Privacy Policies

UI-Ray Inspector

CSS inspection and UI analysis tool for developers and designers

Last updated: May 25, 2026 · Policy v1.1 · Extension v1.0.2+ · Chrome Web Store ID: hichmhhecmljgpbeenjnaamofeehlkgj

1. Privacy Commitment

UI-Ray Inspector ("the Extension") is developed and maintained by VitrinaDev. This Privacy Policy describes exactly what information the Extension accesses, stores, and transmits, in full compliance with the Chrome Web Store Developer Program Policies (User Data section), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Core commitment: UI-Ray Inspector is designed as a local-first tool. Virtually all functionality operates entirely within your browser. The only external communication is a single, user-initiated license validation request when you choose to activate a paid license — and even then, only a non-identifiable hash is transmitted alongside the license key you entered.

2. Data Collection and Use

2.1 Data the Extension Does NOT Collect

UI-Ray Inspector does not collect, transmit to external servers, store remotely, or share any of the following:

Personal identifiers (name, email address, phone number, physical address)
Browsing history, URLs visited, or page content of websites you view
Health, financial, or other sensitive personal information
Authentication credentials, passwords, or form field contents
Device identifiers, IP addresses, or geolocation data
Behavioral analytics, click streams, or keystroke data
Crash reports or diagnostic telemetry sent to external servers
Cookies or cross-site tracking identifiers

2.2 Data Processed Locally (Never Transmitted)

The following is stored exclusively on your device in chrome.storage.local. It is sandboxed by the browser and inaccessible to any website or other extension.

Data item	Purpose	Transmitted?
`isPremium`	Tracks whether a valid license has been activated	No
`licenseKey`	Stores the license key string after successful validation	Only during the one-time user-initiated validation request
`usageToday`	Daily inspection counter for the free-plan limit (3/day). Resets at midnight.	No
`settings`	User preferences: output format (Tailwind/CSS/React), UI theme, grid overlay, keyboard shortcut	No
`history`	Last 50 copy actions: timestamp, format used, minimal CSS selector (tag + up to 2 classes), first 80 characters of generated output	No

2.3 Data Processed in RAM Only (Discarded on Session End)

Computed CSS properties of the element you hover over (dimensions, colors, typography, borders, layout)
Element bounding rectangle (screen position)
Distance measurements between elements (Alt-key measurement mode)
Colors extracted from the visible area of the active page (up to 500 elements scanned, max 64 results)

None of the above is written to disk or transmitted to any server at any time.

2.4 The Only External Communication — License Validation

The Extension makes exactly one outbound network request, and only when you manually type a license key and click the Activate button. This request is sent to a Cloudflare Worker operated by VitrinaDev:

Field sent	Description	Is it personal data?
`license_key`	The alphanumeric license key you typed in the activation field	No — it is a randomly generated token issued by Lemon Squeezy at purchase time, not linked to your identity within the Extension
`instance_name`	A short, non-reversible hash (e.g., `chrome-ext-3f7a2k1`) derived from the first 40 characters of your browser's User-Agent string, browser language, and screen dimensions	No — the hash is one-directional and cannot be used to reconstruct your User-Agent, language, or resolution. Its sole purpose is to count the number of active browser instances per license key.

This request is transmitted over HTTPS (TLS). The Cloudflare Worker processes the request, returns a valid/invalid response, and does not persist the payload to any database.

3. Browser Permission Justification

The following permissions are declared in the Extension's manifest.json. Each is used exclusively for the stated purpose.

`storage`

What it enables: Reads and writes to chrome.storage.local.
Why it is required: Persists your output format preference (Tailwind, CSS, React), UI theme, keyboard shortcut, grid overlay setting, license activation status, and daily usage counter for the free plan. Without this permission, all settings reset every time the browser closes.

`activeTab`

What it enables: Grants temporary access to the content of the currently focused tab at the moment the user interacts with the Extension.
Why it is required: When you activate the inspector (via the popup button or Alt+Shift+I), the Extension injects an overlay UI into the current page to highlight elements as you hover. Access is strictly limited to the active tab at the time of activation — the Extension cannot access other tabs or background tabs.

`scripting`

What it enables: Programmatically injects JavaScript into a browser tab.
Why it is required: Chrome's Manifest V3 architecture requires this permission to dynamically inject the inspector content script (inspector.js) into the active page when the user toggles the inspector on. The injected script renders the visual highlight overlay, CSS properties panel, and distance measurement lines. The script runs only while the inspector is active and is removed when the user deactivates it or navigates away.

Host Permission: `https://uiray-license-validator.stev70117.workers.dev/`

What it enables: Allows the Extension to make network requests to this specific URL only.
Why it is required: This is the license validation endpoint. The permission is intentionally scoped to a single, explicit URL — the Extension cannot contact any other external server. This narrow host permission is declared so that users, security researchers, and Google reviewers can verify no other domain is reachable by the Extension's network code.

4. Local Storage and Third Parties

Local Storage

All persistent data is stored in chrome.storage.local, sandboxed by the browser to this Extension only. No website, other extension, or external party can access it. Data remains on your device until you uninstall the Extension or manually clear its storage via chrome://extensions → UI-Ray Inspector → Details → Clear site data.

Third-Party Services

Cloudflare Workers (license validation infrastructure): The license validation endpoint is hosted on Cloudflare's infrastructure. Cloudflare acts as a data sub-processor for this single request. As with any HTTPS request, Cloudflare's servers receive your IP address as part of standard network operation — this is an inherent part of internet communication, not sent explicitly by the Extension. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

Lemon Squeezy (licensing and payments): Lemon Squeezy processes billing information (name, email, payment details) when you purchase a license on our website. The Extension itself never has access to your name, email address, or payment information — it only uses the license key you choose to enter. Lemon Squeezy's privacy policy: lemonsqueezy.com/privacy.

Data sales and sharing: VitrinaDev does not sell, rent, license, or share your personal data with any third party for marketing, advertising, analytics, or profiling purposes.

