Skip to content

Ethics & Privacy

Data flow

1. Write Google Docs
2. Log locally On your device
3. Export TWFF file
4. Submit Signed in
5. Validate Server checks
6. Pseudonymize If opted in
7. View Teacher or researcher

1. You write

In Google Docs, as normal. The Colophon extension is active in the background, if you've started a recording session.

2. The extension logs locally

Edits, pastes, and AI interactions are logged on your own device. Nothing is transmitted at this stage. See Privacy architecture for exactly what's recorded.

3. You export a TWFF file

A single, self-contained file: a timestamped log of a few event categories, not a recording of keystrokes. The format is open; see the TWFF specification.

4. You submit it yourself, signed in

Submission is a manual action you take while signed in to your account. There is no automatic or background upload anywhere in the extension.

5. The server validates it before accepting anything

The file's hash chain is verified and its schema checked; a tampered or malformed submission is rejected outright rather than silently accepted. The upload is also bounded in size and entry count, so a malformed or oversized file can't be used to overload the server.

6. If your class opted in: pseudonymization

Names and identifying details are replaced with a stable, one-way pseudonym before the record enters any aggregate view. See Privacy architecture for how that pseudonym works.

7. Two different views, depending on who's looking

Your teacher sees your work the same way they always could, as part of ordinary course access; that's not gated by the research layer. A researcher, if your class opted in, only ever sees cohort-level, pseudonymized patterns: never a named student's document. These are two different things; see Consent for exactly where the line is.