AgenticERP Connection Extension — Privacy Policy
Last updated: 2026-06-21
The AgenticERP Connection Extension (“the extension”) links a workspace’s dedicated connector machine to its AgenticERP Omnichannel account. This policy describes what the extension accesses and why. It covers two build profiles — the public store build and the enterprise (managed) build — which differ only in whether provider connectors are enabled.
What the extension does (both builds)
- Pairs the device to a workspace using a one-time code entered by an administrator.
- Generates a non-extractable cryptographic key in the browser (WebCrypto ECDSA P-256). Only the public key is registered with AgenticERP; the private key never leaves the device and cannot be exported.
- Maintains an authenticated heartbeat to
*.agenticerp.cloudso the workspace knows the connector is online.
Data we access
| Data | Purpose | Stored where |
|---|---|---|
| Device key pair (non-extractable private key + public key) | Authenticate the device to AgenticERP | Locally, in the browser’s IndexedDB; the private key is non-extractable and cannot be read out |
| Install id | Identify the device installation for pairing/management | Locally (chrome.storage.local) |
| Short-lived device token | Authenticate API/WebSocket calls to AgenticERP | Locally; refreshed automatically, revocable server-side |
| Browser/OS name + extension version | Device management + minimum-version enforcement | Sent to AgenticERP at pairing/heartbeat |
Public store build — what it does NOT do
The build published on the Chrome Web Store / Edge Add-ons requests only storage,
alarms, and the single first-party host https://*.agenticerp.cloud/*. In this build
the extension:
- Does not read, collect, or transmit the content of any third-party website (it has no permission to).
- Does not read or export browser cookies.
- Does not contain or load remote code (CSP forbids
evaland remotely hosted scripts). - Does not sell or share data with third parties.
The content script runs only on *.agenticerp.cloud and performs a nonce handshake so the
AgenticERP web app can detect that the extension is installed — it reads no page data.
Enterprise (managed) build — provider connectors
For workspaces that deploy the extension to a dedicated connector machine via managed install (Google Admin / GPO force-install), an administrator may additionally grant optional, per-provider host permissions (e.g. LINE, Zalo, Meta). Only then, and only for a provider the administrator has explicitly enabled, does the extension:
- Read that provider’s conversation activity on the connector machine’s own logged-in session and forward the relevant messages/comments to the workspace’s own AgenticERP instance so they appear in its Inbox.
- Act on the workspace’s behalf for that provider (send a message, reply to a comment, mark a thread seen), strictly within a server-issued capability allowlist.
In this build the extension still:
- Requests each provider’s host permission optionally, at the moment that provider is
enabled — never
<all_urls>, never up-front. - Sends only scrubbed event data; it does not export the provider’s cookies, password, or 2FA secrets, and does not bypass any login challenge.
- Is governed server-side by a capability policy, a kill switch, and a circuit breaker — an administrator can disable any provider (or the whole extension) instantly, which stops all reading/acting.
- Reads nothing for any provider that has not been enabled, and nothing on any site outside the granted
provider hosts and
*.agenticerp.cloud.
Provider connectors are enabled by a workspace only after its own review of the relevant provider’s Terms of Service; AgenticERP gates each capability behind that policy.
Data sharing & retention
Authentication data and (in the enterprise build) provider activity are shared only with the workspace’s own AgenticERP instance, for the sole purpose of running that workspace’s messaging connectors. An administrator can revoke a device at any time, which immediately invalidates its tokens, WebSocket session, and lease. Uninstalling the extension or choosing “Unpair & clear data” removes all locally stored data, including the device key.
Contact
Questions: privacy@agenticerp.cloud
This page is the canonical privacy policy referenced by the AgenticERP Connection Extension’s Chrome Web Store and Edge Add-ons listings.