Locker

Locker Extension — Privacy Policy

Last updated May 2, 2026

The Locker browser extension lets you pick files from your Locker workspace, your computer, or generate new ones with AI, then drop them into any file input on the web. This page describes what data the extension touches and where it goes. It applies only to the extension itself; the rest of Locker is governed by the main Locker privacy policy.

Data the extension handles

  • Your Locker session. The extension authenticates by riding the same browser cookie your Locker tabs use. Sign-in is performed in a normal Locker tab; the extension never sees, stores, or transmits your password.
  • Workspace metadata. When the file picker is open, the extension calls the Locker API to list folders and files in the workspace you have selected. Nothing is fetched when the picker is closed.
  • File contents. A file is only downloaded when you explicitly pick it — at that moment the bytes are placed directly into the page's file input. Locker doesn't keep a copy outside your workspace.
  • AI generation inputs. When you use Generate with AI, your prompt and any files you attach (from your computer or your workspace) are sent to the Locker server, which forwards them to the AI provider that generates the file. The provider's privacy practices apply to that step; Locker does not retain a copy of the generated file unless you choose to save it back into your workspace.
  • Local extension state. The extension stores a boolean "signed in" flag and the slug of your last-active workspace in chrome.storage.local. Both stay on your device.

Data the extension does not handle

  • We do not read page content, scrape forms, or transmit any information about the sites you visit.
  • We do not modify any DOM element other than the file input you click on. The picker dialog renders inside an isolated shadow DOM and unmounts when you close it.
  • We do not run analytics, tracking pixels, or telemetry from the extension. There is no third-party SDK shipped with the extension code.
  • We do not share data with advertisers, brokers, or affiliates.

Why the extension requests broad permissions

  • host_permissions: <all_urls> — the file-input intercept content script must be allowed to run on any site so it can replace the OS file picker the moment you click an upload button. The script does nothing visible until you click such an input.
  • tabs — used only to open the Locker sign-in tab and this privacy page in new tabs.
  • scripting — required by Manifest V3 to register the intercept content script.
  • storage — used for the local "signed in" flag and last-active workspace slug described above.
  • activeTab — used so the popup can read the active tab's URL when you sign in, scoping the auth bounce to your current tab.

Data retention

Data the extension stores locally (the sign-in flag and active workspace slug) lives in your browser's extension storage and is removed when you uninstall the extension or sign out. File bytes picked from Locker are kept only in memory long enough to inject them into the target page's file input and are not persisted by the extension. Files generated by AI exist in memory while the preview is on screen and are discarded if you start over or close the dialog without using them.

Children's privacy

The Locker extension is intended for users 13 years of age or older.

Changes

If we materially change how the extension handles data, we'll update this page and bump the “Last updated” date above. Continued use of the extension after such a change constitutes acceptance of the revised policy.

Contact

Questions or requests about extension data can be sent to privacy@locker.dev.