens) are stored locally in chrome.storage.local so you stay signed in between Chrome sessions. They are not transmitted anywhere except back to Supabase to refresh themselves.
Who can view stored data
Stored email logs are visible only to authenticated CoreDesk users (Core Matters staff). They appear inside the Client and Deal detail screens in desk.corematters.com as part of the engagement history. There is no public access path.
Retention
Email logs are kept indefinitely as part of the long-term client engagement record — that’s the whole point of logging them. Specific entries are deleted on request; email [email protected] and reference the client or date range you want removed.
No third-party sharing
We do not sell, trade, or share captured data with any third party. The data is not used for advertising, analytics, machine-learning training, or any purpose outside Core Matters’ own consulting workflow. There are no third-party SDKs, no telemetry, no cookies set by the extension itself.
Permissions justification
The extension declares the minimum permissions required to function:
storage— needed to keep your Supabase auth tokens inchrome.storage.localso you stay signed in between Chrome sessions.alarms— schedules a background check every 50 minutes that refreshes the auth token before it expires, so logging keeps working without prompting you to sign in mid-session.host_permissions: https://mail.google.com/*— required so the content script can read the Gmail compose window and inject the Templates button.host_permissions: https://xrrvewbvkagrsdfvitll.supabase.co/*— required so the extension can talk to the CoreDesk backend (fetch templates, look up contacts, write log entries, refresh auth tokens).
No broad host permissions (<all_urls>), tab permissions, or scripting permissions are requested.
Data deletion contact
To request deletion of any data captured by this extension, email [email protected].