5. Chrome Web Store Policy Compliance

Compliance Statement

UI-Ray Inspector is developed in strict compliance with the Chrome Web Store Developer Program Policies (User Data Privacy requirements):

Single purpose: The Extension has one clearly defined purpose — inspecting and exporting the CSS styles of UI elements on web pages.
Minimum permissions: Only permissions strictly necessary to deliver the inspector functionality are declared. No permissions are requested speculatively or for future use.
No data collection beyond stated purpose: The Extension does not collect, use, or transmit personal data for any purpose other than delivering the features described in this policy.
No deceptive behavior: The Extension does not engage in any behavior not disclosed in this policy or in the Chrome Web Store listing.
Limited use: Any data accessed by the Extension (browser tab content, user selections) is used exclusively to provide the in-page inspection feature and is not retained, transferred, or used for secondary purposes.
Prominent disclosure: This Privacy Policy is publicly accessible without authentication and directly reachable from the URL provided in the Chrome Web Store developer dashboard.

6. Your Rights

EU/EEA (GDPR): You may inspect all locally stored data at any time via chrome://extensions. To delete all data, uninstall the Extension or clear its storage. VitrinaDev holds no server-side records of your data. For complaints, contact the supervisory authority in your country of residence: edpb.europa.eu.

California (CCPA): VitrinaDev does not sell personal information. The Extension does not engage in targeted advertising or cross-context behavioral tracking.

7. Changes to This Policy

When material changes are made, we will update the "Last updated" date above and notify users via Chrome Web Store update notes. Continued use of the Extension after a change is published constitutes acceptance of the revised policy.

8. Contact

Email: coresolutions@catano.xyz
Issues: gitlab.com/Rysut/privacy-policies/-/issues

We will respond within 30 business days.

MailMind

AI writing assistant integrated in Gmail — Bring Your Own Key

Last updated: May 25, 2026 · Policy v1.1 · Extension v1.0.0+

1. Privacy Commitment

MailMind ("the Extension") is developed and maintained by VitrinaDev. This policy is provided in compliance with the Chrome Web Store Developer Program Policies (User Data Privacy), the EU GDPR, and the CCPA.

Core commitment: MailMind is a Bring Your Own Key (BYOK) product. You supply your own Anthropic API key. All AI requests travel directly from your browser to Anthropic's servers under your account — VitrinaDev never receives, stores, or processes your email content. The only data that leaves your device is (a) your email draft text, sent to Anthropic's API when you click an action, and (b) your license key, sent to Lemon Squeezy when you activate a Pro plan.

2. Data Collection and Use

2.1 What MailMind Does NOT Collect

MailMind does not collect, transmit to VitrinaDev servers, or share:

Your email content, subject lines, recipient addresses, or sender information (beyond what you explicitly send to the Anthropic API)
Your inbox, sent mail, drafts, or any emails you have not actively selected for AI processing
Personal identifiers: name, physical address, phone number
Health, financial, or other sensitive personal information
Browsing history or URLs outside of mail.google.com
Behavioral analytics, keystroke data, or click streams
Device identifiers, IP addresses, or geolocation data
Crash reports or diagnostic telemetry

2.2 Data Transmitted to Third Parties (User-Initiated)

Data	Recipient	When	Purpose
Email draft text (compose window body)	Anthropic PBC (`api.anthropic.com`)	Only when you click an action button (Improve, Shorten, Formal, Casual)	AI text generation — returned immediately to your browser
Email draft + visible quoted thread	Anthropic PBC (`api.anthropic.com`)	Only when you click the Reply action	AI reply generation using thread context
Your Anthropic API key	Anthropic PBC (`api.anthropic.com`)	With every AI action request	Authentication header — processed under your Anthropic account
Pro license key	Lemon Squeezy (`api.lemonsqueezy.com`)	Only when you manually enter and activate a license key	License validation — returns valid/invalid status

2.3 Data Stored Locally Only (`chrome.storage.local`)

Data	Purpose	Transmitted?
Anthropic API key (base64-encoded)	Authenticating AI requests	Only as the `x-api-key` header to `api.anthropic.com`
Plan status and license key	Enabling/restricting Pro features	License key only, during manual validation to Lemon Squeezy
Daily usage counter	Enforcing the 10-action free-plan limit	No
Settings (language, insert mode)	User preferences	No
Activity history (Pro only, last 50 entries)	Local history — first 80 chars of input and output	No

API key security note: Your Anthropic API key is stored using base64 encoding (btoa), which is obfuscation — not encryption. Protect your OS account with a strong password and treat the API key as a credential. The key is only read by the Extension's service worker and is never accessible to the content script running inside Gmail.

2.4 Free Plan Limits and Pro-Only Actions

The free plan is limited to 10 AI actions per day, and only the Improve and Shorten actions are available. The Formal, Casual, and Reply actions require a Pro license. These limits are enforced entirely locally using the daily counter stored in chrome.storage.local.

3. Browser Permission Justification

`storage`

What it enables: Read/write access to chrome.storage.local.
Why it is required: Saves your Anthropic API key (base64-encoded), plan status, daily usage counter, language and insert mode preferences, and — for Pro users — a local activity history of the last 50 actions. Without this permission, all settings and license status would be lost each time the browser is closed.

Content Script on `https://mail.google.com/*`

What it enables: Injects a JavaScript file into Gmail pages.
Why it is required: The content script detects Gmail compose windows using a MutationObserver and injects the MailMind toolbar via Shadow DOM isolation. When you click an action button, the script reads the text inside the active compose window's body element (contenteditable div) and forwards it to the Extension's service worker. For the Reply action, the script also reads the visible quoted thread (div.gmail_quote / blockquote[type="cite"]). The content script runs exclusively on mail.google.com and on no other website. It does not read received emails, the inbox, or any part of Gmail outside the active compose window.

Host Permission: `https://api.anthropic.com/*`

What it enables: Network requests to Anthropic's API.
Why it is required: Every AI action (Improve, Shorten, Formal, Casual, Reply) sends a request to api.anthropic.com/v1/messages containing your email draft text and your API key. The request is made directly from your browser. The model used is claude-sonnet-4-20250514, with a maximum response of 600 tokens. This is the core feature of the product — without this permission, no AI text processing is possible.

Host Permission: `https://api.lemonsqueezy.com/*`

What it enables: Network requests to Lemon Squeezy's license API.
Why it is required: When you enter a Pro license key and click Activate, the Extension sends a validation request to api.lemonsqueezy.com/v1/licenses/validate containing only the license key string. The response is a simple valid/invalid status. Without this permission, Pro license activation is not possible. A local cache of the result is stored for 24 hours to avoid repeated validation calls.

