Privacy Policy — Triform Connect

Last updated: 2026-04-21.

Triform Connect ("the extension") is a browser extension that lets you pair your Chrome browser with a Triform server you choose. This policy explains what data the extension touches, what it stores, and where data flows.

Summary in one paragraph

The extension does not send any data to Triform the company. All data flows exclusively between your Chrome and the Triform server you picked at pair time. The extension stores a device-scoped API key, your chosen Triform server URL, and a stable per-install identifier locally on your machine in chrome.storage.local. Cookies from sites you are signed in to are forwarded to your Triform server only when you initiate a sync (either on connect or by clicking "Save my cookies to Triform" in the popup), and can be revoked at any time by clicking "Forget" on the paired browser in the Triform portal's Settings → Devices tab.

What the extension accesses

The extension uses these Chrome APIs:

  • chrome.cookies — to detect which Triform instances you're signed in to (so the popup can list them) and to send your Triform server the sign-in cookies for sites you're authenticated to, when you explicitly sync them.
  • chrome.tabs — to list your currently open tabs so the Triform portal can show them, and to drive tabs when a Triform agent requests an operation.
  • chrome.scripting — to execute agent-requested operations (click, type, screenshot, read page content, run JavaScript) in your tabs when an agent requests them via the paired WebSocket.
  • chrome.offscreen — to run invisible browsing contexts when your paired browser's visibility setting is offscreen.
  • chrome.storage — to persist your server URL, API key, element identity, and a per-install machine hint locally.

What data leaves your device

Only to the Triform server you paired with (and only over HTTPS + WSS):

  • Device metadata at pair time: user agent, operating system, browser name, extension version, and an opaque per-install random "machine hint". Used by the Triform server to register your browser as a first-class element and to resolve the same browser across reinstalls.
  • Cookies when you initiate a sync — the cookie jar (or domain-filtered subset if your Triform administrator configured allowed_domains) is sent over the paired WebSocket. Used by Triform agents to access sites you're signed in to on your behalf.
  • Tab snapshots: tab URL, title, active status, and Chrome's favicon URL, for tabs that aren't extension pages or chrome:// / devtools://. Updated on every tab open / close / navigate.
  • Per-operation payloads: when an agent requests an operation (goto, click, etc.), the request and response are forwarded over the paired WebSocket. The extension doesn't send anything the agent didn't ask for.

What data does NOT leave your device

  • Your browsing history outside of what you're already telling Triform via the tab snapshots
  • Page content that no agent has requested
  • Cookies for domains you didn't sync
  • Keystrokes, mouse movements, or clipboard contents
  • Any data to any party other than the Triform server you paired with. The extension has no telemetry, no analytics, and no "phone home" to Triform the company.

What the extension stores locally

In chrome.storage.local (persists across Chrome restarts):

  • serverUrl — the Triform server you paired with.
  • authToken — a device-scoped API key (trif_…) minted by the server at pair time. Survives Chrome restarts because it needs to — these keys are designed to live for months. Shorter-lived tokens (triform_token JWT cookies) are kept in session-only storage, chrome.storage.session.
  • elementId, elementSlug, circleSlug — identifiers for the browser element and circle you paired with.
  • deviceName — the device name you typed at pair time (e.g. "Mac").
  • machineHint — a 16-byte random identifier generated at install time. Lets the Triform server recognise the same physical browser across Chrome auto-updates and reinstalls, so you don't accumulate orphan element records. Never leaves the pairing protocol; never used for cross-site tracking.

How to remove your data

  • Forget the paired browser — open the Triform portal, go to Settings → Devices, click Forget on the entry for this browser. The Triform server soft-deletes the element and revokes every API key tied to that pairing, and the extension's stored state is cleared on the next interaction.
  • Uninstall the extension — Chrome clears all of the extension's chrome.storage data.
  • Delete your Triform circle — you control the server-side data via the normal Triform account controls.

Third parties

None. The extension communicates exclusively with the Triform server you choose. If that Triform server is operated by a third party (e.g. you paired with someone else's Triform instance), their privacy policy applies to the data you send them — consult it before pairing.

Changes

Material changes to this policy will be announced in the extension's release notes and in this document's "Last updated" header.

Contact

For privacy questions, open an issue on the repository or email the maintainer listed on the extension's store page.
