Privacy & permissions

How Cordy handles your data — bring-your-own-key, browser-direct, no backend, no telemetry — plus a plain-language guide to every permission and how to revoke it.

Cordy is built so your data stays yours. This page explains exactly what is sent, where it's stored, the one-time consent you'll see, and what each Chrome permission is for.

The short version

  • Bring your own key. You use your own provider API keys; there's no Cordy account.
  • Browser-direct, no backend. Prompts go straight from your browser to the provider you configured. Cordy runs no server of its own — it can't see, proxy, or store your traffic.
  • No telemetry. Cordy collects no usage analytics and reports to no server.
  • Local-first. Conversations, settings, bookmarks, and keys live on your device. Keys are encrypted.
  • Permissions on demand. Reading page content, history, and bookmarks are optional and requested at first use — never silently at install.

What's sent, and when

Cordy sends data only when you act — when you send a chat message or run a text action (translate, explain, summarize, read aloud). At that point, your text plus any page content you've attached goes to the AI provider you configured. Nothing is sent in the background, and nothing is collected about your browsing.

If you use a local, on-device model, even that send stays on your machine — see Local & on-device AI.

Where your data is stored

  • API keys — encrypted and stored only on this device, through Cordy's secure storage. Never uploaded anywhere except to the provider you use them with.
  • Conversations, settings, bookmarks, saved tabs — stored in local browser storage on your device.
  • Nothing syncs to a Cordy server, because there isn't one.

The first time you send anything to a cloud model, Cordy shows a one-time dialog — "Send to a cloud AI service?" — that spells out what's sent, that it goes only to the provider you configured, and that your keys and conversations stay on your device. You accept it once.

This single gate covers every cloud path — chat, translation, context compaction, summarization, bookmark classification, and cloud text-to-speech — and it is fail-closed: if you haven't consented, cloud requests don't go out. Local, on-device models never trigger it.

You can withdraw consent at any time in Settings → Data & privacy; you'll be asked again before the next cloud request.

Permissions

Chrome extensions declare permissions. Cordy splits them into a small always-on set and a larger optional set that's requested only when you use the relevant feature.

Always-on (requested at install)

PermissionWhat it's for
sidePanelShow Cordy's side-panel interface
storageSave your settings, conversations, and saved items locally
tabs / activeTabSee tab titles/URLs and manage tabs for the tab tools and switcher
scriptingRun Cordy's in-page features on sites you've allowed
contextMenusThe right-click Quote to AI item
offscreenRun local model and text-to-speech work in a background document
alarmsSchedule housekeeping (auto-archiving, storage cleanup, keeping the worker alive)

Notably, this set does not include broad access to website content — reading a page's text requires the optional site access below.

Optional (requested at first use)

PermissionWhat it's forWhen it's asked
Site access (host)Run in-page features and read the current page's contentWhen you enable In-Page Features
historySearch and show your browsing history, and @history mentionsWhen you first use history
bookmarksManage and sync your bookmarksWhen you first open the bookmark manager or sync
browsingDataClear cache/cookies/storage for a site (the "clean site data" action)When that action first runs
topSitesSuggest quick linksWhen relevant

Why there's no "read all your data" warning

Because Cordy declares no install-time host permissions, Chrome doesn't show the alarming "read and change all your data on all websites" warning at install. Site access is instead an optional permission you grant from a button when you want in-page features — and Cordy registers its in-page script only after you allow it.

Granting and revoking access

  • Site access — grant or Revoke under Settings → General → In-Page Features. Revoking stops Cordy running on pages; chat and panel features keep working.
  • History / bookmarks — granted at first use; manage or remove them from Chrome's extension settings.
  • Cloud consentWithdraw consent under Settings → Data & privacy.

After a major upgrade, optional site access can reset. If in-page features stop working, re-enable them once — see Installation.

Prompt-injection safety

A page you read can contain text that tries to hijack the assistant. Cordy treats all browser-derived data — page content, selections, and tool results — as untrusted, kept separate from your instructions, so a malicious page can't issue commands. Destructive tools always require your explicit approval.

Exporting and deleting your data

Everything is under Settings → Data Management:

  • Backup Data — export your conversations, settings, saved tabs, and bookmarks to a file. (Wallpaper images and API keys are not included, so re-enter keys after restoring.)
  • Restore Data — import a backup.
  • Delete All — permanently remove chat messages and related data.
  • Selective Delete — remove just chats, paragraph anchors, or bookmarks.

Removing the extension also deletes its local data — export a backup first if you want to keep it.

Logs

Cordy keeps local, sanitized warning and error logs to help with troubleshooting. They exclude your messages, model replies, and API keys, and nothing is uploaded. You can export them as JSON to attach to a bug report, or clear them, under Settings → Logs.