1 Introduction
SFMQameleon Aid ("the Extension") is a Chrome browser extension whose single purpose is to help Salesforce Marketing Cloud (SFMC) users manage Data Extensions, eject Journey contacts, and streamline daily administrative tasks within the SFMC platform.
This Privacy Policy explains what data the Extension accesses, how it is used, and how it is protected. We are committed to transparency and to complying with the Chrome Web Store Developer Program Policies, including the Limited Use requirements.
2 Data Collection
2.1 Personally Identifiable Information (PII)
The Extension does not collect, transmit, or store any Personally Identifiable Information.
The Extension does not require you to create an account, log in through the Extension, or provide any personal details. It operates entirely within your existing authenticated SFMC browser session.
2.2 Non-Personal / Technical Data
The Extension processes the following categories of non-personal, technical data — all of which remain on your local machine or within your authenticated SFMC session:
| Data | Storage Location | Retention | Purpose |
|---|---|---|---|
| CSRF security token | Chrome session storage (in-memory) | Up to 1 hour; cleared on session end | Authenticates API requests to SFMC on your behalf |
| SFMC instance identifier | Chrome session storage (in-memory) | Service worker lifetime | Routes API calls to the correct SFMC instance |
| SFMC business/account name | Chrome session storage (in-memory) | Service worker lifetime | Displays your current SFMC account context |
| Data Extension form state | Browser localStorage | 24 hours (auto-expires) | Preserves unsaved form input between popup sessions |
| Journey form state | Browser localStorage | 24 hours (auto-expires) | Preserves unsaved journey form input |
| Folder hierarchy cache | Browser localStorage | 15 minutes (auto-expires) | Reduces redundant API calls for folder navigation |
| Search query cache | Browser localStorage | 3 minutes (auto-expires) | Caches recent search terms for performance |
| Saved templates | Browser localStorage | Until manually deleted by user | Stores user-created Data Extension templates locally |
| Settings profiles | Browser localStorage | Until manually deleted by user | Stores user-created configuration profiles locally |
| Active UI state | Browser localStorage | Until overwritten | Remembers which tab/view was last active |
2.3 What We Do NOT Collect
- No analytics or telemetry of any kind
- No browsing history, keystrokes, or form data outside of the Extension's own UI
- No cookies or authentication credentials
- No data from websites other than SFMC domains
- No usage statistics, crash reports, or performance metrics
3 Data Usage (Limited Use Disclosure)
All data accessed by the Extension is used solely to provide its core functionality. Specifically:
- CSRF tokens are used exclusively to authenticate API requests to SFMC, replicating the security mechanism that SFMC's own web interface uses. Tokens are never sent to any endpoint other than the SFMC instance from which they originated.
- Tab URL information is read only to detect whether the active tab is an SFMC page and to determine the correct SFMC instance subdomain for API routing. No browsing history is recorded.
- Script injection is performed only on SFMC pages to extract the current account/business name displayed in the SFMC header and to detect Data Extension context from page structure. No user data, credentials, or page content beyond these specific elements is accessed.
- Local storage caches are used exclusively to preserve your in-progress work (form fields, templates, settings) between Extension popup sessions, reducing the need to re-enter information.
-
All network requests are sent exclusively to authenticated SFMC API endpoints on the following domains:
*.exacttarget.com*.marketingcloudapps.com*.exacttargetapis.com*.marketingcloudapis.com
The Extension does not use any collected data for purposes unrelated to its single purpose. Data is never used for advertising, marketing, credit assessment, lending, or any purpose beyond providing the Extension's stated features.
4 Data Sharing and Third Parties
The Extension does not share, sell, trade, or transfer any user data to third parties — under any circumstances.
- No data is transmitted to the Extension developer or any external server.
- No third-party analytics, advertising, or tracking services are integrated.
- All third-party libraries (React, Tailwind CSS, Framer Motion, Lucide Icons, Headless UI) are open-source UI libraries that run entirely client-side and do not collect or transmit data.
- The Extension contains no remote code loading; all code is bundled at build time.
5 Data Security
The Extension employs the following security measures:
Encryption in Transit
All communication with SFMC servers occurs over HTTPS (TLS-encrypted connections). Host permissions are restricted to HTTPS-only endpoints.
CSRF Protection
Uses SFMC's own CSRF token mechanism with time-limited caching (1-hour TTL) and automatic invalidation on authorization failures.
Session-Scoped Storage
Sensitive data is stored in Chrome's session storage API, automatically cleared when the browser session ends and not accessible to web pages or other extensions.
Minimal Permissions
Only three Chrome API permissions are requested (storage, tabs, scripting) with host access limited to SFMC domains.
No Remote Code Execution
The Extension does not fetch or execute remote scripts. All functionality is contained within the locally installed extension bundle.
6 User Rights and Data Retention
6.1 Accessing Your Data
All data stored by the Extension resides in your browser's local storage and Chrome's session storage. You can inspect this data at any time:
- localStorage: Open Chrome DevTools (F12) on any SFMC page, navigate to Application > Local Storage, and look for keys prefixed with
qameleon_. - Session storage: Managed by Chrome internally for the Extension's service worker and cleared automatically on session end.
6.2 Deleting Your Data
You can delete all Extension data at any time by:
- Within the Extension: Use the Settings tab to delete individual templates or profiles, or clear form caches.
- Via Chrome: Navigate to
chrome://extensions, find SFMQameleon Aid, and click "Remove." This will delete all associated localStorage and session storage data. - Via DevTools: Manually remove any
qameleon_-prefixed keys from localStorage.
6.3 Data Retention
- Temporary caches (CSRF tokens, form state, folder cache, search queries) expire automatically within minutes to hours as documented in Section 2.2.
- Templates and settings profiles persist until you manually delete them or uninstall the Extension.
- No data is retained on any external server, as no data is ever transmitted externally.
6.4 Data Portability
The Extension provides built-in export/import functionality for templates and settings profiles, allowing you to download your configuration as JSON files and import them into another browser instance.
7 Changes to This Policy
If we make material changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this document.
- Include a summary of changes in the Extension's Chrome Web Store listing update notes.
- For significant changes affecting data collection or sharing, increment the Extension version and provide a visible notice in the Extension's update changelog.
We encourage you to review this policy periodically.
8 Contact
If you have questions, concerns, or requests regarding this Privacy Policy or the Extension's data practices, please contact:
+ Permissions Justification
| Permission | Type | Justification |
|---|---|---|
| storage | Chrome API | Persist CSRF tokens and SFMC instance identifiers in session storage, plus local caching of preferences, templates, and form state. |
| tabs | Chrome API | Query the active tab's URL to detect SFMC pages and determine the correct instance subdomain for API routing. No browsing history is read or stored. |
| scripting | Chrome API | Execute targeted scripts on SFMC pages to extract the current account name and detect Data Extension context. Scripts run only on SFMC domains. |
| *.exacttarget.com | Host | SFMC legacy platform endpoints for journey management APIs and CSRF token retrieval. |
| *.exacttargetapis.com | Host | SFMC REST API endpoints. Wildcard needed for multi-tenant architecture. |
| *.marketingcloudapps.com | Host | Primary SFMC application API for Data Extension CRUD, folder navigation, record management, and contact exit operations. |
| *.marketingcloudapis.com | Host | SFMC Marketing Cloud API endpoints. Wildcard needed for multi-tenant architecture. |