4. Local Storage and Third Parties

Local Storage

All persistent data is stored in chrome.storage.local, sandboxed to this Extension. No website or other extension can access it. Data persists until you uninstall the Extension or clear its storage via chrome://extensions → MailMind → Details → Clear site data.

Third-Party Services

Anthropic PBC: AI text processing is performed by Anthropic's Claude API under your own API account. By default, Anthropic's API terms state that prompts submitted via the API are not used to train their models. VitrinaDev has no access to the content of these API calls. Privacy policy: anthropic.com/legal/privacy.

Lemon Squeezy: Handles license validation (from the Extension) and purchase processing (from our website). The Extension never transmits payment data. Privacy policy: lemonsqueezy.com/privacy.

Data sales and sharing: VitrinaDev does not sell, rent, or share your personal data with any third party for advertising, analytics, or profiling purposes.

5. Chrome Web Store Policy Compliance

Compliance Statement

Single purpose: MailMind's sole purpose is to assist users in writing better emails inside Gmail using AI text processing.
Minimum permissions: Only permissions strictly necessary to inject the toolbar into Gmail, access the AI API, and validate licenses are declared. No speculative or future-use permissions are requested.
Limited use of user data: Email draft text accessed by the Extension is used exclusively to generate the AI response you requested. It is not retained by VitrinaDev, not used for model training, and not shared with any party other than Anthropic (under your own API account).
No deceptive behavior: All Extension behavior is disclosed in this policy and in the Chrome Web Store listing.
Transparent disclosure: This Privacy Policy is publicly accessible without authentication and directly reachable at this URL — not behind a landing page or navigation flow.
User consent: Email content is transmitted only when you explicitly click an action button. No text is captured or transmitted automatically.

6. Your Rights

EU/EEA (GDPR): Processing of email draft text is based on your explicit consent, exercised each time you click an action. Inspect local data at chrome://extensions → MailMind → Details → Local data. Uninstalling clears all local data. VitrinaDev holds no server-side records of your email content. Supervisory authority directory: edpb.europa.eu.

California (CCPA): VitrinaDev does not sell personal information. No targeted advertising or behavioral tracking is performed.

7. Changes to This Policy

We will update the "Last updated" date above when changes are made. For material changes, we will notify users via Chrome Web Store update notes. Continued use after publication constitutes acceptance.

8. Contact

Email: coresolutions@catano.xyz
Issues: gitlab.com/Rysut/privacy-policies/-/issues

We will respond within 30 business days.

MedLink AI

Clinical copilot with PubMed search, drug interaction checks, and AI summaries

Last updated: May 25, 2026 · Policy v1.0 · Extension v1.0.0+

1. Privacy Commitment

MedLink AI ("the Extension") is developed and maintained by VitrinaDev. This Privacy Policy describes exactly what information the Extension accesses, stores, and transmits, in compliance with the Chrome Web Store Developer Program Policies (User Data Privacy), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the HIPAA Safe Harbor de-identification standard (45 CFR §164.514(b)).

Core commitment: MedLink AI is designed with a Privacy-by-Design architecture. API keys are stored only in session memory and are cleared when the browser closes. All medical text is de-identified locally — removing 18 HIPAA-defined PHI categories — before any call to an external AI service. Drug interaction checks are performed entirely offline using a bundled database, with no network request ever made for this feature. The only data transmitted externally is (a) de-identified medical text sent to OpenAI when you explicitly trigger a summary, (b) search queries sent to NCBI PubMed when you explicitly search, and (c) your license key sent to Lemon Squeezy when you activate a Pro plan.

2. Data Collection and Use

2.1 What MedLink AI Does NOT Collect

MedLink AI does not collect, transmit to VitrinaDev servers, or share:

Patient names, dates of birth, ages ≥90, or any of the 18 HIPAA Safe Harbor PHI categories (prior to de-identification; see §2.4)
Your OpenAI API key (stored only in session memory — never persisted to disk)
Raw search queries (stored only as non-reversible SHA-256 hashes for deduplication)
Personal identifiers: your name, home address, phone number
Browsing history beyond the specific page content you explicitly select for processing
Behavioral analytics, click streams, or keystroke data
Device identifiers, IP addresses, or geolocation data
Crash reports or diagnostic telemetry sent to external servers

2.2 Local Storage (`chrome.storage.local` — Never Contains API Keys)

Data item	Purpose	Transmitted?
License key and plan status	Enabling/restricting Pro features	License key only, during manual activation to Lemon Squeezy
Search query hashes (SHA-256, 7-day TTL)	Deduplication to avoid repeating identical PubMed searches	No — hashes are one-directional and cannot reconstruct original queries
User settings (language, UI preferences)	Persisting your configuration	No
Schema version	Used for storage migrations. Schema v2 removes any legacy API keys from local storage.	No

2.3 Session Storage (`chrome.storage.session` — Cleared on Browser Close)

Data item	Purpose	Transmitted?
OpenAI API key	Authenticating AI summarization requests under your own OpenAI account	Only as the `Authorization: Bearer` header to `api.openai.com` when you trigger a summary

API key security: Your OpenAI API key is stored exclusively in chrome.storage.session, which is automatically cleared when the browser closes. It is never written to chrome.storage.local (persistent disk storage). This is a deliberate privacy-protective design decision.

2.4 PHI De-identification — What Happens Before Any AI Call

MedLink AI implements a local de-identification layer that runs entirely on your device before any text is transmitted to OpenAI. The de-identifier removes all 18 categories listed under HIPAA Safe Harbor (45 CFR §164.514(b)(2)), including:

Patient and provider names (labeled entities + heuristic detection)
Geographic data: street addresses, postal/ZIP codes smaller than a 3-digit prefix
Dates (numeric and long-form, in both Spanish and English) and ages ≥90 years
Phone numbers, fax numbers, email addresses
Social Security Numbers (SSN/US), DNI/NIE (Spain), CURP (Mexico)
Medical record numbers (MRN/NHC), health plan beneficiary numbers
Account numbers, certificate and license numbers
Vehicle identification numbers and license plates
Device serial numbers
Web URLs and IP addresses

Only the de-identified text is forwarded to OpenAI. The original text containing potential PHI never leaves your device. De-identification is implemented with bilingual patterns (Spanish and English) to reflect the clinical environments in which the Extension is designed to operate.

