GenSpend Tracker — Privacy

What the extension reads

• The URL, HTTP method, and request body of POST requests that your browser sends to declared vendor API hosts (Magnific, Kling, Topaz, Luma, Freepik, ElevenLabs, Suno, Runway, Canva, Adobe Firefly, Midjourney, Pika, Ideogram, Pixverse, Google AI Labs).
• For multipart uploads with image files, the image dimensions (width × height) — read client-side via createImageBitmap. The image bytes themselves are not transmitted.
• Configuration values you enter into the extension options page: your GenSpend bearer token and backend URL.

What the extension does NOT read

• Tabs or URLs outside the declared vendor host list.
• Response bodies — Chrome Manifest V3 does not permit this, and the extension makes no attempt to capture them.
• Cookies, password fields, or browsing history.
• Personally identifiable information of any kind.
• Analytics, advertising, or fingerprinting signals.

Where the data is transmitted

Captured request metadata is POSTed to one endpoint: the backend URL you configure in the extension options page. By default this is https://genspend.synthden.ai/api/track. The extension does not transmit data to any other third party.

Local storage

The extension uses chrome.storage.local to persist your bearer token, backend URL, and a small retry queue of events that failed to transmit (typically because the user was offline). The queue drains as soon as connectivity returns and is capped to prevent unbounded growth.

Retention and deletion

Data transmitted to your GenSpend backend follows the retention policy of that backend. To revoke the extension’s access at any time, rotate or revoke the bearer token in GenSpend Settings and the extension will be unable to transmit any new events. Removing the extension from Chrome also clears all locally stored configuration.

Website analytics & cookies

The GenSpend website uses Google Analytics 4 to understand how visitors use the site. Analytics cookies are off by default and are only set after you accept them in the consent banner — you can decline, and analytics stays disabled. This applies to the website only; the browser extension itself uses no analytics and sets no cookies, as described above.

Permissions and why

webRequest

Observe (read-only) the URL and small request bodies of POSTs that go to declared vendor API hosts. The extension does not block, modify, or redirect any requests.

storage

Persist the user-supplied bearer token, backend URL, and the retry queue across browser restarts.

alarms

Periodically flush the retry queue so failed events recover without the user needing to keep the popup open.

Host permissions (vendor sites)

Inject the request-capture content script only on the vendor sites we explicitly support. Each host listed in the manifest corresponds to a vendor whose AI-generation events the user has asked GenSpend to track.

Host permissions (genspend.synthden.ai)

Transmit captured events to the GenSpend backend the user configured. This is the only off-vendor host the extension contacts.