Docyrus Chrome Extension — Privacy Notice
Last updated: 2026-05-18
This notice describes how the Docyrus Chrome extension ("the Extension") handles information on your device. It supplements, and is incorporated into, the Docyrus Privacy Policy at https://docyrus.com/privacy-policy/. Where the two conflict for the Extension specifically, this notice controls.
1. What the Extension does
The Extension opens the Docyrus workspace (Cody, Docy, Opsy, Studio) in a Chrome side panel and lets the Docyrus AI assistant inspect and act on a tab you choose, on your behalf — for example, reading the page, filling a form, clicking an element, taking a screenshot, or summarizing console/network output. All assistant actions are initiated by you.
2. Information the Extension handles
The Extension processes the following categories of data. We list, for each, what is processed, where it goes, and how long it is kept.
2.1 Authentication information
- What: Your Docyrus account access and refresh tokens issued via OAuth 2.0 with PKCE, and your Docyrus profile (name, email, tenant) returned by Docyrus when you sign in.
- Where: Stored locally on your device using chrome.storage. Tokens are sent only to Docyrus's authorization and API servers (api.docyrus.com by default, or the self-hosted endpoint configured at install time).
- How long: Until you sign out, uninstall the Extension, or the refresh token expires.
2.2 Tab content the assistant operates on
When you ask the Docyrus assistant to act on a tab, the Extension may, for that single user-initiated request, read:
- the tab's URL and title;
- DOM structure, visible text, and form-field values needed to fulfil the request (e.g. "summarize this page", "fill this form");
- screenshots of the tab's viewport or full page;
- console messages and network request metadata from the tab;
- cookies scoped to the tab's origin, when needed to describe session state.
This data is transmitted to the Docyrus AI backend for the duration of the request so the assistant can answer you. It is not retained on Docyrus servers beyond the conversation's normal retention window (see §4 below), and it is never sold, shared with advertisers, or used to build a profile of your browsing.
Cookies retrieved via chrome.cookies are used only to describe state to you in the assistant's reply and are not stored by the Extension.
2.3 Local Docyrus desktop app bridge
If you also run the Docyrus desktop app on the same machine, the Extension connects to it over http://localhost / http://127.0.0.1 to list the local Docyrus projects you have already started in the desktop app. No data leaves your device through this bridge.
2.4 Extension preferences
UI state (sidebar/inspector collapsed, last-active tab, pinned target-tab id) is stored locally in chrome.storage. It is never transmitted off your device.
3. Permissions and why we need them
| Permission | Purpose |
|---|---|
| sidePanel | Render the Docyrus workspace in Chrome's side panel. |
| storage | Persist authentication tokens, tenant selection, and UI preferences locally. |
| tabs, activeTab | Identify the tab you want the assistant to operate on. |
| scripting | Inject the assistant's read/fill/click helpers into the tab you've targeted, on demand. |
| webNavigation | Detect when navigation in the target tab completes so the assistant can wait for the page before reading it. |
| debugger | Capture full-page screenshots, console messages, and network request data for the target tab when you ask the assistant to inspect it. The debugger is attached only to your chosen tab, only while the operation is running, and is detached immediately afterwards. |
| cookies | Read cookies for the target tab's origin when you ask the assistant about its session state. Cookies are never sent to Docyrus servers. |
| identity | Run the Docyrus OAuth 2.0 sign-in flow via chrome.identity.launchWebAuthFlow. We do not call Google identity APIs. |
| host_permissions (https://*/*, http://localhost/*, http://127.0.0.1/*) | https://*/* so the assistant can operate on whichever site you direct it to; loopback hosts so the Extension can talk to the Docyrus desktop app, when installed. |
4. How long Docyrus retains data sent from the Extension
- Authentication tokens: until you sign out or revoke them. Stored only on your device by the Extension; Docyrus's auth server keeps the matching refresh-token record per its standard retention policy.
- Assistant conversation content (including page snapshots, screenshots, console/network excerpts): retained as part of your Docyrus chat history under the same retention rules as any other Docyrus conversation; you can delete a conversation at any time from the Docyrus workspace.
- Cookies read via chrome.cookies: processed in memory for the single assistant turn; not stored.
- Local preferences and the pinned-tab id: kept until you uninstall the Extension or clear extension storage.
5. What we do not do
- We do not sell or rent your data.
- We do not transfer your data to third parties for advertising, analytics-resale, or any purpose unrelated to operating the Docyrus assistant.
- We do not use your data to determine creditworthiness or for lending purposes.
- We do not monitor tabs in the background. The Extension only reads a tab when you direct the assistant to act on it.
- We do not capture keystrokes, mouse movements, or form input outside of an action you explicitly request.
- We do not use remote code. All JavaScript and WebAssembly shipped with the Extension is bundled in the package distributed via the Chrome Web Store.
6. Third parties
The Extension communicates only with:
- the Docyrus API and authorization server (api.docyrus.com, or the self-hosted Docyrus endpoint you configure);
- a local Docyrus desktop app on localhost / 127.0.0.1, if you have installed it;
- whichever site you direct the assistant to operate on (those requests originate from your browser as part of normal navigation, not from Docyrus servers).
No analytics, advertising, or crash-reporting SDKs are bundled.
7. Your choices
- Sign out of the Extension to clear locally stored tokens.
- Uninstall the Extension to remove all locally stored data.
- Delete conversations in the Docyrus workspace to remove server-side records of assistant interactions, including any page content the assistant processed.
- Revoke the Extension's OAuth grant at any time from your Docyrus account settings.
8. Children
The Extension is not directed to children under 13 (or the equivalent minimum age in your jurisdiction) and we do not knowingly process their data.
9. Changes
We will update the "Last updated" date above when this notice changes. Material changes (new categories of data, new third-party recipients) will be announced in the Docyrus workspace before they take effect.
10. Contact
Privacy questions or requests (access, deletion, correction): privacy@docyrus.com.