To deliver automated summaries, timestamps, and smart captures directly inside your browser side panel, EchoFlow requires specific permissions. In line with Google's Least Privilege principles, we request only the permissions that are necessary for the extension's core functionality.
Below is a transparent breakdown of all requested permissions, host permissions, and the exact reasons they are needed.
1. Main Extension Permissions
Allows EchoFlow to temporarily read the title and URL of the web page you currently have open, only when you launch the extension. This triggers the content extraction engine.
Required to inject a lightweight script into the page to extract text, clean up noisy elements (like ads), and detect "Next Page" pagination to combine multi-part articles.
Used specifically on YouTube to capture frames (screenshots) of key visual changes, enabling the "Smart Capture" feature which visualizes the timeline summary.
Required to store user preferences, custom prompt definitions, theme configurations, API keys, and your local summary history securely within your browser.
Prevents browser storage limits from causing errors when saving large transcripts of long lectures, video databases, or local image assets.
Enables the direct download of generated summaries, transcripts, and capture packs as Markdown files or ZIP archives to your computer.
Authenticates your Google account securely to check your Pro subscription status via Firebase and to authorize direct file backups to your Google Drive.
Allows you to paste copied external text directly into the summarizer input window with a single click, without having to manually select the field and press Ctrl+V.
Lets you manage and update your Chrome Reading List (adding articles for future reading or deleting digested ones) directly from the EchoFlow sidebar.
Listens to browser tab changes to ensure that when you navigate to a new page, the side panel updates its state to match your current active context.
Integrates the UI directly into the native Google Chrome Side Panel, so you can read, summarize, and learn side-by-side without covering your main webpage.
Used to modify CORS and HTTP headers securely when requesting content from integrations like Notion, and to strip out tracking cookies during content extraction.
2. Host Permissions (Domain Access)
EchoFlow requires access to specific domains to communicate with external APIs securely without intermediate servers.
Needed to extract body text from news platforms, blogs, and documents on any domain where you explicitly request a summary.
Routes all summarization tasks directly to Google's official Gemini API servers. This ensures your API keys and data are never sent to third-party intermediary servers.
Allows direct connections to Notion API endpoints so you can export your summaries and notes directly into your Notion databases.
Used exclusively for verifying Pro subscription state and securely handling user licensing status.