2.5 Data Transmitted to External Services (User-Initiated)

Data	Recipient	When	Purpose
De-identified medical text (max 6,000 characters)	OpenAI (`api.openai.com`)	Only when you explicitly trigger a summary	AI summarization using model `gpt-4o-mini`, max 700 tokens response
Search query (max 500 characters)	NCBI E-utilities (`eutils.ncbi.nlm.nih.gov`)	Only when you explicitly submit a PubMed search	Retrieval of biomedical literature. Requests include `tool=MedLinkAI` and a contact email per NCBI usage policy requirements.
Pro license key	Lemon Squeezy (`api.lemonsqueezy.com`)	Only when you manually enter and activate a license key	License validation — returns valid/invalid status

2.6 Drug Interaction Checks — Fully Offline

Drug interaction checks are performed 100% offline using a bundled database file (data/drugInteractions.json). No network request is ever made for this feature. The integrity of the database file is verified on load using a SHA-256 hash comparison against a known constant before the data is used.

2.7 Content Script Behavior — What Stays on the Page

The content script runs on all websites (https://*/* and http://*/*) to detect text selections. It is designed with a Zero Trust architecture:

On mouseup, the content script sends only {hasSelection: true, length: N} to the background service worker — never the selected text itself.
The selected text is only transmitted to the background when the service worker explicitly requests it via a GET_PAGE_CONTEXT message — and only after you have initiated an action.
Text payloads are hard-capped at 2,000 characters before de-identification and transmission.
Every inter-component message is validated before processing (Zero Trust messaging pattern). Background pending actions store only {type, tabId, timestamp} — never the text payload — to prevent PHI from appearing in extension memory.

3. Browser Permission Justification

`storage`

What it enables: Read/write access to both chrome.storage.local (persistent) and chrome.storage.session (cleared on browser close).
Why it is required: Persists license status, hashed search queries (deduplication), and user settings. API keys are stored only in chrome.storage.session for security. Without this permission, all settings and session state would be lost.

`sidePanel`

What it enables: Displays the Extension's UI in Chrome's native side panel.
Why it is required: MedLink AI's interface — including the summary view, PubMed search, and drug checker — is presented in the side panel so it does not obstruct the clinical content you are reading. This is the primary UI surface of the product.

`contextMenus`

What it enables: Adds items to the browser's right-click context menu.
Why it is required: When you select text on a web page and right-click, a "Summarize with MedLink AI" option appears. This is a primary trigger for the summarization feature and provides a faster workflow than switching to the side panel.

`activeTab`

What it enables: Temporary access to the content of the currently focused tab when the user interacts with the Extension.
Why it is required: Used to retrieve the selected text from the active page when you trigger a summarization action, ensuring the Extension reads only what you have explicitly selected at the moment of action.

Content Script on All Sites (`https:///`, `http:///`)

What it enables: Injects a lightweight JavaScript listener into web pages.
Why it is required: Medical professionals use a wide variety of clinical portals, EHR systems, journal websites, and databases. The Extension must be able to detect text selections on any site so that users can trigger summaries from any clinical source. The content script is minimal and privacy-preserving by design (see §2.7): it never reads or transmits the actual text autonomously.

Host Permission: `https://eutils.ncbi.nlm.nih.gov/*`

What it enables: Network requests to NCBI's PubMed E-utilities API.
Why it is required: The PubMed search feature sends queries to NCBI's public biomedical literature API. Without this permission, literature search is not possible.

Host Permission: `https://api.openai.com/*`

What it enables: Network requests to OpenAI's API.
Why it is required: AI summarization is powered by OpenAI's gpt-4o-mini model via the user's own API key (BYOK model). The request is made directly from your browser. Without this permission, AI summarization is not possible.

4. Local Storage and Third Parties

Local Storage

All persistent data is stored in chrome.storage.local, sandboxed to this Extension only. Session data (API keys) is stored in chrome.storage.session and is automatically deleted when the browser closes. No website or other extension can access either storage area. Data in chrome.storage.local persists until you uninstall the Extension or clear its storage via chrome://extensions → MedLink AI → Details → Clear site data.

Third-Party Services

OpenAI (AI summarization): Summarization is performed by OpenAI's gpt-4o-mini model under your own OpenAI API account. VitrinaDev has no access to the content of these API calls. Only de-identified text is transmitted. OpenAI's privacy policy: openai.com/policies/privacy-policy.

NCBI E-utilities (PubMed search): PubMed search queries are sent to the National Center for Biotechnology Information's public API. NCBI is operated by the U.S. National Library of Medicine (NLM), a division of the National Institutes of Health. NCBI privacy policy: nlm.nih.gov/web_policies.

Lemon Squeezy (licensing and payments): Processes billing information when you purchase a license on our website. The Extension itself never has access to your payment information. Lemon Squeezy's privacy policy: lemonsqueezy.com/privacy.

Data sales and sharing: VitrinaDev does not sell, rent, or share your personal data — including any medical information — with any third party for advertising, analytics, or profiling purposes.

5. HIPAA Considerations

De-identification and Safe Harbor

MedLink AI is not a HIPAA-covered entity or business associate. However, the Extension is designed for use in clinical environments where users may encounter Protected Health Information (PHI). VitrinaDev has implemented a local de-identification layer consistent with the HIPAA Safe Harbor method (45 CFR §164.514(b)) to reduce the risk of PHI transmission:

All 18 Safe Harbor PHI identifiers are targeted by the de-identification algorithm before any text is sent to OpenAI.
De-identification runs locally on your device — the original text never leaves your browser.
Users are responsible for verifying that de-identified output meets the requirements of their own organization's HIPAA compliance policies before use in clinical workflows.
Drug interaction checks — which may involve patient medication lists — are performed entirely offline and no data is ever transmitted for this feature.

6. Chrome Web Store Policy Compliance

Compliance Statement

Single purpose: MedLink AI is a clinical decision-support tool for healthcare professionals, providing AI-assisted summarization, PubMed literature search, and offline drug interaction checking.
Minimum permissions: Only permissions strictly necessary for the stated features are declared. The broad content script host permission (https://*/*) is required because clinical content is accessed across a wide variety of medical websites and EHR systems.
Limited use of user data: Selected text is used exclusively to generate the AI summary you requested. It is de-identified before transmission and not retained by VitrinaDev.
No deceptive behavior: All Extension behavior is disclosed in this policy and in the Chrome Web Store listing.
Prominent disclosure: This Privacy Policy is publicly accessible without authentication and directly reachable at this URL.
User consent: Text is transmitted to external services only when you explicitly trigger an action (summary or PubMed search). No text is captured or transmitted automatically.

