Privacy policy

Summary

• We collect nothing.
• We have no advertising identifiers and no advertising network integrations.
• We collect anonymous, opt-out usage analytics (Google Analytics for Firebase) — product-interaction events like which screens you open and whether a chat succeeded — to find and fix friction. It is not linked to your identity, is never used for cross-app/website tracking, contains no page or chat contents, and can be turned off anytime in settings.
• Everything xgoose stores is stored locally on your device via browser.storage.local (the standard Safari Web Extension storage API), which on Apple platforms is backed by your device’s protected UserDefaults.

What xgoose stores locally

All of the following live only on your device and are deleted when you remove the extension from Safari:

• The LLM provider you chose (e.g. Google Gemini, OpenAI, a custom endpoint).
• The API key you typed in.
• The base URL and model name you configured.
• The list of skills you have enabled or disabled.
• Per-site memory text that the AI chooses to remember on each origin (e.g. “the user wants HKG and uses MPM”).
• Conversation history for the current tab (reset when you click “New chat” or close the tab).

What gets sent off your device

The only network traffic xgoose originates is when you actively chat:

• Your message text + a snapshot of the active page’s URL/title + any per-site memory + the tool definitions you have enabled → the LLM API endpoint that you configured (e.g. https://generativelanguage.googleapis.com/, https://api.openai.com/, your own LiteLLM proxy, etc.).
• Skill calls may make HTTPS requests to the same origin as the page you are viewing (e.g. a Discourse forum’s REST API) on behalf of the AI. These are first-party API calls — equivalent to what your browser is already doing when you scroll the site.

We do not relay, log, or proxy any of this traffic. It goes directly from your device to the LLM endpoint of your choice and to the site you are already visiting.

What we do NOT do

• We do not collect advertising identifiers, run ad networks, or use analytics to track you across other apps or websites. Our analytics are anonymous, contain no page or chat contents, and are opt-out.
• We do not generate or transmit any device identifier.
• We do not track you across sites or sessions.
• We do not sell, share, or rent data — there is no data to sell.
• We do not load remote JavaScript or auto-update skill code.
• We do not access your browsing history or DOM unless you open the chat panel or a skill is explicitly active for the origin.

Third parties

When you pick an LLM provider, you become a customer of that provider. Their privacy policy governs anything that happens after your message leaves your device. The common ones:

• Google Gemini: https://policies.google.com/privacy
• OpenAI: https://openai.com/policies/privacy-policy

We have no relationship with these providers; xgoose is a thin client.

Children

xgoose does not knowingly collect any personal data. It is not directed at children under 13.

Changes to this policy

If we ever change this policy, the new version replaces this file at the same URL. Material changes will also be called out in the project’s GitHub release notes.

Contact

Questions? Email [email protected].