Extension Privacy Notice
Last updated: May 23, 2026
This Extension Privacy Notice describes the data collection and processing practices of Skode Technologies Private Limited ("Skode," "we," "us," or "our"), a private limited company incorporated in India with registered office at Thirumangalath, Chelavur, Kozhikode – 673571, Kerala, India, when you install and use the Skode Flow Chrome browser extension (the "Extension"). The Extension is provided by Skode as part of the Skode Flow messaging platform and overlays your existing Flow inbox on top of web pages you visit, so you can message customers without leaving the page you are working on.
This notice applies to you as the installer and end-user of the Extension — typically an employee, agent, or contractor of a business that subscribes to Skode Flow. That business is the data controller for all customer data the Extension transmits to its Skode Flow account (for example, the phone number or email address of a customer whose record you open in your CRM). Skode acts as a data processor on that business’s behalf under the terms of our Data Processing Agreement. Your primary relationship for privacy rights regarding customer data handled through the Extension is therefore with your employer or the business whose Flow account you are signed into; see § 8 below for how rights requests are handled.
The Extension reads data from web pages only on your explicit click, never passively or in the background. It does not scrape, index, log, or transmit any page content unless you click the "Open chat in Skode Flow" button next to a phone number or email address — and even then, it sends only that single value (plus your auth token) to your own Skode Flow backend. Skode does not receive page content, browsing history, keystrokes, or any other data the Extension does not need to do its job. See our Privacy Policy, Cookie Policy, Data Processing Agreement, and Sub-Processors page for further detail.
1. Data the Extension Reads from Web Pages
When you are signed into the Extension and visit a web page on a host the Extension is permitted to run on (see § 3 for permission scope), the Extension may read the following data locally inside your browser, but only the values described below leave your browser, and only when you take an explicit action:
1.1 Detected Contact Identifiers (read locally, transmitted only on click)
- Phone numbers visible in form fields (e.g.
<input type="tel">) or in visible page text near a recognizable label. - Email addresses visible in form fields (e.g.
<input type="email">) or in visible page text. Email-field detection may be disabled in early releases of the Extension. - These values are used only to (a) render a chat button next to them on the page, and (b) look up an existing conversation in your Skode Flow account when you click that button.
1.2 No Other Page Content Is Read
- The Extension does not read full page content, paragraphs, articles, form values other than the contact identifiers above, passwords, session cookies of the host page, or any other personal data.
- The Extension does not log your browsing history, the URLs you visit, or the pages you stay on. The page URL is referenced only at runtime to decide whether the Extension is permitted to operate on that host (per Chrome’s permission model).
1.3 Data You Provide Inside the Extension
- Messages you compose: text, files, or templates you send through the Extension are transmitted to your own Skode Flow backend, never to Skode-operated servers (Skode hosts the Flow backend on your behalf as a processor; see § 5).
- Authentication credentials: when you sign in via Skode Flow’s single-sign-on flow, the resulting access token is stored in the Extension’s local storage (see § 2). Your password is never seen or stored by the Extension.
2. Local Storage Inside the Extension
The Extension uses Chrome’s chrome.storage.local API to remember small amounts of data between sessions, scoped to the Extension itself and not accessible to any website you visit. Nothing in this list is ever transmitted to Skode-operated infrastructure.
| Key | Purpose | Duration |
|---|---|---|
| skode-flow.session | The access token (and associated metadata: user id, org id) issued by your Skode Flow backend on sign-in. Used to authenticate requests to your Flow account. | Until you sign out, the token expires, or you uninstall the Extension |
| skode-flow.baseUrl | The URL of your Skode Flow backend (e.g. https://flow.skode.ai or your self-hosted Flow instance). Set during sign-in. | Until you change it or uninstall the Extension |
| skode-flow.enabled-sites | The list of additional websites you have explicitly granted the Extension permission to run on (e.g. Google My Business, LinkedIn, your custom CRM). | Until you revoke the per-site permission or uninstall |
| skode-flow.telemetry-opt-in | Whether you have opted in to anonymous usage telemetry (see § 4). Default: off. | Until you change it or uninstall |
The Extension does not persistently cache message content, conversation history, attachments, or customer contact details inside the browser beyond the in-memory lifetime of an open conversation window. Closing the Extension or signing out clears all such in-memory data.
3. Chrome Permissions Used by the Extension
Google’s extension framework requires every permission the Extension declares to be justified by a user-visible feature. The Extension uses the minimum permissions necessary for its function:
| Permission | Why the Extension needs it |
|---|---|
storage | Persist the session token, your Flow URL, and your preferences in chrome.storage.local across browser restarts. |
host_permissions for supported CRMs | Run the content-script that injects the chat button next to phone or email fields on Zoho and Salesforce pages. Required at install time so the Extension works out-of-the-box on those domains. The Extension reads only the contact identifiers described in § 1. |
optional_host_permissions for any other site | Run on additional websites (e.g. Google My Business, LinkedIn, your internal CRM) only after you explicitly grant per-domain permission through Chrome’s prompt. You can revoke per-site permission at any time from the Extension popup or from Chrome’s extension settings. |
contextMenus | Add a right-click "Open in Skode Flow" menu item that works on any phone number or email address you highlight on any page. The Extension reads only the text you have explicitly selected; nothing else. |
The Extension does not request the history, bookmarks, downloads, cookies, tabs (beyond what is needed for the sign-in tab), webNavigation, or webRequest permissions. It cannot read, modify, or block any web traffic, nor can it observe pages you have not granted it permission to run on.
