← Back to Home

Chrome Extension Privacy

Privacy practices for the IndexFox Chrome extension

Last updated: May 2026

This page covers privacy practices specific to the IndexFox Chrome extension. For the broader IndexFox service (website, dashboard, API), see our main Privacy Policy.

What the extension does

The IndexFox extension lets you see whether the current tab's domain is in your IndexFox account, add new websites to your account in one click, and open the IndexFox search widget directly on the page you're currently on. Sign-in happens on indexfox.ai in a normal browser tab — the extension simply detects that you're signed in and uses that session.

Data we handle

Personal information

  • Email address — collected only on indexfox.ai itself during sign-in (the extension does not handle sign-in directly). It is sent to api.indexfox.ai by the website, not by the extension.
  • Account session token (JWT) — after you sign in on indexfox.ai, the extension reads the resulting session token via a content script on indexfox.ai/www.indexfox.ai only, and stores it in chrome.storage.local on your device. Used to authenticate API calls from the extension to api.indexfox.ai.

Tab information

  • Active tab domain — when you open the extension popup, it reads the domain of the current tab (e.g. example.com) to check whether it's a website in your IndexFox account. The domain is matched locally against the websites we fetch for your account; it is not separately sent to any third party.
  • No browsing history — the extension does not record, send, or store the pages you visit, search queries on those pages, or any page content.

The IndexFox widget

When you click "Search this site" on a page where you own the domain, the extension injects the IndexFox search widget loader into the current tab.

  • The widget loader script (vendor/indexfox.js) is bundled inside the extension package on the Chrome Web Store — it is not downloaded from a remote server at runtime. Chrome verifies the file at install time as part of the signed package.
  • The loader then opens an iframe pointing at widget.indexfox.ai to render the search UI. The iframe is a separate browsing context owned by IndexFox; the extension does not read its contents and has no permission to do so.
  • Search queries you type into the widget are sent to widget.indexfox.ai by the iframe (not by the extension itself).

What we store, and where

All extension-side state is stored in chrome.storage.local on your own device. It is not synced across browsers or to any IndexFox server. It includes:

  • Your IndexFox session JWT
  • A cached copy of your IndexFox user object (id, email, plan)

Signing out from the extension clears both. The extension also clears the corresponding token on the indexfox.ai dashboard tab if you're signed in there (single sign-out).

What we don't do

  • We do not sell or rent extension data.
  • We do not use it for advertising.
  • We do not use it to determine creditworthiness or for lending purposes.
  • We do not transfer extension data to third parties beyond the strict service providers needed to operate IndexFox (our API host).
  • We do not read, store, or transmit the contents of pages you visit.
  • We do not load any remotely hosted JavaScript. All of the extension's code, including the IndexFox widget loader, is shipped inside the extension package.

Permissions the extension requests, and why

For full transparency, here is the list of permissions in the extension's manifest and what each is used for:

  • activeTab — read the URL of the tab you're currently looking at, so the popup can show whether its domain is in your IndexFox account.
  • storage — store your IndexFox JWT and cached user object on your device.
  • scripting — inject the locally-bundled IndexFox widget loader (vendor/indexfox.js) into the current tab when you click "Search this site".
  • tabs — open user-selected websites in new tabs from the extension popup (IndexFox sign-in page, dashboard, and entries in your "Your websites" list).
  • Host: api.indexfox.ai — all authentication-protected account API calls (list your websites, add a website, fetch your user object).
  • Host: indexfox.ai, www.indexfox.ai — detect that you are signed in to the IndexFox website (single sign-on) via a content script that reads the session token from those pages only.

Your choices

  • You can sign out from the extension at any time — this clears all locally stored data.
  • You can uninstall the extension to remove it entirely; chrome.storage.local is wiped automatically on uninstall.
  • To delete the underlying IndexFox account and its server-side data, sign in at indexfox.ai and use the account deletion flow, or email [email protected].

Changes to this page

If we change what data the extension handles, we'll update this page and bump the extension's version in the Chrome Web Store with release notes.

Contact

For questions about the extension's data practices:

Email: [email protected]