Permissions & privacy

The Toado extension is granted a broad permission set because it has to inspect arbitrary pages. This page lists every permission and explains why we need it.

Permissions in the manifest

Each permission and why we need it:

  • activeTab: Capture data from the active tab when you click the extension icon.
  • alarms: Schedule periodic offline-queue retries when the API is unreachable.
  • identity: OAuth handoff for sign-in.
  • scripting: Inject the content scripts that hook console, network, and errors at document_start.
  • storage: Save preferences, the offline queue, and the per-origin default project.
  • tabs: Read the URL and title of the active tab; open the new ticket in a new tab after capture.
  • unlimitedStorage: The offline queue can hold dozens of MB worth of captures (screenshots and network bodies); the standard storage quota is too small.
  • webNavigation: Detect page navigations so we can close stale capture sessions and reset buffers.
  • host_permissions <all_urls>: Inject content scripts on every page (so capture works on any site you visit).

<all_urls> is the broadest possible host permission. We need it because we cannot know in advance which sites you will want to capture from. The data boundary below clarifies what we do with that access.

What leaves your browser

When you click capture, the following is sent over HTTPS to your Toado backend:

  • The screenshot PNG.
  • The console log entries (level, args serialized, timestamps, stack traces).
  • The network log entries (method, URL, status, headers, body where allowed by size cap, timing).
  • Uncaught errors and unhandled promise rejections.
  • Performance entries.
  • The tab’s URL and title.
  • Capture metadata (timestamp, capture id, extension version).

That payload is the entire data boundary of a capture. Nothing else leaves your browser as part of a capture.

What never leaves your browser

  • Cookies, local storage, session storage, IndexedDB.
  • Form input values (we do not capture what you type).
  • Anything from a tab other than the active one at the moment of capture.
  • DOM nodes (we capture the rendered pixels, not the HTML tree).
  • Browsing history.

What can leave outside of captures

  • Telemetry (off by default in EU regions, on elsewhere; configurable in Options). Anonymous extension version, OS, capture counts, error counts. No page content, no URLs.
  • Error reports (configurable separately). Extension-side errors with stack traces. Includes Chrome version and OS. No page content.

Storage on your machine

The extension stores locally:

  • Your auth session (refreshed via OAuth).
  • Your default project and per-origin project memory.
  • Your preferences.
  • The offline queue (pending captures, when the API is unreachable).

All of this is cleared by Reset extension in the Options page, or by uninstalling.

Treatment of sensitive pages

The extension does not classify pages. If you click capture on a page with sensitive data, the data goes into the capture. Treat capture like any other “send to a server” action.

Mitigations:

  • Turn on Review before submit in Options. The capture preview shows what will be sent, including redactions, and you can scrub or cancel.
  • Use the redaction tool to mask regions before the capture leaves your machine (when Redact image regions on capture is on).
  • Add custom redaction patterns for things you want auto-replaced server-side.
  • Do not capture pages with truly sensitive data.

Incognito and private mode

Disabled by default. To enable: chrome://extensions/ › Toado › Allow in incognito. When enabled, captures from incognito tabs work the same way as regular tabs.

Permissions we do not request

  • No reading of cookies or storage on other sites.
  • No tab discovery beyond the active tab.
  • No clipboardRead or clipboardWrite.
  • No nativeMessaging.
  • No bookmarks, history, downloads, geolocation.
  • No optional permissions (we do not request additional permissions at runtime).
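As an added check covering both the manifest table above and this list of permissions we do not request (example code, not the extension's own): a small Node script that audits an extension manifest against what this page documents. The sample manifest it runs on is constructed for illustration, not the real one.

```javascript
// Added example, not Toado's own code: compare an extension manifest with the
// permission set documented on this page, so you can confirm that an installed
// build requests only what the page lists.
// The sample manifest below is constructed for illustration.

const DOCUMENTED_PERMISSIONS = new Set([
  "activeTab", "alarms", "identity", "scripting", "storage", "tabs",
  "unlimitedStorage", "webNavigation",
]);
const DOCUMENTED_HOSTS = new Set(["<all_urls>"]);
// Named on this page under "Permissions we do not request".
const NEVER_REQUESTED = new Set([
  "clipboardRead", "clipboardWrite", "nativeMessaging",
  "bookmarks", "history", "downloads", "geolocation",
]);

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  return {
    // Requested but absent from the documented table.
    undocumented: perms.filter((p) => !DOCUMENTED_PERMISSIONS.has(p)),
    // Requested although the page says they are not.
    contradicted: perms.filter((p) => NEVER_REQUESTED.has(p)),
    // Host patterns other than the documented <all_urls>.
    undocumentedHosts: hosts.filter((h) => !DOCUMENTED_HOSTS.has(h)),
    // The page says nothing is requested at runtime, so this should be empty.
    optional: manifest.optional_permissions || [],
  };
}

// True when every list in the report is empty.
function isConsistent(report) {
  return Object.values(report).every((list) => list.length === 0);
}

// Constructed sample: deviates from the page in two places.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["activeTab", "alarms", "identity", "scripting", "storage",
                "tabs", "unlimitedStorage", "webNavigation", "clipboardRead"],
  host_permissions: ["<all_urls>"],
  optional_permissions: ["downloads"],
};

const report = auditManifest(sampleManifest);
console.log(JSON.stringify(report, null, 2));
console.log(isConsistent(report) ? "matches documentation" : "deviations found");
```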

Where the source code lives

The Toado extension is closed source as of v0.1.4. We plan to publish a public-audit-friendly read-only mirror; until then, the security audit summary in Security is the closest equivalent.