WebWright is a browser extension that uses AI to help you interact with web pages. Your privacy matters — this policy explains exactly what data the extension handles and how.
The following data is stored in your browser's local storage (chrome.storage.local) and never leaves your device unless you explicitly trigger an action that requires an LLM call:
WebWright sends data to third-party LLM providers only when you initiate an action (chat, agent task, or research). The data sent includes:
Data is sent to whichever provider you configure in Settings:
Each provider has its own privacy policy governing how they handle data you send. WebWright does not control or have access to data once it reaches the provider's API.
WebWright does not sell, rent, trade, or share your personal information with any third party for any purpose. The only outbound network calls are the LLM API calls you initiate, sent to the provider you configured.
This section is the authoritative, code-verified justification for every permission WebWright declares in its manifest — the same wording used in the Chrome Web Store developer dashboard. Every API named here is grep-verifiable against the open-source code on GitHub.
chrome.tabs.query, (2) inject the content script that extracts page-element data, and (3) capture screenshots of the user's current page via chrome.tabs.captureVisibleTab — for Chat-Pro and the agent's vision escalation. Every use is triggered by an explicit user action in the sidebar. The extension never reads or screenshots any tab in the background.
chrome.scripting.executeScript is used to (a) inject the content script that enumerates interactive page elements (buttons, links, inputs, dropdowns, including shadow-DOM elements) for the LLM to reason about, and (b) execute the chosen actions — click, type, select, scroll, navigate — back on the page. Injection happens only on user-initiated flows. The extension never injects scripts on background tabs, on undirected tabs, or runs remote or dynamically-fetched code.
chrome.storage.local. The extension stores: (1) user settings — chosen LLM provider, endpoint URL, API keys, and model preferences across the 8 supported providers; (2) the Personal Info Vault — name, age, address, and custom fields the user opts to save for form-filling; (3) saved Workflows — recorded action sequences; (4) research report history; (5) the active chat session's messages. All data stays in the user's browser — nothing is transmitted to any WebWright-controlled server, and there is no such server. chrome.storage.sync is not used, so data never leaves the device.
chrome.sidePanel.setPanelBehavior({openPanelOnActionClick: true}) is called once at startup so that clicking the WebWright toolbar icon opens sidepanel/sidepanel.html, which hosts the chat view, agent action log, research drawer, workflow controls, Personal Info Vault, and Settings. The side panel is the only UI surface the extension uses — no popup, no content-script overlay, no injected iframe. Opening is always user-initiated.
chrome.tabs.create opens new tabs when the user's goal targets a different site (e.g. "open YouTube and search for…") and opens the final research report; chrome.tabs.update navigates the agent's working tab — Research Mode drives one tab through up to 10 source URLs in sequence; chrome.tabs.remove closes the working tab when a research run is aborted; chrome.tabs.sendMessage carries the message channel between side panel, service worker, and content script; chrome.tabs.query, chrome.tabs.get, and chrome.tabs.onUpdated read tab metadata (URL, title) and detect navigation completion. Used only on tabs related to the user's running task. The extension never enumerates, monitors, or reads content from unrelated tabs.
history.pushState() without triggering a full page reload, so chrome.tabs.onUpdated never fires for those transitions. WebWright registers one chrome.webNavigation.onHistoryStateUpdated listener that filters strictly by details.tabId === agentState.tabId and details.frameId === 0. When it fires, the agent loop knows the page state has changed and re-extracts interactive elements before issuing the next action. No other webNavigation events are subscribed to. Never used for browsing-history collection, cross-tab monitoring, or any background activity.
Input.* command — Input.dispatchMouseEvent, Input.dispatchKeyEvent, Input.insertText — rather than as a synthetic DOM event. This is required because modern frameworks (React, Vue, Angular, Svelte) ignore most synthetic DOM events but accept CDP-dispatched input as real user activity. The same approach is used by the official Chrome DevTools Recorder, Puppeteer, and Playwright. chrome.debugger.attach({tabId}, "1.3") runs when an Agent Mode task starts on the user's tab; chrome.debugger.detach runs when the task ends. Network.enable is also called solely to count pending requests via Network.requestWillBeSent and Network.loadingFinished events for page-load detection — request and response bodies are never inspected. The debugger is never used for Storage.* (no cookie or localStorage access), DOM introspection, JavaScript evaluation in the page context, traffic interception, credential harvesting, or any background activity. Scoped to one tab, only while an agent task is running.
<all_urls>) — required because the user — not the developer — decides at runtime which site the agent operates on. WebWright is a general-purpose agent: when the user types "open YouTube and search for…" or runs Research Mode across whichever 10 sites Google returns, the target URL comes from the user's instruction, not from any pre-defined list. A narrow host pattern would prevent the extension from doing what the user installed it for. The host permission is used to (a) auto-inject content/content.js on the page the user directs the agent at (declared with matches: ["<all_urls>"], all_frames: true so iframe-based UI like Stripe checkout works), (b) capture screenshots via chrome.tabs.captureVisibleTab when vision escalation or Chat-Pro requires it, and (c) drive chrome.tabs.update for agent navigation. The extension never reads, screenshots, or injects scripts into any page without an explicit user-initiated task. No background scraping, telemetry, or analytics — there is no developer-controlled server to send anything to.
WebWright is an autonomous AI browser agent that performs user-instructed tasks on web pages — navigating, clicking, filling forms, summarizing page content, and conducting multi-source research — by combining LLM reasoning with DOM and visual page understanding. It is not just an LLM wrapper: WebWright perceives the page (DOM + vision), reasons about it with the LLM the user configures, and takes real actions on the user's behalf.
The extension is free, open-source under the MIT License, and architecturally privacy-preserving: there is no WebWright-controlled server, no telemetry, no analytics, and no data is collected by the developer. All user data stays in the browser via chrome.storage.local; outbound traffic goes only to the LLM provider the user configures. All permissions described above exist exclusively to support this single purpose.
WebWright does not load or execute any remote code. Every line of JavaScript is bundled in the published package; nothing is fetched and executed at runtime.
The extension makes HTTPS API calls to the LLM provider the user configures (Ollama Cloud, Ollama Local, OpenAI, Anthropic Claude, Google Gemini, DeepSeek, xAI Grok, or a user-defined endpoint), but these calls return text/JSON data that the extension parses into action objects — the LLM responses are never executed as code. The extension also performs normal page loads via chrome.tabs.update when the agent navigates on the user's behalf, but the loaded page is rendered by the browser, not executed in the extension's context.
Specifically, the extension never uses eval(), new Function(), document.write() with remote content, <script src=> to remote domains, dynamic import() with a URL, or remote-fetched code passed to chrome.scripting.executeScript.
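The remote-code list above, the "chrome.storage.sync is not used" statement and the stated chrome.debugger scope (Input.* and Network.enable only) can be checked mechanically against an unpacked copy of the extension. The following is an added example, not WebWright's own code: the file names and sample sources are constructed, and the regexes are heuristics rather than a JavaScript parser.

```javascript
// Added example: heuristic static audit of an unpacked extension's sources
// against the policy's stated limits. Regexes are approximations, not a parser.
const RULES = [
  { id: "eval", re: /(^|[^.\w$])eval\s*\(/ },
  { id: "new-function", re: /\bnew\s+Function\s*\(/ },
  { id: "document-write", re: /\bdocument\.write(ln)?\s*\(/ },
  { id: "remote-script-tag", re: /<script[^>]*\bsrc\s*=\s*["']?(https?:)?\/\//i },
  { id: "dynamic-import-url", re: /\bimport\s*\(\s*["'`]https?:\/\//i },
  { id: "storage-sync", re: /\bchrome\.storage\.sync\b/ },
];
// CDP methods the policy names for chrome.debugger: Input.* and Network.enable.
const ALLOWED_CDP = /^(Input\.\w+|Network\.enable)$/;
const CDP_CALL = /sendCommand\s*\([^,]+,\s*["']([\w.]+)["']/;

// files: { relativePath: sourceText }. Returns [{ path, line, rule }].
function auditSources(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((raw, i) => {
      const code = raw.replace(/^\s*\/\/.*$/, ""); // ignore whole-line comments
      for (const { id, re } of RULES) {
        if (re.test(code)) findings.push({ path, line: i + 1, rule: id });
      }
      const cdp = CDP_CALL.exec(code);
      if (cdp && !ALLOWED_CDP.test(cdp[1])) {
        findings.push({ path, line: i + 1, rule: "cdp:" + cdp[1] });
      }
    });
  }
  return findings;
}

// Constructed sample: one file within the stated limits, one tampered file.
const SAMPLE = {
  "background/agent.js": [
    'await chrome.debugger.sendCommand({ tabId }, "Input.insertText", { text });',
    'await chrome.debugger.sendCommand({ tabId }, "Network.enable");',
    "// eval(response) would break the no-remote-code claim",
    "const action = JSON.parse(llmResponseText);",
  ].join("\n"),
  "tampered/extra.js": [
    'await chrome.debugger.sendCommand({ tabId }, "Storage.getCookies");',
    "const run = new Function(remoteText);",
    "chrome.storage.sync.set({ apiKey });",
  ].join("\n"),
};

console.log(auditSources(SAMPLE));
```

An empty result only means none of these patterns matched; obfuscated or minified code needs a real parser and manual review.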
WebWright's use of information received from any user data, including any data accessed via the user's browser session or via any provider API, will adhere to the Chrome Web Store User Data Policy — Limited Use requirements. Specifically:
All settings, API keys, personal information, recorded workflows, and research reports are stored in chrome.storage.local, which is sandboxed per-extension by the browser and encrypted at rest on supported platforms. WebWright never transmits this data to any first-party server. Network traffic from the extension goes only to the LLM provider endpoint you configured, over HTTPS.
API key safety is your responsibility. The API keys you paste into Settings may be tied to billing accounts at OpenAI, Anthropic, Google, xAI, DeepSeek, or other providers. Treat these keys as you would a password:
The agent acts autonomously on your behalf based on your instructions. Because it can navigate, click, type, submit forms, and interact with any website you direct it to, the user is solely responsible for all actions taken by the agent, including but not limited to:
You are expected to review the agent's actions and use the extension responsibly. By installing, enabling, or using WebWright, you acknowledge and agree to these terms and conditions in full. If you do not agree, please uninstall the extension.
WebWright is not directed to or intended for use by children under the age of 13 (or the equivalent minimum age in the user's jurisdiction). The developer does not knowingly collect any personal information from children. If you believe a child has used this extension to enter personal information, please uninstall it; because all data is stored locally on the user's device, removing the extension or clearing extension storage permanently deletes that data.
WebWright does not collect, transmit, or retain any personal data on developer-controlled servers. As a result, the data-subject rights granted by laws such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar regulations are inherently satisfied:
Data sent to your chosen LLM provider is governed by that provider's privacy policy and your contractual relationship with them. Contact them directly to exercise rights with respect to data they have received.
The only authentic sources for WebWright are:
If you obtained this extension from any other source — a third-party download site, a forwarded ZIP file, an unofficial mirror — we cannot vouch for its integrity. Modified copies may contain code that violates this policy. Please re-install from one of the authentic sources above.
This Privacy Policy and the Disclaimer of Liability are governed by and construed in accordance with the laws of India, without regard to its conflict-of-law principles. Any disputes arising out of or in connection with the use of WebWright shall be subject to the exclusive jurisdiction of the competent courts located in India. Where mandatory local consumer-protection laws apply, those laws shall continue to apply to the extent required.
If this policy is updated, the "Last updated" date at the top will change. Significant changes will be noted in the extension's release notes.
For privacy questions, data-subject requests, security reports, or any other concerns, you can reach the developer at:
Email is the recommended channel for privacy or security matters; please do not include passwords, API keys, or other secrets in the initial message.