Limits & quirks

This page documents the rules that are intentional but not always obvious from the UI. If you hit something surprising, it’s probably here.

Division-level analytics (engagement, violations, acknowledgement rates) only display when the Division has at least 5 assigned users. Smaller Divisions are hidden entirely; a footer note says how many teams were suppressed.

Why: violation and engagement metadata must remain non-user-linkable per our public privacy commitment. With fewer than 5 people in a group, summary statistics can effectively identify individuals.

In practice:

  • A tenant with a 3-person “Legal” Division won’t see that Division in team analytics until it grows.
  • Reorgs that drop a Division below 5 retroactively hide that Division’s metrics.
  • Tenant-wide rollups (KPIs, Top Policies table, by-Area and by-Severity charts) always display regardless of team size.

The threshold is hard-coded, not configurable. See Privacy & the 5-person floor.
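The floor as a read-time filter, in an added Python sketch that is not InPolicy's own code: the `(division, kind)` event shape, the assignment map and the function names are assumptions. Division size is taken from current assignments rather than from the events, which is why a reorg hides existing history.

```python
from collections import Counter

MIN_DIVISION_SIZE = 5  # the floor stated on this page; hard-coded, not configurable


def division_analytics(assignments, events):
    """Aggregate events per Division, applying the floor at read time.

    assignments: {user_id: division} as of now (assumed shape).
    events: iterable of (division, kind) tuples; no user id is stored.
    Returns (visible, suppressed_count, tenant_rollup).
    """
    sizes = Counter(assignments.values())
    per_division = {}
    tenant_rollup = Counter()
    for division, kind in events:
        tenant_rollup[kind] += 1  # tenant-wide totals are never suppressed
        per_division.setdefault(division, Counter())[kind] += 1

    visible = {
        d: dict(per_division.get(d, {}))
        for d, n in sizes.items()
        if n >= MIN_DIVISION_SIZE
    }
    # Count for the footer note: Divisions hidden because they are too small.
    suppressed_count = sum(1 for n in sizes.values() if n < MIN_DIVISION_SIZE)
    return visible, suppressed_count, dict(tenant_rollup)


def after_reorg(assignments, moved_users, new_division):
    """Return a copy of assignments with some users moved to another Division."""
    updated = dict(assignments)
    for user in moved_users:
        updated[user] = new_division
    return updated


# Constructed sample data: a 3-person Legal Division and a 6-person Sales Division.
ASSIGNMENTS = {f"legal-{i}": "Legal" for i in range(3)}
ASSIGNMENTS.update({f"sales-{i}": "Sales" for i in range(6)})
EVENTS = [
    ("Legal", "violation"), ("Legal", "dismissed"),
    ("Sales", "violation"), ("Sales", "violation"), ("Sales", "dismissed"),
]

if __name__ == "__main__":
    print(division_analytics(ASSIGNMENTS, EVENTS))
    # Two people leave Sales (6 -> 4): its existing metrics are now hidden too.
    reorg = after_reorg(ASSIGNMENTS, ["sales-0", "sales-1"], "Ops")
    print(division_analytics(reorg, EVENTS))
```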

Analytics events do not carry a userId. You cannot ask “who triggered violation X?” — the data model does not support that question, by design.

The Export CSV button on the Analytics dashboard produces a comprehensive CSV covering all policies in the current date range. PDF export and scheduled email reports are not shipped.

The dashboard re-fetches every minute. Violation events are written synchronously, so the round-trip from “user dismissed a violation” to “the dismiss count ticks up on the dashboard” is typically well under a minute.

Policies shorter than 10 characters of body text can’t be saved. Intentional — a 3-word policy is unlikely to be a real policy.

No body maximum, but very long policies get slow

There’s no hard maximum on body length. In practice, policies over ~50 KB of body text start to slow down violation detection (both in the authoring sidebar and in the extension/Mac app). Split very long policies into multiple related policies in the same Policy Area.

Confidence slider: 0–10 displayed, 0–1 stored

The editor shows a 0–10 slider for the confidence threshold. Internally this maps to a 0.0–1.0 value. Don’t be thrown by the API or a CSV export showing 0.8 where the UI said 8.

Severity: 1–5 in UI, 1–10 in analytics

Policy severity is set 1–5 in the editor. Analytics buckets severity 1–10 (leaving room to expand the scale). Values above 5 appear in analytics today only as residue from older policies or imports.

If you leave the title blank, InPolicy auto-extracts the first ~12 words of the body as the title. This is convenient for imports but sometimes produces awkward titles — override manually for anything you’ll keep.

Every publish triggers an async embedding job (used for violation detection). Rapid publish → edit → publish → edit cycles can leave the extension and Mac app briefly unaware of your latest changes. Typically resolves in under a minute.

Editing or re-publishing a policy does not require anyone to re-acknowledge it. Acknowledgement workflows are not shipped in the current release.

PDF, DOCX, TXT. Larger files fail to upload. Split externally.

If the PDF is a scanned image without an OCR text layer, parsing cannot extract any text. Run it through an OCR pass first.

The daily-rescan watch mode fetches the URL server-side with no cookies or credentials. Auth-gated URLs (internal wikis, Notion pages, Google Docs) cannot be watched.

Dismissed suggestions stay dismissed across rescans

Content-hashing plus dismissal state means a suggestion you dismissed won’t resurface on re-scan even if the source still contains the matching text. If you change your mind, restore it from the Dismissed section at the bottom of the Inbox.

The extension is Manifest V3 Chrome. Edge untested. Firefox and Safari are not planned.

Text is only checked 300ms after you stop typing. Fast typers won’t see flags until they pause.

You’ll stay signed in for up to 30 days of use. Explicit sign-out or account deactivation ends the session within ~15 minutes (when the next JWT refresh fails).

Chrome profiles are independent. Sign in once per profile you use.

Even on a red-severity violation, the extension does not prevent you from sending or submitting. It displays a card — acting on it is your choice.

Well-known password-manager bundle IDs and password-typed inputs are never observed. This is built-in; admins can extend the exempt list via disabledAppsManaged on the Mac app, but the defaults cover most cases.

Earlier macOS versions are not supported. The 13+ floor is because of the SMAppService login-item API.

400ms debounce (slightly longer than the extension)

The Mac app debounces text changes at 400ms, compared to 300ms in the browser. This is to accommodate slower-updating native apps.

Without it, the app can’t observe any text. The whole app is inert. On managed Macs, IT deploys a PPPC profile so the user never sees the prompt.

The Mac app is not sandboxed. System-wide text observation via Accessibility is incompatible with sandboxing — this is the same reason Grammarly, Raycast, and similar tools ship outside the Mac App Store.

The violation overlay shows the suggested fix, but clicking Apply fix currently copies the suggestion to the clipboard rather than writing it directly into the focused field. Direct write-back via Accessibility is pending.

The Mac app does not watch your clipboard ambiently. The Check clipboard now menu action is the only way it reads the clipboard.

Invitation tokens expire in 7 days, single-use

After 7 days, the link shows “invitation expired” and the admin must resend. Each token is single-use.

No scheduled or automatic sync. Re-run an import by hand when your directory changes.

Policy Leads, Policy Editors, and Users cannot see the Users page. Role management is centralized.

The UI has an Assign role to policy area button but the modal shows “coming soon” for full per-area scoping. Current release: roles are tenant-wide.

The /settings page is a placeholder. No payment processing is live. Do not treat any “subscription” or “plan” messaging as functional.

When adding a new entry:

  1. Lead with the rule in plain English (a sentence a customer success rep could read aloud).
  2. Explain why the rule exists — a legal constraint, a technical limit, a deliberate product choice.
  3. Describe what the user will actually see when they hit it, so support can recognize the symptom.