Chrome Extension Privacy

This page covers privacy practices specific to the IndexFox Chrome extension. For the broader IndexFox service (website, dashboard, API), see our main Privacy Policy.

What the extension does

The IndexFox extension lets you sign in to your IndexFox account from your browser, see whether the current tab's domain is in your account, add new websites to your account in one click, and open the IndexFox search widget on pages you own. It works alongside the main IndexFox service at indexfox.ai.

Data we handle

Personal information

• Email address — used only for passwordless sign-in (we send a 6-digit code). Sent to api.indexfox.ai over HTTPS.
• Account session token (JWT) — issued by IndexFox after sign-in. Stored in chrome.storage.local on your device. Used to authenticate API calls from the extension to api.indexfox.ai.

Tab information

• Active tab domain — when you open the extension popup, it reads the domain of the current tab (e.g. example.com) to check whether it's a website in your IndexFox account. The domain is matched locally against the websites we fetch for your account; it is not separately sent to any third party.
• No browsing history — the extension does not record, send, or store the pages you visit, search queries on those pages, or any page content.

Cloudflare Turnstile

• The extension uses Cloudflare Turnstile to protect sign-in from automated abuse. Turnstile is loaded from challenges.cloudflare.com in a sandboxed extension page. It performs an anonymous bot check and may collect telemetry as described in Cloudflare's privacy policy.

What we store, and where

All extension-side state is stored in chrome.storage.local on your own device. It is not synced across browsers or to any IndexFox server. It includes:

• Your IndexFox session JWT
• A cached copy of your IndexFox user object (id, email, plan)

Signing out from the extension clears both. The extension also clears the corresponding token on the indexfox.ai dashboard tab if you're signed in there (single sign-out).

What we don't do

• We do not sell or rent extension data.
• We do not use it for advertising.
• We do not use it to determine creditworthiness or for lending purposes.
• We do not transfer extension data to third parties beyond the strict service providers needed to operate IndexFox (e.g. Cloudflare for Turnstile, our API host).
• We do not read, store, or transmit the contents of pages you visit.

Permissions the extension requests, and why

For full transparency, here is the list of permissions in the extension's manifest and what each is used for:

• activeTab — read the URL of the tab you're currently looking at, so the popup can show whether its domain is in your IndexFox account.
• storage — store your IndexFox JWT and cached user object on your device.
• scripting — inject the IndexFox search widget into the current tab when you click "Search this site".
• tabs — open user-selected websites in new tabs from the extension popup, and read an open indexfox.ai tab's session token for single sign-on.
• Host: api.indexfox.ai — all authentication and account API calls.
• Host: widget.indexfox.ai — source of the IndexFox search widget script.
• Host: challenges.cloudflare.com — Cloudflare Turnstile bot protection on sign-in.
• Host: indexfox.ai, www.indexfox.ai — single sign-on with the IndexFox dashboard.

Your choices

• You can sign out from the extension at any time — this clears all locally stored data.
• You can uninstall the extension to remove it entirely; chrome.storage.local is wiped automatically on uninstall.
• To delete the underlying IndexFox account and its server-side data, sign in at indexfox.ai and use the account deletion flow, or email [email protected].

Changes to this page

If we change what data the extension handles, we'll update this page and bump the extension's version in the Chrome Web Store with release notes.

Contact