Privacy Policy

Last updated: April 2026 · Applies to SimpleReview Chrome Extension

Summary: SimpleReview collects only the minimum data needed to function: a session token stored locally on your device to avoid repeated logins, and the element context you explicitly choose to review. Your data is never sold or used for advertising. AI processing runs via Codex (OpenAI) through the platform's subscription — no browsing history or page content is collected outside of what you explicitly select.

1. Data We Collect and Why

The following table describes each category of data SimpleReview collects, its purpose, and legal basis under GDPR:

Data	Source	Purpose	Legal basis (GDPR Art. 6)	Storage
JWT session token (authentication token after Google Sign-In)	Issued by our server after you authenticate; sent from the terminal page via `postMessage`	Allows the extension to reopen your AI terminal session without requiring you to log in again each time	Performance of a contract (Art. 6(1)(b))	`chrome.storage.local` on your device only; never sent to third parties; cleared when you uninstall the extension or it expires
Element context (tag name, text, CSS path of the element you click "Fix it" on)	Collected only when you explicitly click the "Fix it" button on a specific element	Builds the review prompt sent to the AI; includes tag, visible text, and DOM path of the selected element only	Performance of a contract (Art. 6(1)(b))	Stored temporarily in `chrome.storage.session` (cleared when the browser session ends); transmitted to our AI terminal as part of the prompt
Page URL and title (of the tab where you click "Fix it")	Active tab, only when you click "Fix it"	Included in the review prompt so the AI understands the context of the element	Performance of a contract (Art. 6(1)(b))	Transmitted to our AI terminal as part of the prompt; not stored independently
Screenshot (visible viewport of the page at the moment of "Fix it")	Captured via `html-to-image` library only if the page's Content Security Policy allows it; skipped silently if blocked	Gives the AI visual context to identify layout or design issues	Performance of a contract (Art. 6(1)(b))	Uploaded once to `op.wpmix.net/upload` (public temporary storage); URL appended to the AI prompt; not linked to your account
Google account email and display name	Google Sign-In (OAuth 2.0), only when you authenticate in the side panel	Authentication and workspace identification in the AI terminal	Performance of a contract (Art. 6(1)(b))	Stored on our server linked to your workspace; retained until you delete your account
IP address (from server access logs)	Automatically when you connect to our service	Security monitoring and abuse prevention	Legitimate interest (Art. 6(1)(f))	Server access logs retained for up to 14 days, then automatically deleted

We do not collect: browsing history, content of web pages you visit (beyond the single element you explicitly select), location data, microphone or camera data, or financial information.

2. What the Extension Does NOT Do

Does not read or transmit the content of pages you visit without your explicit action
Does not inject scripts into pages until you click the extension icon
Does not have broad host_permissions — it cannot access arbitrary websites you browse
Does not track which websites you visit
Does not record keystrokes or form inputs
Does not run in the background when the side panel is closed

3. Chrome Extension Permissions

SimpleReview requests the following permissions and uses them strictly as described:

activeTab — reads the URL/title of the current tab and injects the element inspector only when you click the extension icon. Access ends when the tab changes.
scripting — injects the element hover/inspector script and the review bridge into the active tab when you click the icon. Scripts are injected only into the tab you explicitly activate the extension on.
sidePanel — opens the AI chat in Chrome's native side panel.
storage — saves your session JWT locally (chrome.storage.local) and temporarily buffers element context (chrome.storage.session).
tabs — used to open a preview URL when the AI creates a file (e.g., a fixed page), and to capture a screenshot of the visible tab when you click "Fix it".

The extension has no host_permissions declared in its manifest. It does not have blanket access to websites you visit.

4. Cookies and Local Storage

SimpleReview does not use tracking cookies or advertising cookies. The extension uses:

chrome.storage.local (sr_auth) — stores your JWT session token locally to avoid re-login on each sidebar open.
chrome.storage.session (reviewElementContext) — temporarily stores the selected element context between the "Fix it" click and the side panel opening. Cleared automatically when the browser session ends.

5. Third-Party Services

Service	Data Shared	Purpose	Location	Their Privacy Policy
OpenAI (Codex)	Your review prompt (element context + page URL). AI processing runs through the platform's Codex subscription.	AI-powered code fix generation	USA	openai.com/policies/privacy-policy
Anthropic (Claude)	Your review prompt, if you select Claude as the AI agent	Alternative AI-powered code fix generation	USA	anthropic.com/privacy
Google OAuth	Email address and display name (from Google account, on sign-in)	Authentication in the AI terminal	USA	policies.google.com/privacy
op.wpmix.net (our service)	Screenshot image (JPEG, visible viewport only), if captured	Temporary public URL for screenshot in AI prompt	Finland, EU (Hetzner)	This policy
simpledashboard.wpmix.net (our service)	Review prompt, session JWT, element context	AI terminal — executes the code fix in your isolated workspace	Finland, EU (Hetzner)	This policy

6. Data Retention

JWT session token (sr_auth): Stored in chrome.storage.local until it expires or you uninstall the extension.
Element context: Stored in chrome.storage.session — cleared when the browser session ends (typically on browser close).
Uploaded screenshots: Stored temporarily on op.wpmix.net; not linked to your identity; may be purged after 7 days.
Server access logs (IP addresses): Retained for up to 14 days, then automatically deleted.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to erasure (Art. 17): Request deletion of your account and all associated data.
Right to data portability (Art. 20): Request your data in a machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

The lead supervisory authority for OnOut OÜ (Estonia) is the Estonian Data Protection Inspectorate (aki.ee).

8. Children's Privacy

SimpleReview is not directed at children under 13. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top will reflect any changes.

10. Contact and Data Controller

Data controller: OnOut OÜ
Trading name: NoxonThemes
Country of registration: Estonia, EU
Email: [email protected]
Website: onout.org