7. Your Rights

EU/EEA (GDPR): Processing of medical text is based on your explicit consent, exercised each time you trigger a summary. Inspect local data at chrome://extensions → MedLink AI → Details → Local data. Uninstalling clears all local data. Session storage (API keys) is cleared when the browser closes. VitrinaDev holds no server-side records of your data. Supervisory authority directory: edpb.europa.eu.

California (CCPA): VitrinaDev does not sell personal information. No targeted advertising or behavioral tracking is performed.

8. Changes to This Policy

9. Contact

Email: coresolutions@catano.xyz
Issues: gitlab.com/Rysut/privacy-policies/-/issues

We will respond within 30 business days.

BillableGuard – Legal Focus Suite

Billable time tracker and professional focus enforcement for legal teams

Last updated: May 26, 2026 · Policy v1.0 · Extension v1.0.0+

1. Privacy Commitment

BillableGuard ("the Extension") is developed and maintained by VitrinaDev. This Privacy Policy describes exactly what information the Extension accesses, stores, and transmits, in full compliance with the Chrome Web Store Developer Program Policies (User Data Privacy), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Core commitment: BillableGuard is a 100% local extension. All your time entries, matters, and billing data are stored exclusively on your device. The only external network request the Extension ever makes is a license validation call to LemonSqueezy when you activate or periodically renew a Premium license — and only your license key and a static instance identifier are transmitted. No personal data, no browsing history, and no time records ever leave your device.

2. Data Collection and Use

2.1 Data the Extension Does NOT Collect

BillableGuard does not collect, transmit to external servers, store remotely, or share any of the following:

Personal identifiers (name, email address, phone number, physical address)
Time entries, matter names, client names, or any billing records
Browsing history or full page content of websites you visit
Health, financial, or other sensitive personal information
Authentication credentials, passwords, or form field contents
Device identifiers, IP addresses, or geolocation data
Behavioral analytics, click streams, or keystroke data
Crash reports or diagnostic telemetry
Cookies or cross-site tracking identifiers
DOM content from any page — no content scripts are ever injected

2.2 Data Stored Locally on Your Device

All application data is stored exclusively in chrome.storage.local, sandboxed by the browser and inaccessible to any website or other extension. Optionally, billing settings can be mirrored across devices via chrome.storage.sync (see §2.3).

Storage key	Contents	Purpose	Transmitted?
`session`	Active timer state: start timestamp, matter ID, UTBMS code, status	Continue an in-progress session across popup and side panel opens	No
`timeEntries`	Completed time entries: duration, billed amount, matter reference, SHA-256 integrity hash	Billable time log and reporting	No
`matters`	Matter registry: client name, matter name, matter number	Categorize time by legal matter	No
`settings`	Billing preferences: hourly rate, currency, increment, rounding rule, alert toggle, sync toggle	Personalize billing calculations	No (unless `chrome.storage.sync` is enabled — see §2.3)
`subscription`	License state: plan tier, license key hash, instance ID, activation and validation timestamps	Determine free vs. Premium feature access	License key and instance ID only, during validation (see §2.4)

2.3 Optional Settings Sync (`chrome.storage.sync`)

If you enable the "Sync settings across devices" toggle in the Config tab, your billing preferences (settings key) are written to chrome.storage.sync, which Google synchronizes across devices where you are signed into Chrome. This sync is performed by Google's infrastructure and is subject to Google's Privacy Policy, not this policy. Time entries, matters, session state, and license state are never written to chrome.storage.sync. You can disable sync at any time from the Config tab.

2.4 The Only External Network Request — License Validation

BillableGuard makes exactly one type of external network request: license validation with LemonSqueezy. This occurs when you activate a Premium license key, and once daily to confirm an active license remains valid.

Endpoint: https://api.lemonsqueezy.com/v1/licenses/*

What is sent:
— license_key: The license key you entered at activation.
— instance_name: A static, non-personal identifier (BillableGuard_Chrome).

What is NOT sent: No browser data, no usage data, no time entries, no matter names, no IP address (beyond the standard TCP connection inherent to any HTTPS request), no personal information.

Purpose: To confirm your license is valid and active.

No other outbound network requests are ever made. The Extension does not contact any analytics service, telemetry endpoint, or third-party API of any kind.

2.5 Tab URL Access — Focus Classification

BillableGuard reads the URL of your active browser tab to determine whether the current website is a billable legal platform (e.g., Westlaw, PACER, LexisNexis) or a non-billable distraction. This classification happens entirely within the Extension's background service worker:

Tab URLs are processed in memory only and are never stored beyond the current alarm tick (1-minute interval).
Tab URLs are never transmitted to any server.
No DOM content is accessed. No content scripts are injected into any page.
The tabs permission is used exclusively to call chrome.tabs.query() to read the active tab's URL string for classification purposes.

3. SHA-256 Integrity

Each time entry is stamped with a SHA-256 integrity hash computed locally in your browser using the Web Crypto API (SubtleCrypto.digest()). This hash allows you to verify that individual entries have not been altered after creation, providing audit-readiness for billing records. No cryptographic keys leave the device, and no hash computation involves any external server.

4. Browser Permission Justification

The following permissions are declared in the Extension's manifest.json. Each is used exclusively for the purpose stated.

`storage`

What it enables: Read/write access to chrome.storage.local and optionally chrome.storage.sync.
Why it is required: All application state — sessions, time entries, matters, billing settings, and license status — is persisted on-device. Without this permission, all data would be lost every time the browser is closed.

`sidePanel`

What it enables: Displays the Extension's persistent side panel via the Chrome Side Panel API.
Why it is required: The side panel (Log, Matters, Reports tabs) provides a persistent view of live sessions and completed entries without requiring the popup to stay open. Available in Chrome 116+.

`tabs` and `activeTab`

What it enables: Read the URL of the currently active browser tab.
Why it is required: Used exclusively by chrome.tabs.query() to classify the active tab's domain as billable (legal platform) or non-billable (distraction), triggering focus alerts when relevant. No DOM access occurs. No URLs are stored or transmitted.

`alarms`

What it enables: Schedule recurring background events.
Why it is required: Drives a 1-minute tick for live focus classification and daily license validation. The service worker is stateless (Manifest V3) and cannot run continuously — alarms are the correct MV3 mechanism for periodic background tasks.

