Browser Extensions and the Visual Editor
This section describes how the GrowthBook Visual Editor browser extension handles your data. The extension is an optional tool you install from the Chrome Web Store to create A/B test variations visually on your own websites. The privacy practices described below apply only when you install and use the extension; they are in addition to the practices described elsewhere in this notice.
Data the extension stores on your device
The extension uses your browser's built-in `chrome.storage.sync` to store the following on your local device (and, if you have Chrome Sync enabled, on Google's servers under your Google account):
- The API host URL of the GrowthBook instance you have connected the extension to (e.g. `https://api.growthbook.io` for customers using GrowthBook Cloud, or a self-hosted URL).
- A Personal Access Token (PAT) that the GrowthBook web application generates on your behalf so the extension can call the GrowthBook API. The PAT is scoped to your user account and can be revoked at any time from your GrowthBook account settings.
- User interface preferences including theme (light/dark) and language (English, Spanish, Portuguese, German).
- Cached AI suggestions keyed to the experiment you are editing, retained for up to 7 days, used only to avoid unnecessary round-trips to the AI service.
The extension does not read your cookies, your browsing history (beyond the active tab URL as described below), the contents of forms on pages you visit, your saved passwords, or any other browser data.
Data the extension sends to GrowthBook
When you actively use a feature of the extension, the following data is transmitted to the GrowthBook back-end at the API host you configured:
- AI prompt text that you type or select when using AI mode to generate variation suggestions.
- A "DOM digest" of the page you are editing: a structured catalog of element selectors, HTML tag names, short text snippets (truncated to 200 characters), and a small set of attributes (e.g. `id`, `name`, `aria-label`) for elements the AI needs to reason about. The digest is capped in size and does not include scripts, stylesheets, the full page HTML, or the contents of any form fields.
- Reference image bytes (encoded as base64) only when you explicitly enable "use current image as context" on the AI image-generation flow.
- The active tab URL at the moment you create a new experiment, so that the GrowthBook back-end can record it as the experiment's editor URL.
- Standard request metadata, including your PAT in the `Authorization` header and the organization ID derived from that PAT.
Third-party AI providers
The extension does not call any third-party service directly. When you use AI mode, the GrowthBook back-end forwards your prompt and DOM digest to an AI provider (Anthropic, Google, OpenAI, or xAI) configured by your organization in GrowthBook's AI settings. The choice of provider is controlled by your organization administrator; the extension itself has no visibility into which provider processes a given request. The provider's privacy and data-retention practices apply to that data once it leaves the GrowthBook back-end.
Data the extension does not collect
To be explicit, the extension does not:
- Send telemetry, analytics, or user-activity tracking of any kind to GrowthBook or to any third party.
- Read your browsing history outside of the single tab URL described above.
- Read or transmit form field values, saved credentials, cookies, or `localStorage` contents from the pages you visit.
- Execute JavaScript or modify the DOM of any page until you explicitly open the side panel and take an action.
User-authored JavaScript
The extension allows you, the user, to author JavaScript snippets in the side panel's code editor and execute them on your own A/B test pages by clicking a "Run on page" button. Such snippets are stored only in your own GrowthBook account (alongside the rest of your A/B test variation data) and are never transmitted to any other party. The extension does not download or execute JavaScript from any source other than the snippets you yourself have authored in your GrowthBook account.
Auto-connect flow
To avoid requiring you to manually copy and paste credentials, the extension supports an "auto-connect" flow: when you click the Connect with GrowthBook button in the side panel, a tab opens at `https://app.growthbook.io/visual-editor/connect` (or your self-hosted equivalent). Because you are already signed in to GrowthBook in that tab, that page mints a Visual Editor PAT on your behalf and posts it back to the extension via the browser's `postMessage` API. The extension's content script verifies the sender's origin against a strict allowlist (`app.growthbook.io`, GrowthBook's staging environment, or the origin of the API host you previously configured) before storing the credential. Messages from any other origin are silently rejected.
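The origin check described above, sketched as an added example (not GrowthBook's own code): an exact-match allowlist that drops lookalike hosts, scheme downgrades and opaque `null` origins. The staging origin, the message shape `{ type, token }`, the function names and the sample hosts are assumptions made for illustration.

```javascript
// Fixed origins. STAGING_ORIGIN is a placeholder: the notice does not give the real one.
const CLOUD_ORIGIN = "https://app.growthbook.io";
const STAGING_ORIGIN = "https://staging.example.invalid";

// Reduce a configured API host URL to its origin. Only http(s) URLs qualify:
// file: or data: URLs serialise to the origin "null", which must never be trusted.
function toOrigin(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null;
  }
}

function buildAllowlist(apiHost) {
  const origins = new Set([CLOUD_ORIGIN, STAGING_ORIGIN]);
  const configured = apiHost ? toOrigin(apiHost) : null;
  if (configured) origins.add(configured);
  return origins;
}

// Returns true only when the sender is allowlisted and the payload is well formed.
// The message shape { type, token } is an assumption made for this example.
function handleConnectMessage(event, apiHost, store) {
  // Exact match on the browser-supplied origin; no substring or suffix tests.
  if (!buildAllowlist(apiHost).has(event.origin)) return false;
  const d = event.data;
  if (!d || d.type !== "GB_CONNECT" || typeof d.token !== "string" || !d.token) return false;
  store.pat = d.token;
  return true;
}

// Constructed sample events: two legitimate senders and three that must be dropped.
function runSamples() {
  const apiHost = "https://gb.internal.example/api";
  const msg = { type: "GB_CONNECT", token: "constructed-token" };
  return [
    "https://app.growthbook.io",
    "https://gb.internal.example",
    "https://app.growthbook.io.lookalike.example",
    "http://app.growthbook.io",
    "null",
  ].map((origin) => handleConnectMessage({ origin, data: msg }, apiHost, {}));
}

console.log(runSamples());
```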
Your choices
- Revoke access at any time by deleting the Visual Editor PAT from your GrowthBook account settings, or by uninstalling the extension (which removes all locally stored data).
- Disconnect without uninstalling by opening the gear menu in the side panel and clicking Disconnect, which removes the stored PAT but keeps the API host so reconnecting is one click away.
- Disable AI features entirely at the organization level via the GrowthBook web application's AI settings. With AI disabled, the extension's AI mode is non-functional and no prompt or DOM-digest data is sent.
- Uninstall the extension. All data will be removed from your device.
Contact
For questions about this section or to request that GrowthBook delete data associated with your Visual Editor PAT, contact privacy@growthbook.io or refer to the general contact information at the top of this notice.