Privacy Policy

Last updated: May 10, 2026

Lexiora is a browser extension and companion web service that lets you look up words and sentences on any web page. This policy explains what data Lexiora handles when you use it, why we handle it, where it goes, how long we keep it, and how to reach us with questions or requests.

The extension and service are operated by the Lexiora team ("Lexiora", "we", "us"). If you have any question about this policy, write to hello@lexiora.app.

1. What Lexiora collects

Account information

When you create an account or sign in, we collect:

  • Your email address.
  • A password hash — only if you sign up with email and password. Passwords are hashed by our authentication provider; we never store or see the plaintext.
  • Your Google account email and basic profile — only if you choose "Sign in with Google". The OAuth scopes we request are openid, email, and profile.

Lookups

Each time you ask Lexiora to explain a word or sentence, the extension sends the following to our backend:

  • The highlighted text you selected.
  • Your source language and target language preferences.
  • Your authentication token, so we can attribute the lookup to your account and apply your daily usage credits.

Lexiora does not collect, transmit, or store:

  • The URL, title, or contents of the page you are viewing.
  • Anything outside the text you explicitly selected.
  • Your browsing history, location data, or device fingerprint beyond the standard HTTP request metadata your browser sends.
  • Form inputs, passwords, or other content you type into pages.

Local preferences

The extension stores a few items on your device only, in chrome.storage.local:

  • Your authentication session, so you stay signed in.
  • Your default target language.
  • The list of websites where you have disabled Lexiora.

These items never leave your browser unless you sign in (in which case the session token is also recognised by our backend so it can authenticate your requests).

2. How we use your data

We use the data described above only to:

  • Generate the explanation, definition, translation, or chat reply you asked for.
  • Save your lookups to your own history so you can review them later in your account.
  • Authenticate you and keep your session active.
  • Enforce the daily usage limits ("credits") tied to your account.
  • Diagnose errors, prevent abuse, and improve reliability of the service.

We do not:

  • Sell, rent, or trade your data.
  • Use it to build advertising profiles or to serve ads.
  • Use your highlighted text or chats to train AI models.
  • Use it for any purpose unrelated to the user-facing functionality of the extension.

Lexiora's use of any data obtained through Google OAuth APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Human review of the data above is restricted to: (a) cases where you have given explicit consent, (b) what is required for security, fraud, or abuse prevention, (c) what is required by law, and (d) trusted service providers acting on our behalf under written confidentiality obligations.

3. Where your data goes

When you use Lexiora, the highlighted text and minimum context travel to a small set of services. Each receives only what is needed to render your result.

Service What is sent Why
Lexiora backend
backend.lexiora.com (Cloudflare Workers)
Highlighted text, language preferences, and your authentication token. To generate the AI explanation and store the lookup against your account.
Supabase
supabase.com — auth and database
Account credentials, hashed passwords, session tokens, and your lookup history. To authenticate you and persist your account data.
OpenAI API
openai.com — language model
The highlighted text as part of the prompt. No account identifiers. To produce the explanation. OpenAI's API terms state that inputs sent through the API are not used to train their models.
Google Translate
translate.googleapis.com
The highlighted text and the source/target language pair. For the auxiliary translation displayed alongside the explanation.
Wikipedia
{lang}.wikipedia.org
The highlighted term, in the URL path of an unauthenticated REST request. To fetch the encyclopedic summary, when one exists.
Free Dictionary API
freedictionaryapi.com
The highlighted term, in the URL path of an unauthenticated REST request. To fetch the dictionary entry, when one exists.
Google Sign-In
accounts.google.com
Standard OAuth handshake parameters. Only invoked if you choose "Sign in with Google".

These third parties operate under their own privacy policies. We send them only the data noted above. We do not sell, rent, or otherwise transfer your data to any party outside this list.

4. Data retention

  • Account data is kept for as long as your account exists.
  • Lookup history is kept on your account so that you can review past lookups. It is removed when you delete the lookup, or when you delete your account.
  • Operational logs (errors, request counts) are kept by our backend and infrastructure providers for up to 30 days for debugging and abuse prevention.
  • Local extension data remains on your device until you sign out, uninstall the extension, or clear extension storage in your browser.

5. Your rights and choices

No matter where you live, you can:

  • Access the data we hold about you.
  • Correct inaccurate data.
  • Delete your account and the data associated with it.
  • Receive an export of your account data.
  • Withdraw consent for further processing (which means closing your account).

To exercise any of these rights, write to hello@lexiora.app. We will respond within 30 days.

If you live in the European Economic Area or the United Kingdom, you also have rights under the GDPR, including the right to lodge a complaint with your local data protection authority. If you live in California, you have rights under the CCPA / CPRA, including the right to know, the right to delete, and the right to non-discrimination for exercising those rights.

6. Security

Account passwords are hashed by our authentication provider (Supabase) using industry-standard algorithms; we never see or store plaintext passwords. All traffic between the extension, our backend, and third-party services is encrypted in transit using TLS. Authentication tokens are stored only in your browser's extension storage, scoped to the extension's own context.

7. Permissions the extension requests

Lexiora requests the minimum browser permissions it needs to work:

  • storage — to save your session, language preference, and per-site enable/disable list on your device.
  • identity (Chrome only) — to run the Google Sign-In flow when you choose it. Not requested in browsers that do not support it.
  • Host permission for all URLs (<all_urls>) — so the content script can detect the text you highlight on any page. Lexiora does not read page content; it reads the active text selection only after you select something, and it does not transmit page URLs or page contents.

8. Cookies and similar technologies

The extension itself does not set or read cookies. Our marketing website at lexiora.com uses Google Analytics (gtag) in production to measure aggregate visits. Google Analytics runs only on the website, never inside the extension.

9. Children

Lexiora is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect data from children. If you believe a child has created an account, write to hello@lexiora.app and we will delete it.

10. International data transfers

Our backend runs on Cloudflare's global edge network, and our database and authentication provider (Supabase) and language model provider (OpenAI) operate primarily from data centres in the United States. By using Lexiora you understand that your data may be processed in countries other than your own. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for these transfers.

11. Changes to this policy

We will update this page if the data we handle, the services we use, or our purposes change. Material changes will be announced in the extension UI or by email if you have an account. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For any question, request, or complaint about this policy or about data Lexiora holds: hello@lexiora.app.