`notifications`

What it enables: Display system-level browser notifications.
Why it is required: Surfaces non-billable domain drift alerts ("You've been on YouTube for 8 minutes") and session-saved confirmations. Notifications are generated locally from data already on your device and contain no external data.

`contextMenus`

What it enables: Adds items to the browser right-click context menu.
Why it is required: Provides a quick-access Start/Stop timer and Open Panel shortcuts accessible from anywhere without opening the popup.

Host Permission: `<all_urls>`

What it enables: Classify any tab URL against the billable platform list.
Why it is required: Legal professionals use a wide variety of platforms (court portals, research databases, document management systems). The Extension must be able to classify any URL as billable or non-billable without knowing in advance which domains you will use. This permission grants no DOM access — the Extension does not inject content scripts and never reads page content. It is used solely to call chrome.tabs.query() on the active tab's URL string.

5. Data Sharing

VitrinaDev does not sell, rent, or share your data with any third parties. The only external service the Extension communicates with is LemonSqueezy, solely for license validation as described in §2.4.

LemonSqueezy processes billing information (name, email, payment details) when you purchase a license on our store page. The Extension itself never has access to your name, email address, or payment information — it only uses the license key you choose to enter. LemonSqueezy's privacy policy: lemonsqueezy.com/privacy.

Data sales and sharing: VitrinaDev does not sell, rent, license, or share your personal data — including your time records, matter names, or billing information — with any third party for marketing, advertising, analytics, or profiling purposes.

6. Data Retention and Deletion

All data is stored exclusively on your device and is under your full control:

You can delete individual time entries or matters from within the Extension at any time.
Removing the Extension from Chrome immediately and permanently deletes all locally stored data (chrome.storage.local).
If chrome.storage.sync is enabled, clearing synced settings requires signing out of Chrome or managing sync data at chrome://settings/syncSetup.
VitrinaDev holds no server-side copies of your data and cannot recover it on your behalf.

7. Chrome Web Store Policy Compliance

Compliance Statement

BillableGuard is developed in strict compliance with the Chrome Web Store Developer Program Policies (User Data Privacy requirements):

Single purpose: The Extension has one clearly defined purpose — tracking billable time, managing legal matters, and enforcing professional focus habits for legal professionals.
Minimum permissions: Only permissions strictly necessary to deliver the stated functionality are declared. The broad <all_urls> host permission is required exclusively for URL classification and grants no DOM access.
No data collection beyond stated purpose: Tab URLs accessed for focus classification are never stored or transmitted. All other data (entries, matters, settings) remains on-device.
No deceptive behavior: The Extension does not engage in any behavior not disclosed in this policy or the Chrome Web Store listing.
Limited use: Tab URL data is used exclusively for real-time focus classification during the current alarm tick and is discarded immediately after. It is not retained, profiled, or used for secondary purposes.
Prominent disclosure: This Privacy Policy is publicly accessible without authentication and directly reachable from the URL provided in the Chrome Web Store developer dashboard.
No remote code execution: The Extension follows Manifest V3 security best practices — no eval(), no inline scripts, strict Content Security Policy, no remote code loaded at runtime.

8. Your Rights

EU/EEA (GDPR): You may inspect all locally stored data at any time via chrome://extensions → BillableGuard → Details → Local data. To delete all data, uninstall the Extension or clear its storage from that same page. VitrinaDev holds no server-side records of your data. For supervisory authority contacts: edpb.europa.eu.

California (CCPA): VitrinaDev does not sell personal information. The Extension does not engage in targeted advertising or cross-context behavioral tracking.

9. Children's Privacy

BillableGuard is a professional tool intended for adults in the legal industry. It is not directed at children under 13, and VitrinaDev does not knowingly collect any information from children.

10. Changes to This Policy

11. Contact

Email: bliys010@gmail.com

We will respond within 30 business days.

AccessiWeb — A11yBridge

Accessibility suite for the web — TTS, OCR, dyslexia profiles, colorblind filters & more

Last updated: May 29, 2026 · Policy v1.0 · Extension v1.1.0+

1. Privacy Commitment

AccessiWeb ("the Extension") is developed and maintained by VitrinaDev. This Privacy Policy describes exactly what information the Extension accesses, stores, and transmits, in full compliance with the Chrome Web Store Developer Program Policies (User Data Privacy), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Core commitment: AccessiWeb is a local-first accessibility tool. All your preferences, usage statistics, and trial counters are stored exclusively on your device and never transmitted to VitrinaDev servers. The only external network request is a license validation call to LemonSqueezy — and only when you choose to activate a paid plan. OCR runs locally via WebAssembly. Text-to-speech runs via the browser's native TTS engine. No page content, browsing history, or personal data ever leaves your browser.

2. Data Collection and Use

2.1 Data the Extension Does NOT Collect

AccessiWeb does not collect, transmit to VitrinaDev servers, store remotely, or share any of the following:

Personal identifiers (name, email address, phone number, physical address)
The content of web pages you visit, read, or have read aloud
Browsing history, visited URLs, or tab titles
Form field content, passwords, or authentication credentials
Health, financial, or other sensitive personal information
Images processed through OCR (processed in local browser memory only)
Audio captured via the Web Speech API (processed locally by Chrome)
Device identifiers, IP addresses, or geolocation data
Behavioral analytics, click streams, or keystroke data
Crash reports or diagnostic telemetry
Cookies or cross-site tracking identifiers

2.2 Data Stored Locally on Your Device (`chrome.storage.local`)

The following is stored exclusively on your device. It is sandboxed by the browser and inaccessible to any website or other extension.

Storage key	Contents	Purpose	Transmitted?
`aw_license`	License key, anonymous instance ID, plan tier, activation timestamp, validation timestamp, expiry	Determine free vs. Premium feature access	License key + instance ID only, during activation/validation (see §2.4)
`aw_instance_id`	A short anonymous identifier (`aw-{8 random chars}`) generated locally at install time	Identify the browser instance to LemonSqueezy without linking to a person	Only to LemonSqueezy during license validation (see §2.4)
`aw_trial`	Monthly trial counter: `{ month: "YYYY-M", ocr: N, captions: N }`	Enforce the 10-use/month free trial limit for OCR and Captions. Resets automatically each calendar month.	No
`aw_stats`	Local usage counters: TTS uses, OCR uses, caption sessions, sites visited, usage streak, unlocked achievements	Power the gamification dashboard and achievement system (entirely local)	No

2.3 Data Synced Across Devices (`chrome.storage.sync`)

Your accessibility preferences are optionally synced across your Chrome devices via chrome.storage.sync. This sync is performed by Google's infrastructure and is encrypted end-to-end by Google — VitrinaDev never has access to this data in any form.

