Chrome extension privacy policy — Zaai Dev

Zaai Dev is a Chrome extension that captures structured design references from web pages — screenshots, short region recordings, HTML, computed styles, palette, fonts, animation data, and media URLs — at the user's explicit request. Every capture is stored locally on the user's device by default.

Zaai Dev also offers an optional workspace at https://zaaidev.com where the user can push individual captures to their own account. Connection and every push are explicit user actions; there is no auto-sync and no background transmission. The extension's local capture features work without ever connecting. Pushing to the workspace requires an active Zaai Dev plan or free trial (see "Optional workspace connection" below).

There is no analytics SDK, no advertising SDK, and no third-party tracking in the extension itself.

What the extension does

Zaai Dev provides four capture modes, each initiated by an explicit user action:

Viewport / full-page capture — taken when the user clicks the "Capture viewport" button in the side panel.
Element capture — taken when the user enters Inspect mode, hovers over the page, and clicks to commit a target element.
Composite capture — multiple elements are selected with Shift+click, then committed with a regular click.
Region recording — the user draws a rectangle over the visible tab and records a short video of that region (e.g. to capture an animation or interaction). The recording is produced from the current tab's pixels only while the user is actively recording.

For each capture, the extension reads only the data needed to reconstruct the design context: a screenshot (or, for recordings, a short video) of the visible area, the HTML of the captured element or page, computed CSS properties of the captured element, the page's color palette and fonts in use, animation metadata, and URLs of media (images, videos) referenced by the captured element.

Form data and scripts are redacted from captured HTML. Before any capture is stored or transmitted, the extension runs a redaction pass over the HTML it reads: it blanks the values of <input>, <textarea>, and <select> controls, strips hidden form fields (which commonly carry CSRF/session tokens), removes password-field values, and empties inline <script> contents. This happens on a clone, so the live page is unaffected.

The extension does not read or store:

Cookies, localStorage, or sessionStorage of any visited site.
Form input values — text, passwords, and payment fields are blanked by the redaction pass described above.
Hidden form fields, or the contents of inline scripts, in captured HTML.
Browsing history, tab activity, or any data from tabs the user did not actively capture from.

Important limitation, stated honestly: captured HTML preserves the page's visible markup and text, and a region recording captures whatever is visibly on screen in the selected rectangle while recording. If a user captures or records an element or page on an authenticated site, any personal information rendered as visible content (e.g. a name in a heading, an order total) is part of that markup or footage and will be included. The redaction pass removes form-control and hidden-field data, not visible page text or pixels. Users should avoid capturing pages containing sensitive personal, financial, or confidential information.

Where data is stored

By default, every capture lives only on the user's device using Chrome's built-in storage APIs:

Capture metadata (titles, URLs of captured pages, tags, collections, notes, extracted CSS and HTML, animation data, palette) — stored in chrome.storage.local.
Screenshot and recording blobs — stored in IndexedDB under the database name zaai-capture.

In this default mode, no data is sent to any server operated by Zaai or any third party.

Optional workspace connection

The extension can be connected to a Zaai Dev workspace at https://zaaidev.com so the user can push individual captures into their own organised library. This is opt-in in two senses:

Connect. The user must explicitly click "Connect" in the side panel header. That click opens an authentication window via Chrome's chrome.identity.launchWebAuthFlow API. Once the user signs in to their Zaai Dev workspace and approves the connection, the workspace returns a long-lived API token. The extension stores that token in chrome.storage.local under the key zaai.workspaceToken.
Push per capture. Even after connecting, no capture is transmitted automatically. The user must click "Send to project" on each individual capture they want to push. Each push transmits, over HTTPS: the capture's metadata JSON (same structured fields the extension already stored locally); the capture's primary screenshot PNG (or, for recordings, the video file); a downscaled thumbnail PNG; and for page captures, optionally a full-page stitched screenshot PNG.

Pushing requires an active plan or trial. Zaai Dev's workspace is a paid product. To push captures, the connected account must have an active subscription or an active free trial (a 14-day trial is available with no credit card required). The extension checks the account's entitlement at https://zaaidev.com/api/extension/entitlement and, if there is no active plan or trial, shows an in-panel prompt to start a trial or upgrade instead of pushing. This check only runs once the user has connected an account; it transmits no capture data. Local capture and local export never require a plan.

If a push fails because the network is offline or the workspace returns a transient error, the capture id is queued in chrome.storage.local under zaai.pendingPushes and retried automatically — both when the browser regains connectivity and on a periodic background timer (the alarms permission) so a queued capture isn't stuck until the side panel is reopened. The user can manually retry or discard the queue from the side panel header. No queued push fires without an originating "Send to project" click.

