# OpenErrand — Privacy Policy

_Last updated: 2026-06-15_

OpenErrand is a browser extension that runs actions you authorize inside your own
browser. This policy describes exactly what data it handles and where that data goes.
It is written to be verifiable: the protocol and all security-critical code are open
source (Apache-2.0), so you can confirm every claim below against the source.

## The short version

- **Your logins never leave your device.** Credentials you save are encrypted on your
  machine and are sent only to the destination site you're logging into — never to
  OpenErrand, never to a connected app.
- **OpenErrand holds no access to any website until you grant it**, one domain at a time.
- **We don't sell your data, and we don't use it for advertising.** If you pair the
  extension with an app, that app receives task status and a minimized page view — see
  *What leaves your device* and *Data you send to a connected app* below.

## What the extension stores on your device

All of this lives in `chrome.storage.local` on your computer. That storage area is
device-bound: unlike `chrome.storage.sync`, it is never synced to a Google account, and
nothing in it is sent to us.

- **Credential vault** — any logins you choose to save, encrypted on-device with AES-GCM
  under a key derived from your passphrase with PBKDF2. We never receive your passphrase
  or the decrypted contents, and there is no reset: a forgotten passphrase cannot be
  recovered by anyone, including us.
- **Connection settings** — relay endpoint, paired-app bindings, trusted signing keys,
  recorded/stored playbooks, and an optional decider endpoint URL.

## What leaves your device, and to where

| Data | Goes to | Notes |
|---|---|---|
| Your **credentials** | the destination site only | Decrypted on-device at the moment of use; never to OpenErrand or a connected app. |
| The **action steps** (navigate/click/fill/upload/extract) | the destination site | This is the task running in your browser. |
| A **minimized page view** (interactive elements — labels and types, **not** values) | only a connected app's decider, and only when a signed recipe runs in app-driven mode | Off entirely for deterministic recipes and for fully local runs. Full screenshots/DOM are off by default and only sent if a signed recipe explicitly enables them. |
| **Status + audit metadata** (that an action occurred: domain + content hash, timestamps) | a connected app / relay you use | Records *that* a capture happened, never its content. Partitioned per tenant. |

If you run a playbook **locally** with no connected app and no decider endpoint, the only
network traffic the extension causes is your browser reaching the destination site —
exactly as if you'd done the steps by hand.

## Site access

The extension ships with **no host permissions**. The first time a recipe needs a
particular site, Chrome prompts you to grant access to that one domain. You can review or
revoke per-site access at any time from Chrome's extension controls. The set of sites the
extension can ever touch is bounded by the domains you have granted, and the domains a
recipe asks for are exactly those listed in its signed domain fence.

## What we do *not* do

- We do not collect analytics or telemetry from the extension.
- We do not receive your credentials, your passphrase, or page content.
- We do not sell, rent, or share your data, and we do not use it for advertising or any
  purpose unrelated to running the actions you authorize.

## Data you send to a connected app

If you pair the extension with a third-party app, that app receives the status/audit
metadata and (in app-driven mode) the minimized page view described above. That app's own
privacy policy governs what it does with that data. You can see every connection in the
side panel and unpair any of them — or hit the global kill switch — at any time.

## Self-hosting

OpenErrand can be self-hosted. If you run your own relay, data described as going to "a
relay you use" goes to the server you operate, under your own policies.

## Contact

Questions about this policy: privacy@openerrand.app.