4. How Data Is Used
Data handled by the Extension is used solely to:
- Authenticate you to your Skode Flow account so you can read and send messages.
- Look up an existing conversation by phone number or email address when you click a chat button or pick a contact identifier from a page.
- Send messages, files, and templates you compose to the recipient of an existing conversation, or to a new conversation you start, via your Skode Flow backend.
- Maintain a live connection to your Skode Flow backend (via WebSocket) so new messages appear in real time.
- If you have opted in to telemetry, transmit anonymous, aggregated usage events (e.g. "sign-in succeeded," "message sent," "extension loaded") to Skode to help improve reliability. No message content, contact identifiers, or page content is ever transmitted as telemetry.
Skode does not use Extension data for its own marketing, business intelligence, model training, advertising, or any purpose unrelated to providing the Extension as a processor to the business whose account you are signed into.
5. Data Sharing
- With your business / Skode Flow account: All data transmitted by the Extension is sent to the Skode Flow account configured by the business that employs or contracts you. That business is the data controller for that data; what they do with it within their Flow account is governed by their own internal policies and the Data Processing Agreement between them and Skode.
- With Skode (as processor): Skode receives data only insofar as necessary to operate the Skode Flow backend on the business’s behalf. Skode does not use Extension data for any purpose other than providing the service.
- Sub-Processors: The Extension itself uses no sub-processors. The Skode Flow backend it talks to uses the sub-processors listed on our Sub-Processors page. No additional vendors are introduced by installing the Extension.
- No advertising: Skode does not sell or share Extension data with advertisers, data brokers, ad networks, or any third party for advertising or tracking purposes. The Extension serves no ads.
6. Data Storage and Retention
- In your browser: Only the items listed in § 2 are stored, and only inside the Extension’s private storage area. Nothing the Extension stores is accessible to other websites or to other extensions you have installed.
- On the Skode Flow backend: Messages, attachments, and conversations you send through the Extension are stored by the Skode Flow backend on the same terms as messages sent through the Flow web app, the Flow mobile app, or any other Flow client. Retention is governed by the data controller’s configuration of their Flow account, by the Data Processing Agreement, and by our Data Deletion Policy.
- Encryption: All data sent by the Extension is encrypted in transit (TLS 1.2+) and at rest (AES-256) once stored on the Skode Flow backend.
- Uninstall: Uninstalling the Extension from Chrome immediately deletes all local storage listed in § 2. Server-side data (messages, conversations) is unaffected by uninstall and continues to live in the business’s Skode Flow account.
7. Opt-Out, Removal, and Control
You can control data handled by the Extension in the following ways:
- Do not install: The Extension collects no data unless you install it and sign in.
- Sign out: Signing out from the Extension popup immediately clears the session token and stops the Extension from making any further requests to your Skode Flow backend.
- Revoke per-site permission: Sites you have enabled through
optional_host_permissionscan be revoked one at a time from the Extension’s settings panel or fromchrome://extensions. Revoking the permission immediately stops the Extension from running on that site. - Disable telemetry: Telemetry is off by default and can be toggled off at any time in the Extension’s settings panel.
- Uninstall: Uninstalling the Extension from
chrome://extensionsremoves all locally stored data described in § 2. - Data-deletion request: To delete the server-side messages and conversations sent through the Extension, contact the business whose Flow account you are signed into — that business is the data controller and is responsible for fulfilling your request. The business can instruct Skode, through the Data Processing Agreement, to delete data associated with you; Skode will action those instructions in line with our Data Deletion Policy.
8. Your Privacy Rights
Depending on your location, you may have the right to access, rectify, delete, restrict, or port your personal data, or to object to its processing, under the GDPR, UK GDPR, California CCPA/CPRA, the Indian Digital Personal Data Protection Act 2023, or other applicable law. Because the business that operates the Skode Flow account is the data controller, privacy-rights requests should be directed to that business in the first instance. If you cannot identify or reach the business, or if your request relates to data processed by Skode itself as part of providing the Extension, you may contact Skode at privacy@skode.ai and we will help you identify the relevant controller and route your request.
For details on how data-subject requests are handled, see our Data Subject Request Policy. EU and UK residents may also contact our EU Representative. Indian residents may contact our Grievance Officer.
9. Children's Privacy
The Extension is intended for business use by employees, agents, and contractors of businesses that subscribe to Skode Flow. It is not directed at children under 16 years of age. We do not knowingly enable the collection of personal data from children through the Extension. If you believe a child has interacted with the Extension, please contact us at legal@skode.ai.
10. Changes to This Notice
We may update this Extension Privacy Notice from time to time. The updated notice will be posted on this page with a revised effective date. Material changes will be announced in the Extension’s release notes and, where required by law, by direct notice to affected users. We encourage you to review this notice periodically.
11. Contact Us
For questions about this Extension Privacy Notice:
- Email: legal@skode.ai
- Privacy queries: privacy@skode.ai
- Privacy Policy: View our Privacy Policy
- Data Processing Agreement: View the DPA
- Sub-Processors: View Sub-Processors