The workspace token can be revoked at any time from the user's account at https://zaaidev.com/dev/settings/tokens. A revoked token causes the next push attempt to fail with a clear in-extension prompt to reconnect.

The extension can be disconnected at any time by clearing the zaai.workspaceToken value in chrome.storage.local. Local captures are not affected.

What the workspace does with pushed data

The Zaai Dev workspace at https://zaaidev.com is operated by the same provider as this extension. When the user pushes a capture, the workspace stores it under the user's account, runs AI-driven classification (suggested tags, dominant colours, inferred component type), and makes it available in the user's project library. The workspace has its own privacy policy at https://zaaidev.com/legal/privacy covering its own data handling. The extension's responsibility ends at the HTTPS POST.

Permissions and why they are requested

The extension declares the following Chrome permissions. Each is listed with the specific feature it supports.

sidePanel — Required to render the capture flow and library UI inside Chrome's side panel.
activeTab — Granted temporarily when the user clicks the extension's toolbar icon. Lets the extension access the active tab's content to perform the capture the user just requested. Access ends when the user navigates away.
storage — Stores capture metadata, user-defined tags, collections, the optional workspace token, and the optional pending-pushes queue in chrome.storage.local on the user's device.
scripting — Permits programmatic injection of the capture/extraction logic into the active tab at the moment the user starts a capture or enters Inspect mode. This is the only way the extension's code reaches a page — it does not run an always-on content script on every site you visit. Injection is paired with activeTab, so it only ever touches the tab the user is actively capturing from.
unlimitedStorage — Screenshot and recording blobs in IndexedDB routinely exceed the default browser storage quota. A user with 50+ full-page captures or several recordings can reach 100MB or more. This permission lets the user's own captures grow without artificial limits.
identity — Required only for the optional workspace connection. Used to open chrome.identity.launchWebAuthFlow against https://zaaidev.com/dev/extension-callback so the workspace can mint a token without the extension having to handle the user's password. The permission is harmless to users who never click Connect.
alarms — Runs a periodic background check that retries any captures queued in the offline outbox once connectivity returns, so a push that failed while offline isn't stuck until the side panel is reopened. It schedules a timer only; it reads no page or browsing data.
tabCapture — Required only for region recording. When the user draws a region and clicks Record, the extension captures the active tab's video stream to produce the recording. It is invoked only by that explicit user action and never captures audio or other tabs.
offscreen — Required only for region recording. Chrome service workers cannot use media APIs, so the extension opens a hidden offscreen document that holds the tab's video stream and runs MediaRecorder to encode the cropped region into a video file on the user's device. The offscreen document transmits nothing externally; it only produces the local recording blob.
Host permission https://zaaidev.com/* — Required only for the optional workspace connection. The extension uses this to POST captures to https://zaaidev.com/api/captures, fetch the user's projects from https://zaaidev.com/api/projects, and check entitlement at https://zaaidev.com/api/extension/entitlement. No other host is contacted via this permission, and the extension declares no broad host access to the sites you browse — page access is on-demand via activeTab + scripting only.

Third-party services

The extension itself uses no third-party SDKs — no analytics, no error reporting, no advertising, no AI APIs, no cloud storage SDKs.

The optional workspace at https://zaaidev.com (which the user explicitly chooses to connect to) is operated by the same provider as the extension. It is therefore a first-party service for the user, not a third-party transfer of data.

User control over their own data

View, edit, tag, annotate, or delete any individual capture from the side panel or the library dashboard.
Export all captures as a single JSON file (including base64-inlined screenshots) using the "Export all" button. The user is the sole recipient of this file.
Disconnect the workspace by clearing the zaai.workspaceToken key in chrome.storage.local, or by revoking the token at https://zaaidev.com/dev/settings/tokens. Either action stops the extension from pushing further captures and is reversible by reconnecting.
Bulk-delete or wipe everything by uninstalling the extension. Chrome automatically removes the extension's chrome.storage.local data on uninstall; the IndexedDB database (zaai-capture) is also cleared. Captures already pushed to the workspace are not affected by uninstalling the extension — those are managed from the workspace account directly.

Children's data

Zaai Dev is a tool for designers, agencies, and developers. It is not directed at children under 13 and does not knowingly collect data from children.

Changes to this policy

If this policy is updated, the "Effective date" at the top will be revised and a summary of the change will be added to a change log on this page. Material changes to data handling will be communicated in-extension before the change takes effect.

Contact

For questions, concerns, or data requests related to this extension, contact: support@zaaidev.com.

This document describes the privacy behaviour of the Zaai Dev Chrome extension at version 1.0.0. The Zaai Dev workspace web app at https://zaaidev.com has its own privacy policy covering server-side data handling once a user has explicitly pushed a capture to their account.