Privacy Policy
Last updated: 2026-05-10
Mr Oye (mroye) is a Chrome extension that adds a friendly browser pet to every web page. This page tells you exactly what data we collect — the short answer is almost nothing.
What stays on your device
- Your AI provider key(s) (Anthropic, OpenAI, Gemini, GitHub) — saved in
chrome.storage.local, never transmitted to us.
- Your conversation history with Mr Oye (last 50 entries).
- Your notes, snippets, clipboard history, read-later queue.
- Your focus / Pomodoro stats and domain-time-tracker totals.
- Your highlights vault (selected passages you save). Optionally encrypted with AES-256-GCM if you set a master passphrase — the passphrase never leaves your machine and we cannot recover it.
- Your job-application profile (name / email / phone / links you set for the autofill feature).
- Your meeting transcripts + summaries (last 30, recorded by you via tab-audio capture).
- Your preferences (skin tone, outfits, sound on/off, etc.).
None of this data leaves your device unless you explicitly trigger an AI request, in which case it goes directly from your browser to the AI provider you configured (Anthropic, OpenAI, etc.). We don't proxy or log it.
What we collect on our servers
- Google sign-in (required to use Mr Oye): The extension and mroye.com both require a Google sign-in. We request only
openid, email, and profile scopes. We store your Google subject ID (Google's stable account identifier), email, display name, and profile picture URL, plus first-login and last-login timestamps. We use these to: bind purchases to a real account (so codes can't be sold or shared), recognise you across devices, and identify admin requests (only ziagaggoo@gmail.com has admin rights). We never see your Google password and never request access to Gmail, Drive, or any other Google service.
- Account moderation flag: If we have to block an account for abuse / chargeback fraud, we store a blocked flag and a short block reason on your user record. Blocked accounts are refused sign-in with a 403. You can request unblock by emailing hello@mroye.com from the affected account.
- Account deletion: To delete your account + all linked Pro licenses + device bindings, email hello@mroye.com from the Google email you signed up with. Once executed, this is irreversible; you'll lose any Pro purchase tied to that account. (Admin uses
/admin/users/delete which hard-deletes the user row and cascades to licenses + device records.)
- If you buy Mr Oye Pro: Stripe sends us your email address and the Stripe checkout session ID. We store these alongside the unlock code we issue, bound to the Google account that initiated the purchase. We use this only to (a) re-issue your code if you lose it, (b) revoke a code if it's leaked, (c) refuse a second activation of the same Stripe session against a different Google account.
- License verification: Once every 24 hours, the extension asks our server "is this code still valid?". We respond yes/no based on the revocation list. We log the request count for abuse prevention but not the user's IP beyond what Cloudflare keeps for security.
- Device binding (Pro tier): When you activate a Pro key, the extension generates a random anonymous install ID (UUID, kept on your device) and registers it with the server so the same key can run on up to 5 of your browsers. We store: the install ID, an optional label you can edit ("Work Mac" / "Home PC"), a SHA-256 hash of your User-Agent string (truncated to 16 chars — not reversible to the original UA), and the first / last activation timestamps. No IP address, no fingerprint, no personal data. Devices not used for 90 days are auto-released to free up slots. You can view + remove your devices any time from the activate dialog or by emailing hello@mroye.com.
- Breach checks: When you check whether your email appears in a known data breach, the email is sent to our server which forwards it to Have I Been Pwned (or the free ProxyNova fallback). We don't store the email.
- Anonymous install heartbeat: Once per day the extension sends a random per-install UUID, the extension version, your browser language (e.g.
en-US), and the browser family (Chrome / Firefox / Edge / Safari) to api.mroye.com/install. This lets us count active installs and see which versions are in the wild. No email, no IP stored, no fingerprint, no page or browsing data. The heartbeat ID is deliberately separate from the device-binding ID above so paying users stay anonymous in the heartbeat too.
Permissions
Mr Oye requests:
storage — to save your preferences and notes locally.
tabs — to inject the mascot and enumerate open tabs in the Tab Manager feature.
activeTab — required by the "👁 Vision — Ask Oye about this page" feature. When you click the menu item, we capture a screenshot of the visible viewport via chrome.tabs.captureVisibleTab and send it to a vision-capable AI to answer your question. activeTab grants screenshot access ONLY for the tab you explicitly invoked Mr Oye on, ONLY after your click. There is no background capture, no automatic capture, and no listener that fires on tab navigation. The screenshot is the JPEG of the visible viewport at the moment of your click; it is sent to OpenAI's vision endpoint (either via our Pro AI worker or your BYOK OpenAI key — your choice) and is not stored on our servers.
history — used by Browser Wrapped and Daily Standup; never transmitted off-device.
identity — to run Google sign-in via chrome.identity.launchWebAuthFlow (scopes: openid, email, profile). Required for the activation and login flow.
cookies — used by the Cookie Wipe feature only.
clipboardWrite, notifications, alarms, contextMenus — for the corresponding features.
