oyyo browser extension
Privacy Policy
Last updated: July 14, 2026
What oyyo does and does not do with your data
✓ What it does
- Sends data only to your own oyyo workspace (
https://<tenant>.oyyo.ai). No third parties, no analytics vendors, no ad networks. - When you clip a page or ask about it, it reads the readable page content — including the values in its form fields — because that is the point: capturing what's on the submission or the email.
- Masks Social Security numbers, card numbers, bank routing numbers and labelled dates of birth before anything is sent.
✗ What it does not do
- Never reads, stores or transmits a password. Credential fields are excluded from everything it reads, and it cannot fill them.
- Never submits a form. A human always clicks the button.
- On the fill path, data flows from your workspace to the page — never the page's values back to us. The mapping only sees the form's structure, not what's typed in it.
- Nothing is sold, and nothing trains an outside model.
The detail below says the same thing more precisely. If the two ever seem to disagree, the detail governs.
1. Who this policy covers
This policy covers the oyyo Chrome extension — a side panel for commercial insurance brokers and underwriters. The extension connects to your own agency's oyyo workspace and helps you fill carrier portal forms, search your book of business, and ask questions about the page you're on. It requires an account with an oyyo workspace.
2. Where your data goes
All network traffic from the extension goes to your agency's own oyyo workspace at https://<tenant>.oyyo.ai (and cx.<tenant>.oyyo.ai). There are no third-party servers, no analytics vendors, no advertising networks, and no content delivery networks. The AI assistant is served through your own workspace.
3. What the extension collects
The extension handles the following categories of data. Each is used only to provide the feature you invoked.
3.1 Website content
When you use Clip or ask the assistant about the current page, the extension serializes the readable page content to text and sends it to your workspace. This includes the values of form fields on the page (every non-password field), because the purpose is to capture what is on the submission or the email.
3.2 Personally identifiable information
Carrier forms and broker emails contain insured names, addresses, phone numbers, email addresses and FEINs, so those values are included in the page content above. A client-side scrub masks Social Security numbers, credit-card numbers, bank routing numbers and labelled dates of birth before anything is sent. Names and email addresses are deliberately not masked, because drafting correspondence requires them.
3.3 Health information
Workers' compensation and life & health pages can carry health information. The client-side scrub masks medical record numbers, ICD codes and labelled injury/diagnosis fields before egress. This is a best-effort mitigation, not a guarantee — free text describing an injury may survive it.
3.4 Financial information
Premiums, payroll, revenue and loss history appear on these pages and are included in page content. Credit-card and bank routing numbers are masked before egress, and the extension refuses to auto-fill any field it classifies as an SSN, card, routing number or date of birth.
3.5 Authentication information — not collected
The extension does not collect passwords. It never reads, stores or transmits a password: password fields are excluded from page extraction, the AI page-serializer strips credential fields (password, one-time code, two-factor, security answer, and any field a site marks as a credential slot), and the extension will not auto-fill a credential field. Your oyyo identity is a secure session cookie owned by your own oyyo domain — no authentication token is ever stored in extension storage.
3.6 Personal communications
If you clip or ask about an email thread in webmail, that email's content is sent to your workspace.
3.7 Web history
The extension reads the active tab's URL to know which carrier portal you're on and to match it to a submission. It does not log or transmit a browsing history. Full page URLs are sent to your workspace only as part of an action you take (a clip, a question, a fill). Anonymous usage telemetry records only the site's registrable domain (e.g. "carrier.com"), never the full URL and never a field value.
3.8 User activity
A user-initiated "record a flow" feature records the sequence of interactions on a portal (which control, in what order) so the steps can be replayed later. It is value-blind by construction: field values are never recorded.
3.9 Location — not collected
The extension does not collect location. There is no geolocation.
4. What the extension never does
- Never submits a form. Every submit, bind and purchase control is fenced; a human must click it.
- Never sends page values on the fill path. To decide which of your fields belongs in which form field, oyyo sends only the form's structure — its labels and field types — never the values. Data flows from your workspace to the page, never the reverse.
- Never runs remote code. There is no
eval(), no dynamically-loaded script, and no WebAssembly. All code is in the package, verified by an automated gate at build time. - Never stores or replays a carrier-portal password.
- Never sells or shares your data with third parties, and never uses it for advertising, to train third-party models, or for creditworthiness or lending.
5. Permissions, in plain language
- Side panel — to show the oyyo panel.
- Active tab & per-site access — the extension has no standing access to any website. When you want to use oyyo on a carrier portal, you explicitly grant access to that one site ("Unlock this portal"). Access is per-site and user-granted.
- Scripting — to run the form scanner and filler on a page you have unlocked.
- Tabs — to know which site the active tab is on, so oyyo can offer the right submission.
- Storage — to remember which oyyo workspace you connected to. No credentials are stored.
- Context menus — the right-click "clip to oyyo" entry.
- Web navigation — to detect when you navigate away, so an automated run stops.
- Declarative net request — a security control: while an automated run is active, it blocks that tab from sending data anywhere except oyyo.
6. Data retention
Data the extension sends lives in your agency's own oyyo workspace and is governed by your agency's agreement with oyyo. The extension itself stores only your chosen workspace address, locally in the browser.
7. Your rights and choices
Your agency controls its oyyo workspace. To access or delete data, contact your agency administrator or oyyo. You can revoke the extension's access to any site at any time from Chrome's extension settings, and remove the extension entirely to stop all data collection.
8. Security
Traffic between the extension and your workspace is encrypted in transit. Identity is a secure session cookie on your own oyyo domain; no authentication token is held in extension storage. The extension executes no remote code.
9. Children
oyyo is a professional tool for insurance brokers and underwriters. It is not directed at children and does not knowingly collect data from them.
10. Changes to this policy
We may update this policy to reflect changes to the extension. Material changes will be reflected here with an updated date.
11. Contact
For privacy questions about the extension, contact support@oyyo.ai.