Chrome Extension Privacy Policy
Last Updated: April 14, 2026
This Privacy Policy applies specifically to the Gennai Chrome Extension ("the Extension"), published on the Chrome Web Store by NUVIO LAB - FZCO, the company behind Gennai (https://www.gennai.io). It explains what information the Extension accesses, how it processes that information, and the limits we place on ourselves. It supplements, and does not replace, the main Gennai Privacy Policy, which covers your use of the Gennai web application.
1. Single Purpose
The Extension has a single purpose: to capture invoice PDF documents from supported online billing portals and upload them to your authenticated Gennai account so they can be organized in your Gennai dashboard. The Extension does not perform any unrelated function.
2. Supported Billing Portals
The Extension only activates on the following billing portals, which are declared in the Extension's manifest:
- Stripe (invoice.stripe.com and other Stripe subdomains that serve invoice PDFs)
- OpenAI billing (platform.openai.com)
- Google Ads and Google Payments (ads.google.com, payments.google.com)
- Meta Ads (business.facebook.com)
- Amazon order history (amazon.com, amazon.es, amazon.co.uk, amazon.de, amazon.fr, amazon.it)
- LinkedIn Ads (linkedin.com)
- Cloudflare (dash.cloudflare.com)
- Google Cloud billing (console.cloud.google.com)
- Vercel (vercel.com)
- Gennai itself (gennai.io), solely to receive your sign-in token after you authenticate
On any other website, the Extension is inactive and has no access to the page.
3. Information the Extension Accesses
The Extension accesses only the following categories of information:
- Authentication token and basic profile: After you sign in to Gennai in your browser, the Gennai website sends an authentication token, plus your name and email address, to the Extension using Chrome's externally_connectable messaging API. This message is only accepted from the exact origins https://www.gennai.io and https://gennai.io.
- Invoice PDF files: When you click the "Import to Gennai" button we inject on a supported portal, or when you download an invoice PDF from a supported portal while auto-capture is enabled, the Extension downloads or reads that PDF file.
- Invoice metadata visible on the page: To help you identify and deduplicate invoices, the Extension reads fields that are already visible on the billing page (for example, order number, date, total amount, supplier name). It does not read anything outside the current billing portal page.
- Download event metadata: When auto-capture is enabled, the Extension listens to browser download events (URL, filename, MIME type). It only reacts to downloads that match known invoice URL patterns for the supported portals listed above. All other downloads are ignored.
- Your explicit preferences: Whether auto-capture is enabled, your selected Amazon region, and (optionally) your Meta Business ID that you provide in the Extension popup.
4. Information the Extension Does NOT Access
The Extension is deliberately scoped. It does not:
- Read, store, or transmit the content of any website outside the supported billing portals listed above
- Read your emails, messages, passwords, or form inputs on any site
- Track your browsing history
- Record keystrokes or mouse movement
- Read or write cookies for purposes other than your own authenticated request to the billing portal you are on
- Inject third-party scripts, advertising, or analytics into any page
- Load or execute any code from a remote server — all Extension code is packaged in the version you install
5. How the Extension Uses the Information
Information accessed by the Extension is used exclusively to:
- Authenticate requests to your Gennai account using the bearer token
- Upload captured invoice PDFs, together with minimal context (the source portal, the page URL the PDF came from, and a timestamp) to your Gennai account
- Display your name, email, and remaining invoice credits in the Extension popup
- Prevent duplicate uploads by remembering which invoices have already been imported on your device
- Show status indicators and notifications in the page when a capture is in progress, succeeds, or fails
The Extension does not use any captured information for advertising, profiling, resale, analytics about you, or training AI or machine learning models.
6. Where the Data Is Sent
The Extension communicates only with the Gennai backend over HTTPS. Specifically:
- POST https://www.gennai.io/api/extension/upload — sends the captured PDF (base64-encoded), the source portal identifier, the page URL the PDF was captured from, and a timestamp.
- GET https://www.gennai.io/api/extension/status — verifies your token and retrieves your plan and remaining credits so the popup can display them.
The Extension does not send data to any other server. Downloads of invoice PDFs from the supported billing portals themselves happen directly between your browser and that portal, using the credentials you have already established with it.
Once a PDF reaches the Gennai backend, it is stored and processed under the terms of the main Gennai Privacy Policy, which covers the AI-based data extraction, storage in our cloud infrastructure, optional synchronization to Google Drive, and export to accounting integrations you have explicitly connected to your Gennai account.
7. Local Storage on Your Device
The Extension uses chrome.storage.local, which is scoped to the Extension and isolated from all websites, to store:
- Your Gennai authentication token
- Your name and email address (to display in the popup)
- A list of invoice identifiers that have already been imported, to prevent duplicates
- Whether auto-capture is enabled (a boolean)
- A local history of up to 50 recent captures (filename, supplier name, timestamp, invoice ID) so the popup can display recent activity
- Deduplication keys derived from recently captured URLs, with a 60-second window
- Your selected Amazon region preference and, optionally, the Meta Business ID you choose to save
This data never leaves your device except through the two Gennai API endpoints described in section 6, and only when you trigger a capture or open the popup.
8. Chrome Permissions and Why We Request Them
- storage: to store the authentication token, your preferences, and the import/capture history described in section 7.
- activeTab: to attach our "Import to Gennai" button to the specific billing page you are currently viewing.
- downloads: to detect, when you have enabled auto-capture, that you have initiated a download of an invoice PDF from a supported portal, so the Extension can automatically import it.
- scripting: required in Manifest V3 to read invoice PDFs that the billing portal serves as an in-memory blob: URL. Some portals, such as Meta Ads, use this pattern, which cannot be re-fetched from the Extension's service worker. The Extension uses chrome.scripting.executeScript only on the active tab of a supported portal, solely to read that specific blob.
- Host permissions for each supported portal listed in section 2 are required so the Extension can inject its content script on those pages and so its service worker can re-download signed invoice URLs served by those portals. Access to gennai.io is required so the Extension can receive your sign-in token.
9. Security Measures
- All network communication with Gennai and with billing portals happens over HTTPS.
- The Extension maintains an internal allowlist of billing-portal URL patterns, and refuses to download a file with your session cookies from any URL outside that allowlist, even if instructed to do so by an injected script. This is a defense against cross-origin exfiltration.
- The Extension validates that a captured file is a PDF (by checking the magic header bytes) and enforces a 15 MB maximum size before uploading.
- External sign-in messages are accepted only from the exact origins https://www.gennai.io and https://gennai.io, with no subdomain or suffix matching.
- The Extension contains no remote code, no obfuscated code, and no dynamic code evaluation (eval, new Function). Its Content Security Policy restricts scripts to those bundled with the Extension.
- Authentication tokens that leave the Extension are transmitted only to the Gennai backend, as a standard Authorization: Bearer header. On the server side, OAuth tokens for third-party integrations are encrypted at rest using AES-256-GCM.
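The three input checks described in this section (exact-origin sender matching, the download URL allowlist, and the PDF magic-byte check with the 15 MB cap) are shown here as an added JavaScript example. It is not the Extension's own code; the function names, return values and the two allowlist entries are assumptions made for illustration.

```javascript
// Added example, not Gennai's code. Names and allowlist entries are assumed.
const TRUSTED_ORIGINS = new Set(["https://www.gennai.io", "https://gennai.io"]);
const MAX_PDF_BYTES = 15 * 1024 * 1024; // 15 MB cap stated in the policy
// Constructed allowlist: exact hostname plus path prefix, no wildcards.
const DOWNLOAD_ALLOWLIST = [
  { host: "invoice.stripe.com", pathPrefix: "/" },
  { host: "dash.cloudflare.com", pathPrefix: "/" },
];

// Exact-origin comparison: parse first, then compare the whole origin
// (scheme + host + port). Never use startsWith/endsWith/includes on the URL.
function isTrustedSender(senderUrl) {
  try {
    return TRUSTED_ORIGINS.has(new URL(senderUrl).origin);
  } catch {
    return false; // unparsable input is rejected, not guessed at
  }
}

// A credentialed fetch is only allowed for https URLs on an allowlisted
// host, on the default port, with no userinfo component.
function isAllowedDownload(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false;
  }
  if (u.protocol !== "https:" || u.port !== "") return false;
  if (u.username !== "" || u.password !== "") return false;
  return DOWNLOAD_ALLOWLIST.some(
    (e) => u.hostname === e.host && u.pathname.startsWith(e.pathPrefix)
  );
}

// Size is checked before content so an oversized body is rejected cheaply.
// The header check is strict: "%PDF-" must sit at offset 0.
function validatePdf(bytes) {
  if (!(bytes instanceof Uint8Array)) return "not-bytes";
  if (bytes.length > MAX_PDF_BYTES) return "too-large";
  const magic = [0x25, 0x50, 0x44, 0x46, 0x2d]; // "%PDF-"
  return magic.every((b, i) => bytes[i] === b) ? "ok" : "not-pdf";
}
```

In an extension service worker, isTrustedSender would be called with the sender.url (or sender.origin) value passed to a chrome.runtime.onMessageExternal listener before the message body is read.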
10. Data Sharing and Sale
We do not sell, rent, or share data collected by the Extension with third parties for their own purposes. The only transfer of data that takes place is the upload of your captured invoices to your own Gennai account, which you control.
We do not use data collected by the Extension for advertising, user profiling, credit evaluation, or any purpose unrelated to the single purpose declared in section 1. We do not use it to train generalized AI or machine-learning models.
11. Retention and Deletion
- On your device: Data stored locally by the Extension is cleared when you sign out from the Extension popup, when you uninstall the Extension, or when you clear extension data in your Chrome settings.
- On the Gennai backend: Invoices you upload through the Extension are retained according to the retention rules in the main Gennai Privacy Policy. You can delete individual invoices from your Gennai dashboard at any time, or request full account deletion by contacting privacy@gennai.io.
12. Your Controls
- You can enable or disable auto-capture at any time from the Extension popup.
- You can sign out from the Extension popup, which clears the authentication token and user profile from local storage.
- You can uninstall the Extension from chrome://extensions, which removes it entirely along with its local storage.
- You can revoke access to your Gennai account at any time from your Gennai dashboard; revoking access invalidates the token the Extension holds.
13. Children's Privacy
The Extension is intended for business use and is not directed at individuals under the age of 13. We do not knowingly collect personal information from children.
14. Changes to This Policy
If we change how the Extension handles data, we will update this page, update the "Last Updated" date above, and, when the change is material, communicate it through the Extension popup or via email to registered Gennai users.
15. Contact
For any question or request related to the Extension's handling of your data, please contact us at:
Email: privacy@gennai.io
Website: https://www.gennai.io
Publisher: NUVIO LAB - FZCO
By installing and using the Gennai Chrome Extension, you acknowledge that you have read and understood this Privacy Policy.