Last updated: May 10, 2026
Lexiora is a browser extension and companion web service that lets you look up words and sentences on any web page. This policy explains what data Lexiora handles when you use it, why we handle it, where it goes, how long we keep it, and how to reach us with questions or requests.
The extension and service are operated by the Lexiora team ("Lexiora", "we", "us"). If you have any question about this policy, write to hello@lexiora.app.
When you create an account or sign in, we collect:
openid, email, and
profile.
Each time you ask Lexiora to explain a word or sentence, the extension sends the following to our backend:
Lexiora does not collect, transmit, or store:
The extension stores a few items on your device only, in
chrome.storage.local:
These items never leave your browser unless you sign in (in which case the session token is also recognised by our backend so it can authenticate your requests).
We use the data described above only to:
We do not:
Lexiora's use of any data obtained through Google OAuth APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Human review of the data above is restricted to: (a) cases where you have given explicit consent, (b) what is required for security, fraud, or abuse prevention, (c) what is required by law, and (d) trusted service providers acting on our behalf under written confidentiality obligations.
When you use Lexiora, the highlighted text and minimum context travel to a small set of services. Each receives only what is needed to render your result.
| Service | What is sent | Why |
|---|---|---|
| Lexiora backend backend.lexiora.com (Cloudflare Workers) | Highlighted text, language preferences, and your authentication token. | To generate the AI explanation and store the lookup against your account. |
| Supabase supabase.com — auth and database | Account credentials, hashed passwords, session tokens, and your lookup history. | To authenticate you and persist your account data. |
| OpenAI API openai.com — language model | The highlighted text as part of the prompt. No account identifiers. | To produce the explanation. OpenAI's API terms state that inputs sent through the API are not used to train their models. |
| Google Translate translate.googleapis.com | The highlighted text and the source/target language pair. | For the auxiliary translation displayed alongside the explanation. |
| Wikipedia {lang}.wikipedia.org | The highlighted term, in the URL path of an unauthenticated REST request. | To fetch the encyclopedic summary, when one exists. |
| Free Dictionary API freedictionaryapi.com | The highlighted term, in the URL path of an unauthenticated REST request. | To fetch the dictionary entry, when one exists. |
| Google Sign-In accounts.google.com | Standard OAuth handshake parameters. | Only invoked if you choose "Sign in with Google". |
These third parties operate under their own privacy policies. We send them only the data noted above. We do not sell, rent, or otherwise transfer your data to any party outside this list.
No matter where you live, you can:
To exercise any of these rights, write to hello@lexiora.app. We will respond within 30 days.
If you live in the European Economic Area or the United Kingdom, you also have rights under the GDPR, including the right to lodge a complaint with your local data protection authority. If you live in California, you have rights under the CCPA / CPRA, including the right to know, the right to delete, and the right to non-discrimination for exercising those rights.
Account passwords are hashed by our authentication provider (Supabase) using industry-standard algorithms; we never see or store plaintext passwords. All traffic between the extension, our backend, and third-party services is encrypted in transit using TLS. Authentication tokens are stored only in your browser's extension storage, scoped to the extension's own context.
Lexiora requests the minimum browser permissions it needs to work:
storage — to save your session,
language preference, and per-site enable/disable list on your
device.
identity (Chrome only) — to run
the Google Sign-In flow when you choose it. Not requested in
browsers that do not support it.
<all_urls>)
— so the content script can detect the text you highlight on any
page. Lexiora does not read page content; it reads the active
text selection only after you select something, and it does not
transmit page URLs or page contents.
The extension itself does not set or read cookies. Our marketing website at lexiora.com uses Google Analytics (gtag) in production to measure aggregate visits. Google Analytics runs only on the website, never inside the extension.
Lexiora is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect data from children. If you believe a child has created an account, write to hello@lexiora.app and we will delete it.
Our backend runs on Cloudflare's global edge network, and our database and authentication provider (Supabase) and language model provider (OpenAI) operate primarily from data centres in the United States. By using Lexiora you understand that your data may be processed in countries other than your own. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for these transfers.
We will update this page if the data we handle, the services we use, or our purposes change. Material changes will be announced in the extension UI or by email if you have an account. The "Last updated" date at the top reflects the most recent revision.
For any question, request, or complaint about this policy or about data Lexiora holds: hello@lexiora.app.