Privacy Policy — DURUM.ai Chrome Extension
Last updated: 2026-04-19 Effective date: 2026-04-19 Publisher: Durum Marketing LLC, 312 West 2nd Street, Casper, WY 82601, United States Contact: info@durum.ai
This privacy policy explains what data the DURUM.ai Chrome Extension ("Extension") collects, why it collects it, how it is used, and the choices you have.
1. Data collected by the Extension
The Extension processes the following categories of data:
1.1 Account credentials (user-initiated)
When you sign in through the Extension popup, you provide your email address and password (or a Google OAuth token) to authenticate with the GrowthOS platform (hosted on Supabase). Credentials are transmitted over HTTPS to *.supabase.co and are never stored in the Extension itself.
Stored: A Supabase session token (JWT) in chrome.storage.local, used to authorize subsequent API calls. The token expires automatically (refreshed every 55 minutes).
1.2 Meta Ads Manager entity metadata (page read-only)
While you browse Meta Ads Manager (*.facebook.com/adsmanager/*), the Extension reads the DOM of the page to identify the entities (Campaign / Ad Set / Ad) currently displayed — specifically their display names and, when available, Meta IDs (ad_id, adset_id, campaign_id). The Extension does not read form fields, passwords, or any Meta personal data.
Stored: Nothing. Entity metadata is only used to query the GrowthOS backend for matching CRM metrics.
1.3 CRM metrics retrieved from GrowthOS (for display)
The Extension queries a secure RPC endpoint (get_entities_metrics_batch on Supabase) with the entity IDs/names from the page, and receives back:
- Aggregated spend, clicks, and event counts
- Calculated metrics (CPA, ROAS, health score)
- AI-generated recommendations
These metrics belong to your own CRM data (scoped to your client_key via Supabase Row-Level Security).
Stored: Cached locally for 5 minutes (metrics) and 15 minutes (recommendations) in chrome.storage.local, then discarded. Caches are cleared on logout or active-client switch.
1.4 User preferences (user-initiated)
- Active client selection (for multi-client agency users)
- Custom CSS selector overrides (advanced users only,
chrome.storage.sync) - Diagnostic mode toggle (boolean,
chrome.storage.local) - Diagnostic log ring buffer (200 entries, only when Diagnostic mode is enabled)
2. Data NOT collected
The Extension does not collect, store, transmit, or share:
- Your Meta account credentials, cookies, or access tokens
- The content of ads, creatives, or messaging beyond entity names
- Browsing history outside Meta Ads Manager
- Form inputs, private messages, or any other personal data
- Analytics, telemetry, crash reports, or usage tracking
- IP addresses (beyond what HTTPS connections naturally expose to our backend)
The Extension has no tracking pixel, no third-party analytics SDK, and no advertising identifier.
3. How data is used
The Extension's sole purpose is to display your CRM metrics inside Meta Ads Manager. Data collected is used only for that purpose:
- Authentication — verify you are a valid GrowthOS user
- Entity identification — match visible Meta entities with your CRM data
- Display — render CRM metrics as additional columns in Meta's table
- Caching — short-lived local caches to reduce backend load and improve responsiveness
No data is sold, rented, or shared with advertisers or marketing partners.
4. Data sharing
Data is shared only with:
- Supabase Inc. (cloud database and auth provider for GrowthOS) — subject to Supabase's privacy policy: https://supabase.com/privacy
- Google LLC (when you choose Google OAuth login) — per Google's privacy policy: https://policies.google.com/privacy
We do not share your data with any other third parties.
5. Data retention
- Session tokens — automatically expire after 1 hour; refreshed or deleted on logout
- Metrics cache — 5 minutes, then auto-purged
- Recommendations cache — 15 minutes, then auto-purged
- Diagnostic buffer — 200 entries in memory only, cleared when Diagnostic mode is disabled
- Preferences (active client, selectors) — persist until you uninstall the extension or explicitly reset
Server-side data retention is governed by the GrowthOS platform privacy policy: https://docs.durum.ai/privacy
6. Your rights
Under Québec Law 25 and GDPR, you have the right to:
- Access the data we hold about you
- Rectify inaccurate data
- Delete your account and associated data
- Restrict processing
- Portability of your data
- Object to processing
- Withdraw consent at any time
To exercise any right, contact info@durum.ai. We will respond within 30 days.
To immediately stop all Extension activity: uninstall the Extension from chrome://extensions. All locally cached data is removed on uninstall.
7. Required permissions and justifications
| Permission | Justification |
|---|---|
storage | Store session token, user preferences, and short-lived caches in chrome.storage.local/sync. |
alarms | Trigger automatic session token refresh every 55 minutes. |
identity | Enable optional Google OAuth sign-in flow via chrome.identity.launchWebAuthFlow. |
scripting | Re-inject the content script on already-open Meta Ads Manager tabs after install/update (no user action required). |
tabs | Identify the active Meta Ads Manager tab when the user clicks "Refresh" in the popup. |
host_permissions: https://*.facebook.com/* | Read Meta Ads Manager DOM to identify visible entities. Required for the core feature. |
host_permissions: https://*.supabase.co/* | Authenticate and query the GrowthOS backend. Required for the core feature. |
8. Children
The Extension is not directed at children under 16. We do not knowingly collect data from minors.
9. Changes to this policy
Material changes to this policy will be communicated via the Extension popup and by email to the address associated with your GrowthOS account. Continued use of the Extension after a policy update constitutes acceptance.
10. Governing law
This policy is governed by the laws of the State of Wyoming, United States, and Québec's Law 25 for Québec-resident users.
Any dispute arising from this policy or the use of the Extension shall be resolved in the courts of Wyoming.
11. Contact
- Privacy: info@durum.ai
- Support: info@durum.ai
- Postal: Durum Marketing LLC, 312 West 2nd Street, Casper, WY 82601, USA