OpenErrand — Privacy Policy
Last updated: 2026-06-15
OpenErrand is a browser extension that runs actions you authorize inside your own browser. This policy describes exactly what data it handles and where that data goes. It is written to be verifiable: the protocol and all security-critical code are open source (Apache-2.0), so you can confirm every claim below against the source.
#The short version
- Your logins never leave your device. Credentials you save are encrypted on your machine and are sent only to the destination site you're logging into — never to OpenErrand, never to a connected app.
- OpenErrand holds no access to any website until you grant it, one domain at a time.
- We don't sell your data, and we don't use it for advertising. If you pair the extension with an app, that app receives task status and a minimized page view — see What leaves your device and Data you send to a connected app below.
#What the extension stores on your device
All of this lives in chrome.storage.local on your computer. It is device-bound and is
not synced to a Google account or to us.
- Credential vault — any logins you choose to save, encrypted with AES-GCM using a key derived from your passphrase (PBKDF2). We never receive your passphrase or the decrypted contents. A wrong passphrase cannot be recovered by anyone, including us.
- Connection settings — relay endpoint, paired-app bindings, trusted signing keys, recorded/stored playbooks, and an optional decider endpoint URL.
#What leaves your device, and to where
| Data | Goes to | Notes |
|---|---|---|
| Your credentials | the destination site only | Decrypted on-device at the moment of use; never to OpenErrand or a connected app. |
| The action steps (navigate/click/fill/upload/extract) | the destination site | This is the task running in your browser. |
| A minimized page view (interactive elements — labels and types, not values) | only a connected app's decider, and only when a signed recipe runs in app-driven mode | Off entirely for deterministic recipes and for fully local runs. Full screenshots/DOM are off by default and only sent if a signed recipe explicitly enables them. |
| Status + audit metadata (that an action occurred: domain + content hash, timestamps) | a connected app / relay you use | Records that a capture happened, never its content. Partitioned per tenant. |
If you run a playbook locally with no connected app and no decider endpoint, the only network traffic the extension causes is your browser reaching the destination site — exactly as if you'd done the steps by hand.
#Site access
The extension ships with no host permissions. The first time a recipe needs a particular site, Chrome prompts you to grant access to that one domain. You can review or revoke per-site access at any time from Chrome's extension controls. The set of sites the extension can ever touch is bounded by the domains you've granted, which match the signed recipe's domain fence.
#What we do not do
- We do not collect analytics or telemetry from the extension.
- We do not receive your credentials, your passphrase, or page content.
- We do not sell, rent, or share your data, and we do not use it for advertising or any purpose unrelated to running the actions you authorize.
#Data you send to a connected app
If you pair the extension with a third-party app, that app receives the status/audit metadata and (in app-driven mode) the minimized page view described above. That app's own privacy policy governs what it does with that data. You can see every connection in the side panel and unpair any of them — or hit the global kill switch — at any time.
#Self-hosting
OpenErrand can be self-hosted. If you run your own relay, data described as going to "a relay you use" goes to the server you operate, under your own policies.
#Contact
Questions about this policy: privacy@openerrand.app.