Preference data synced	Examples
Accessibility profile	`dyslexia`, `colorblind-deuter`, `high-contrast`, `motor`, `none`
Feature toggles	Reader Mode, Focus Mode, Semantic Highlight, Auto-describe images, Keyboard Nav
TTS parameters	Speech rate, pitch, volume, language
Typography settings	Font size, line height
Custom profiles (Premium)	Named configurations with all above settings; created and named by you

Sync can be disabled at any time from chrome://settings/syncSetup. When sync is disabled, all preferences are stored only in chrome.storage.local. Google's privacy policy governs how Chrome Sync data is handled: policies.google.com/privacy.

2.4 External Network Request — License Validation

AccessiWeb makes exactly one type of external network request: license validation with LemonSqueezy. This occurs when you activate a Premium license, and once every 7 days to silently confirm the license remains valid.

Endpoint: https://api.lemonsqueezy.com/v1/licenses/*

What is sent:
— license_key: The license key you entered at activation.
— instance_name: The anonymous local identifier aw-{8 random chars} generated at install time. It is not linked to your identity, email, or any personal information.

What is NOT sent: No page content, no browsing history, no usage statistics, no personal identifiers, no IP address beyond the standard TCP handshake.

Caching: The validation result is cached in chrome.storage.local for 7 days. The Extension continues to function offline during this period.

Purpose: To confirm your license is valid and determine which Premium features to unlock.

This request is only made for users who have activated a Premium plan. Free plan users make no external network requests of any kind.

3. How Specific Features Handle Data

Text-to-Speech (TTS)

TTS is powered by chrome.tts, the browser's built-in speech synthesis engine. When you trigger TTS (via Alt+Shift+R or by clicking a paragraph), the text string of the selected element is passed to chrome.tts.speak(). This text is never transmitted to any VitrinaDev server. Speech synthesis is handled entirely by the browser and the local or system-provided voices. No page content is stored after the TTS session ends.

OCR — Optical Character Recognition

OCR is powered by Tesseract.js, a WebAssembly (WASM) library bundled directly into the Extension. When you trigger OCR on an image, the image data is processed entirely within your browser's JavaScript engine — no image data is ever sent to any server. The extracted text is displayed inline and discarded when you navigate away. The OCR use count is incremented in aw_trial (free plan) or aw_stats (Premium) locally.

Real-Time Captions (Web Speech API)

Real-time captions use the Web Speech API (SpeechRecognition), which is a browser-native API. In Chrome, the audio recognition engine is provided by Google. Depending on your Chrome configuration, audio may be processed on Google's servers — this is governed by Google's privacy policy, not by VitrinaDev. AccessiWeb does not intercept, store, or transmit the audio or transcription. To avoid any cloud audio processing, you may disable captions or use a browser configured for offline speech recognition.

Colorblind Filters & Accessibility Profiles

Colorblind filters (deuteranopia, protanopia, tritanopia) are implemented as SVG filter elements injected into the page's DOM. All processing is purely visual and local — no color data, pixel data, or page content is captured or transmitted.

Reader Mode

Reader Mode hides non-content elements (ads, sidebars, modals) using CSS class injection and highlights paragraphs as you scroll using the browser's IntersectionObserver API. No page content is read or transmitted by the Extension.

Image Auto-Description

The Extension scans images for existing accessibility attributes (aria-label, figcaption, filename) and surfaces them as visible tooltips. It does not use any AI service or external API to generate descriptions — no image data leaves the browser.

Gamification & Achievements

Usage counters (TTS uses, OCR uses, caption sessions, sites visited, streaks) and unlocked achievements are stored exclusively in chrome.storage.local. They are never transmitted to VitrinaDev or any third-party analytics service. The achievement system functions entirely offline.

4. Browser Permission Justification

`storage`

What it enables: Read/write access to chrome.storage.local and chrome.storage.sync.
Why it is required: Persists your accessibility profile, TTS settings, feature toggles, trial counters, usage statistics, and license state. Without this permission, all preferences reset every time the browser closes.

`tts`

What it enables: Access to the browser's built-in text-to-speech engine.
Why it is required: Powers the core Read Aloud feature. Without this permission, the Extension cannot convert page text to speech. The tts permission grants access only to the speech synthesis API — it does not grant access to any microphone or audio input.

`activeTab`

What it enables: Temporary access to the content of the currently active tab when the user interacts with the Extension.
Why it is required: Used to inject accessibility styles (dyslexia fonts, high-contrast mode, colorblind filters) into the active page when you enable a profile from the popup or floating panel. Access is strictly limited to the moment of user interaction.

`scripting`

What it enables: Programmatically inject JavaScript and CSS into browser tabs.
Why it is required: Required by Manifest V3 to dynamically apply accessibility feature scripts (keyboard navigation enhancements, focus mode overlay, semantic highlighting) to the active page. Scripts are injected only when you explicitly activate a feature.

Content Scripts on All Sites (`<all_urls>` host permission)

What it enables: Injects lightweight listener scripts at page load on any website.
Why it is required: Accessibility needs to work on every website — court portals, news sites, government pages, corporate intranets. The Extension cannot know in advance which sites you need accessibility support on. The content scripts apply your saved profile preferences (font, contrast, spacing) automatically when a page loads. They do not read, log, or transmit page content.

Content script behavior: Content scripts respond to your saved preferences (e.g., apply dyslexia profile) and listen for your explicit actions (e.g., Alt+Shift+R to read aloud). They do not scrape, index, or record page content. Text passed to the TTS engine is used only for speech synthesis and is not stored or transmitted.

5. Data Sharing

VitrinaDev does not sell, rent, or share your data with any third parties for advertising, analytics, or profiling purposes. The only external services the Extension communicates with are:

LemonSqueezy — license validation only (Premium users, see §2.4). Privacy policy: lemonsqueezy.com/privacy.
Google (Chrome Sync) — encrypted preference sync across your Chrome devices (see §2.3). Privacy policy: policies.google.com/privacy.
Google (Web Speech API) — only when you activate the Real-Time Captions feature; audio may be processed by Google depending on Chrome's configuration (see §3). Privacy policy: policies.google.com/privacy.

