The Salesforce GPT Extension does not handle or transmit sensitive information about the browser user.
It only communicates with
Salesforce passing the flow id (extracted from the current page URL) to request flow metadata to display on the screen.
OpenAI passing the page contents or the flow definition to request an explanation or summary.
Nothing else is sent to any other server.
The source code for the extension is available at https://github.com/Fernando-Fernandez/SalesforceGPTExtension