Motivity Activity Monitor is an enterprise Data Loss Prevention (DLP) and security policy enforcement browser extension. It is deployed by IT administrators to enforce organizational security policies on employee browsers, including URL filtering, clipboard control, download restrictions, PII detection, content watermarking, and security activity monitoring.
By using this extension (or having it deployed on your device by your employer), you acknowledge that your organization has elected to enforce the security and acceptable-use policies described in this document.
The following data types are collected by this extension as part of its core security enforcement and monitoring functionality. All collection is on behalf of and for the benefit of your employer organization.
| Data Type | What Is Collected | Why It Is Collected |
|---|---|---|
| Web History | Full URLs of pages visited, page titles, and timestamps of each navigation event | Core URL activity monitoring. Used to enforce URL allowlist/blocklist policies and produce audit logs for organizational compliance. |
| User Activity | DLP enforcement events including: clipboard access attempts, blocked download attempts, keyboard shortcut interceptions, form submission events (field names only — not field values), and right-click attempts on restricted pages | DLP policy enforcement and security audit trail. Helps IT administrators identify policy violations and potential data exfiltration attempts. |
| Website Content | Rendered text content of visited web pages is scanned in-browser for Personally Identifiable Information (PII) patterns such as email addresses and identification numbers | PII detection feature. The extension scans page content locally to detect potential data exposure. PII detection events (not the full page content) are logged to the backend. |
| Personally Identifiable Information | PII pattern match events (e.g., "email address pattern detected on page X") — not the PII values themselves | DLP violation reporting. The type of PII detected and the URL it was found on are logged. Raw PII values are not transmitted. |
| Location (IP Address) | The device's public IP address, collected once at device registration via api.ipify.org | Device registration and security posture assessment. Used to associate the device with the organization's enrolled device record. |
| Extension Inventory | Names, IDs, versions, and enabled/disabled status of all browser extensions installed on the device. Lifecycle events (installs, uninstalls, enable/disable changes) are also reported in real time. | Device security posture assessment. IT administrators use this to identify unapproved or potentially malicious browser extensions on managed devices. |
| Device Information | A device registration ID (UUID generated at first install), browser type and version | Associates activity logs with a specific enrolled device in the organization's security console. |
| Authentication Data | Keycloak access tokens and ID tokens (OpenID Connect). Stored locally on the device in chrome.storage.local only. | Authentication with the organization's identity provider. Tokens are used to authorize API calls to the organization's backend. They are never transmitted as collected data. |
| Download Activity | File name, file extension, source URL, and block/allow outcome for every file download attempted in the browser | Download policy enforcement and audit logging. Allows administrators to track file download activity and verify that download restrictions are being enforced. |
| Tenant Configuration | Organization-specific configuration including tenant host URL, Keycloak realm, and client ID — pushed by IT admin via MDM | Required to connect the extension to the correct organization backend and identity provider. |
| Data Type | Why It Is Not Collected |
|---|---|
| Passwords or credentials | The extension does not read, intercept, or log form field values. Form monitoring captures field names only (e.g., "a form with fields 'email' and 'subject' was submitted") — never the values entered. |
| Personal messages or emails | The extension does not read, intercept, or transmit the content of emails, chat messages, or any personal communications. |
| Financial or payment information | The extension does not collect credit card numbers, bank details, or any financial data. |
| Health information | The extension does not collect or process health or medical data. |
| Raw PII values | PII detection scans for patterns locally in the browser. The values themselves (e.g., the actual email address detected) are not transmitted — only the event type and URL are logged. |
All data collected by this extension is used exclusively for the following purposes, on behalf of your employer organization:
Data is not used for advertising, marketing, product analytics, sale to third parties, or any purpose unrelated to the organization's security and compliance objectives.
Data collected by this extension is shared only as follows:
| Action | Does This Extension Do It? |
|---|---|
| Sell user data to third parties | NO |
| Share data with advertisers | NO |
| Use data for marketing | NO |
| Transfer data for creditworthiness assessment | NO |
| Send data to employer's own infrastructure | YES — this is the core function of the extension |
Local data (tokens, cached policy, device ID) stored in chrome.storage.local is
cleared when the extension is uninstalled or when the user signs out.
Activity logs and audit data transmitted to the backend are retained according to the organization's data retention policies. Organizations may request deletion of their tenant's data upon contract termination or tenant deactivation.
This extension operates in a single instance across both normal and private (incognito) browser windows. If your organization's policy enables incognito enforcement, the extension's URL filtering, DLP policies, and activity monitoring apply equally to private browsing sessions. This is a deliberate design decision to prevent policy bypass via incognito mode.
If your organization has set disableIncognito: true in the extension policy, private
browsing windows will be blocked entirely and redirected to a policy notification page.
This extension is strictly intended for enterprise and professional use by adults in an employment context. It is not directed at, and should not be used by, individuals under the age of 18.
This Privacy Policy may be updated when the extension's data collection practices change, when required by applicable law, or when needed for security or operational reasons. The "Last Updated" date at the top of this document reflects the most recent revision. Continued use of the extension following a policy update constitutes acknowledgement of the updated policy.
For questions about this Privacy Policy or the data practices of this extension:
If you are an employee with questions about how your organization uses the data collected by this extension, please contact your IT administrator or HR department directly.