<all_urls> (content scripts) — so the mascot can appear on any page you visit.
Third parties — what we send and when
Mr Oye only contacts third parties when you explicitly use the related feature. Audio, mic, and screen capture stay local unless a specific feature uploads them (called out individually below).
- Google (Sign-in) — required to use Mr Oye. We use Google's OAuth 2.0 flow via
accounts.google.com and read your basic profile (email, name, picture) once. The OAuth client is shared with our sister site theappsfirm.com (same operator) — the Google consent screen reflects that branding. No ongoing Google API calls are made.
- Bring-your-own AI providers (Anthropic, OpenAI, Gemini, GitHub Models) — only when you paste your own API key and ask a question. Your prompt + your key go directly from your browser to that provider; Mr Oye never sees the request body.
- Mr Oye Pro AI server-side proxy ($19/month subscribers only) — when you ask Mr Oye AI a question without a BYOK key, your prompt is sent to our worker at
api.mroye.com/ai/chat over HTTPS with your identity Bearer token. The worker verifies your active subscription, then forwards the prompt to OpenAI (model: gpt-4o-mini) using a key that lives only on our server. Your prompt + OpenAI's reply leave our worker without being stored. Subject to OpenAI's data-processing policy at openai.com/policies.
- Mr Oye Pro AI Google Cloud TTS (paid tier, server-side) — text we read aloud for $19/mo subscribers is sent to our worker at
api.mroye.com/tts/synthesize, which forwards it to Google Cloud Text-to-Speech using a key on our server. Voice (Chirp3-HD-Puck or Wavenet per language) and char-quota (150,000/month) are enforced server-side. Your text is not stored.
- Google Cloud TTS (BYOK) — if you paste your own Google Cloud TTS API key, text-to-speak goes directly from your browser to Google with your key.
- Stripe — only when you click "Unlock Pro" or "Start Pro AI". Stripe handles the payment; we never see your card. To cancel a $19/mo subscription, use Stripe's hosted billing portal linked from inside the extension and on this site.
- Have I Been Pwned — when you click "Check breaches" (Pro feature only); the email you enter is sent through HIBP's k-anonymity range API.
- Hugging Face (via our mirror at
api.mroye.com/hf/) — only when you opt into Local Whisper STT or Local LLM or Local Kokoro TTS: model files are fetched from public Xenova/* and onnx-community/* repositories proxied through our worker (Cloudflare cache reduces re-downloads). Whisper-tiny.en is ~40MB; Qwen2.5-0.5B-Instruct is ~600MB; Kokoro-82M is ~80MB. Models download once, cache in your browser's IndexedDB, then run fully offline.
- OpenAI Whisper API — when you start Meeting recap with a BYOK OpenAI key configured: the recorded audio blob is uploaded to
api.openai.com for transcription. If no key is set, Mr Oye falls back to local Whisper and the audio never leaves your device.
- Vision / Screenshots — when you click the "👁 Vision" menu item to ask Mr Oye about what's on screen, we take a JPEG screenshot of the visible viewport (NOT the full page, NOT other tabs) and send it to OpenAI's
gpt-4o-mini vision endpoint. Two routes depending on your tier:
• Pro AI ($19/mo) subscribers: image goes to api.mroye.com/ai/chat with your identity Bearer; our worker verifies your subscription, then forwards to OpenAI using our key. We do NOT log or store the image.
• BYOK OpenAI: image goes directly from your browser to api.openai.com/v1/chat/completions using the key you saved in AI Brain.
Both routes are governed by OpenAI's data-processing policy at openai.com/policies. The screenshot is captured only on your explicit click — never on tab navigation, never in the background. If the visible tab is a sensitive page (banking, email, paywalled), that content WILL be in the screenshot; we recommend reviewing what's on screen before clicking Vision.
- mroye.com — for: (a) the ONNX runtime WASM files needed by Local Whisper / Kokoro; (b) the public skill catalog when you browse prompt skills; (c) an anonymous daily install heartbeat (see above); (d) license verification and Stripe webhook handling.
What runs locally only — never on a network
- Phishing / lookalike-domain warning: pure heuristic check on the current hostname against a bundled brand list.
- Privacy / leak scanner: regex pass over the visible page DOM for emails, phones, credit cards, API keys, etc. Never sent anywhere.
- Job-application autofill: matches your saved profile against form fields in the page DOM. No network call.
- Vault lock: AES-256-GCM encryption of the highlights vault using a key derived from your passphrase via PBKDF2 with 200,000 iterations. The key lives only in memory for 30 minutes per unlock and is never transmitted.
Children
Mr Oye is not designed for children under 13. The default system prompt sent to AI providers is kid-safe, but please supervise younger users.
Contact
Questions, takedown requests, lost unlock codes: hello@mroye.com.
← Back to mroye.com