What VeriChain records, and what it doesn't.
VeriChain documents how a piece of writing was produced. It is not a surveillance tool, not an AI-detection tool, and it does not produce verdicts. This page describes — in plain language — exactly what is recorded, where it lives, and what you can do with it.
What we capture
While an assignment session is open, VeriChain records the following — and nothing else.
- Document snapshots: A full copy of the essay at every commit. Auto-commits happen roughly every five minutes during active writing; manual commits happen when you press save. Snapshots are stored as plain text plus structural metadata (headings, paragraph breaks).
- Paste events: When text is pasted into the editor, we record (a) the time, (b) the size in characters, and (c) the domain of the source tab — for example "rba.gov.au". The pasted text itself is recorded because it is now part of the document; the source page is not.
- Tab focus: The domains of tabs you focus during the session, plus the time you spent on each. Domains only — never URLs, page titles, or contents.
- Declared AI use: Anything you typed into the "Declare AI use" field, exactly as you wrote it, and any per-paste annotations you added.
- Session metadata: Start time, end time, total active writing time, session ID, and a per-commit cryptographic hash chained to the previous commit.
What we don't capture
The following are explicitly outside what VeriChain records — by design, not by promise. The product cannot capture them because the browser does not give it the means.
- Keystrokes: We see commits — the document at points in time — not characters as you type them.
- Tab contents: Only the domain of a focused tab is recorded. The page itself is never read.
- Anything outside this session: When the assignment window is closed, no recording happens. Reopening creates a new session.
- Other browser windows: We see what happens inside the writing tab's session. Anything in another window, profile, or application is invisible to us.
- Audio, video, screenshots: None of these are captured. The product has no camera or microphone access.
When capture is active
Capture begins when you click Start writing on an assignment, and ends when you close the assignment tab or submit. If your network drops, recording pauses; queued commits send when you reconnect.
Where data lives, and for how long
VeriChain stores records on infrastructure operated under the University of Sydney's data-sovereignty agreement. Data is encrypted at rest with AES-256 and in transit with TLS 1.3.
Your rights
If you are a student covered by VeriChain at an Australian institution, the Privacy Act 1988 (Cth) and the Australian Privacy Principles give you specific rights. We have engineered the product to make these rights cheap to exercise.
- Access: View your complete process record at any time, from the same interface your lecturer uses.
- Export: Download a portable archive of your record — JSON commits plus rendered HTML — at any time. Pre- or post-submission.
- Correction: Add or amend annotations to your own pastes and commits. The original record remains; your correction is layered alongside it.
- Deletion: Request deletion of your process record after the grade has been finalised. Submission documents are retained per institutional policy; the process record is not.
- Complaint: Lodge a complaint with the OAIC or with your institution's privacy office. We will cooperate fully with any investigation.
How tamper-evidence works (in plain language)
Every commit carries a small cryptographic fingerprint — a hash. That fingerprint depends on the document at that moment and on the previous commit's fingerprint. So a chain forms, in which any change to any earlier commit would change every fingerprint that comes after it.
This means that nobody — not us, not a lecturer, not the student, not an attacker — can quietly alter a commit in the middle of the record without making the change obvious. A third party can verify the chain independently using the published verifier.
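The chaining described above can be checked in a few lines. This is an added example, not VeriChain's published verifier or its record format: SHA-256, the field names (`prev`, `snapshot`, `committed_at`, `hash`), the all-zero genesis value and the sample session are assumptions made for illustration. It also covers the case where an edited record is re-hashed forward, which is caught by comparing against a head fingerprint held separately from the record.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous fingerprint" of the first commit


def commit_hash(prev_hash, snapshot, committed_at):
    """Fingerprint over this commit's content and the previous fingerprint."""
    # Canonical JSON: identical fields always serialise to identical bytes.
    payload = json.dumps(
        {"prev": prev_hash, "snapshot": snapshot, "committed_at": committed_at},
        sort_keys=True, separators=(",", ":"), ensure_ascii=False,
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(commits):
    """Chain (snapshot, timestamp) pairs into records, oldest first."""
    records, prev = [], GENESIS
    for snapshot, committed_at in commits:
        digest = commit_hash(prev, snapshot, committed_at)
        records.append({"prev": prev, "snapshot": snapshot,
                        "committed_at": committed_at, "hash": digest})
        prev = digest
    return records


def verify_chain(records, expected_head=None):
    """Return (True, None) if intact, else (False, index of first failure)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        recomputed = commit_hash(rec["prev"], rec["snapshot"], rec["committed_at"])
        if rec["prev"] != prev or recomputed != rec["hash"]:
            return False, i
        prev = rec["hash"]
    # A record re-hashed forward from an edit is internally consistent; only a
    # head fingerprint held outside the record exposes that (or a truncation).
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


# Constructed sample session, not real VeriChain data.
SAMPLE = build_chain([
    ("Intro draft.", "2024-05-01T10:00:00Z"),
    ("Intro draft. Second paragraph.", "2024-05-01T10:05:00Z"),
    ("Intro draft. Second paragraph. Conclusion.", "2024-05-01T10:10:00Z"),
])
```

Editing the middle snapshot in place makes `verify_chain` fail at index 1; a copy rebuilt from the edited text passes on its own and fails once `expected_head` is the original final hash.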
Browser extension (Source Attribution)
VeriChain ships an optional Chrome extension called VeriChain Source Attribution. It is what turns a paste from “External paste” into “Pasted from chat.openai.com”. This section is the full account of what the extension does on your machine.
- What it sees: The text you copy in your browser (only at the moment of the copy event), the domain of the page you copied from, and the text you paste into the VeriChain editor — used only to match the paste to a recent copy.
- What it stores: A small ring buffer of the last 25 copies with a 10-minute TTL, in chrome.storage.session. That is browser memory tied to the active session — cleared on browser close, and never written to disk.
- What it never does: Makes no HTTP requests. No DOM scraping, no telemetry, no page-content collection. It does not run in incognito unless you enable that yourself. Desktop apps, phones, and PDFs are out of scope — those pastes arrive as ‘unknown’.
- Why ‘read on all websites’: Required so the extension can observe the copy event on whatever site you copy from. The permission is not used to read page content — only the active selection at the moment of copy, and only the origin domain.
- Disabling or uninstalling: Always allowed. VeriChain still works without it — pastes record as ‘External paste (unknown)’. Absence of attribution is itself information the lecturer can see.
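The copy buffer and paste matching described in this section behave like the model below. It is an added Python sketch of the logic, not the extension's own code: the class and method names, exact-text matching, and timestamps in seconds that never decrease are assumptions; the 25-entry cap, the 10-minute TTL and the two labels come from the text above.

```python
from collections import deque

MAX_ENTRIES = 25        # "last 25 copies"
TTL_SECONDS = 10 * 60   # "10-minute TTL"
UNKNOWN = "External paste (unknown)"


class CopyBuffer:
    """In-memory ring buffer of recent copy events (hypothetical model)."""

    def __init__(self):
        # deque(maxlen=...) drops the oldest entry once the cap is reached.
        self._entries = deque(maxlen=MAX_ENTRIES)

    def record_copy(self, text, domain, now):
        """Remember one copy event: when, what text, and the origin domain."""
        self._entries.append((now, text, domain))

    def _evict_expired(self, now):
        # Entries are in time order, so expired ones are always at the left.
        while self._entries and now - self._entries[0][0] > TTL_SECONDS:
            self._entries.popleft()

    def attribute_paste(self, pasted, now):
        """Label a paste with the domain of the newest live matching copy."""
        self._evict_expired(now)
        for _, text, domain in reversed(self._entries):
            if text == pasted:  # assumed matching rule: exact text equality
                return f"Pasted from {domain}"
        # Nothing matched: copied elsewhere, expired, or pushed out of the buffer.
        return UNKNOWN

    def __len__(self):
        return len(self._entries)
```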
Contact for privacy questions
This document supersedes all earlier versions. A redlined changelog of changes from the previous release is available on request.