6. Data Retention and Deletion

All data is stored on your device and is under your full control:

Usage statistics and achievement data can be reset from the Extension's options page.
Removing the Extension from Chrome immediately and permanently deletes all chrome.storage.local data.
To clear synced preferences, disable Chrome Sync for the Extension at chrome://settings/syncSetup.
VitrinaDev holds no server-side copy of your data and cannot recover it on your behalf.

7. Chrome Web Store Policy Compliance

Compliance Statement

AccessiWeb is developed in strict compliance with the Chrome Web Store Developer Program Policies (User Data Privacy requirements):

Single purpose: The Extension's sole purpose is to improve web accessibility for users with dyslexia, visual impairments, color blindness, motor difficulties, and attention disorders.
Minimum permissions: Each declared permission is strictly necessary for the stated accessibility feature. The broad <all_urls> host permission is required because accessibility must work on any website the user visits.
Limited use of user data: Page text accessed for TTS is used exclusively to generate speech and is not retained, transmitted, or used for secondary purposes. Images processed by OCR are never sent outside the browser.
No deceptive behavior: All Extension behavior is disclosed in this policy and in the Chrome Web Store listing.
Prominent disclosure: This Privacy Policy is publicly accessible without authentication and directly reachable at this URL.
User consent: TTS, OCR, and Captions are activated only by explicit user action. No content is processed or transmitted automatically.

8. Your Rights

EU/EEA (GDPR): Processing of page text for TTS is based on your explicit consent, exercised each time you trigger the feature. Inspect local data at chrome://extensions → AccessiWeb → Details → Local data. Uninstalling clears all local data. VitrinaDev holds no server-side records of your content. For supervisory authority contacts: edpb.europa.eu.

California (CCPA): VitrinaDev does not sell personal information. The Extension does not engage in targeted advertising or cross-context behavioral tracking.

9. Children's Privacy

AccessiWeb is a general accessibility tool usable by people of all ages. It does not knowingly collect any information from children under 13, and no personal data is collected from any user regardless of age.

10. Changes to This Policy

11. Contact

Email: bliys010@gmail.com

We will respond within 30 business days.

UI-Ray Inspector

1. Privacy Commitment

2. Data Collection and Use

2.1 Data the Extension Does NOT Collect

2.2 Data Processed Locally (Never Transmitted)

2.3 Data Processed in RAM Only (Discarded on Session End)

2.4 The Only External Communication — License Validation

3. Browser Permission Justification

storage

activeTab

scripting

Host Permission: https://uiray-license-validator.stev70117.workers.dev/

4. Local Storage and Third Parties

Local Storage

Third-Party Services

5. Chrome Web Store Policy Compliance

Compliance Statement

6. Your Rights

7. Changes to This Policy

8. Contact

MailMind

1. Privacy Commitment

2. Data Collection and Use

2.1 What MailMind Does NOT Collect

2.2 Data Transmitted to Third Parties (User-Initiated)

2.3 Data Stored Locally Only (chrome.storage.local)

2.4 Free Plan Limits and Pro-Only Actions

3. Browser Permission Justification

storage

Content Script on https://mail.google.com/*

Host Permission: https://api.anthropic.com/*

Host Permission: https://api.lemonsqueezy.com/*

4. Local Storage and Third Parties

Local Storage

Third-Party Services

5. Chrome Web Store Policy Compliance

Compliance Statement

6. Your Rights

7. Changes to This Policy

8. Contact

MedLink AI

1. Privacy Commitment

2. Data Collection and Use

2.1 What MedLink AI Does NOT Collect

2.2 Local Storage (chrome.storage.local — Never Contains API Keys)

2.3 Session Storage (chrome.storage.session — Cleared on Browser Close)

2.4 PHI De-identification — What Happens Before Any AI Call

2.5 Data Transmitted to External Services (User-Initiated)

2.6 Drug Interaction Checks — Fully Offline

2.7 Content Script Behavior — What Stays on the Page

3. Browser Permission Justification

storage

sidePanel

contextMenus

activeTab

Content Script on All Sites (https://*/*, http://*/*)

Host Permission: https://eutils.ncbi.nlm.nih.gov/*

Host Permission: https://api.openai.com/*

4. Local Storage and Third Parties

Local Storage

Third-Party Services

5. HIPAA Considerations

De-identification and Safe Harbor

6. Chrome Web Store Policy Compliance

Compliance Statement

7. Your Rights

8. Changes to This Policy

9. Contact

BillableGuard – Legal Focus Suite

1. Privacy Commitment

2. Data Collection and Use

2.1 Data the Extension Does NOT Collect

2.2 Data Stored Locally on Your Device

2.3 Optional Settings Sync (chrome.storage.sync)

2.4 The Only External Network Request — License Validation

2.5 Tab URL Access — Focus Classification

3. SHA-256 Integrity

4. Browser Permission Justification

storage

`storage`

`activeTab`

`scripting`

Host Permission: `https://uiray-license-validator.stev70117.workers.dev/`

2.3 Data Stored Locally Only (`chrome.storage.local`)

`storage`

Content Script on `https://mail.google.com/*`

Host Permission: `https://api.anthropic.com/*`

Host Permission: `https://api.lemonsqueezy.com/*`

2.2 Local Storage (`chrome.storage.local` — Never Contains API Keys)

2.3 Session Storage (`chrome.storage.session` — Cleared on Browser Close)

`storage`

`sidePanel`

`contextMenus`

`activeTab`

Content Script on All Sites (`https:///`, `http:///`)

Host Permission: `https://eutils.ncbi.nlm.nih.gov/*`

Host Permission: `https://api.openai.com/*`

2.3 Optional Settings Sync (`chrome.storage.sync`)

`storage`

`sidePanel`

`tabs` and `activeTab`

`alarms`

`notifications`

`contextMenus`

Host Permission: `<all_urls>`

2.2 Data Stored Locally on Your Device (`chrome.storage.local`)

2.3 Data Synced Across Devices (`chrome.storage.sync`)

`storage`

`tts`

`activeTab`

`scripting`

Content Scripts on All Sites (`<all_urls>` host permission)