Chrome Extension Privacy Policy

GoalPair for Recruiters · Last updated: April 2026

Summary

  • The extension reads only the URL of the tab you are actively viewing on linkedin.com.
  • It never reads, copies, or stores the contents of any LinkedIn page.
  • The URL is sent to the GoalPair backend to match against GoalPair candidate records you are authorised to view as a recruiter.
  • Your sign-in credentials are used only to obtain an API token and are not stored by the extension.
  • No third-party analytics, advertising, or tracking code is included.

1. What We Collect

  1. Your recruiter email and password — submitted once when you sign in. The password is transmitted over HTTPS to goalpair.com (or your configured GoalPair instance) and is not stored by the extension.
  2. An API bearer token — issued by the GoalPair backend after a successful sign-in. Stored in chrome.storage.local so you stay signed in between browser sessions. Revoked on sign-out.
  3. The URL of the active LinkedIn tab — observed via chrome.tabs.onUpdated and sent to the GoalPair lookup endpoint when you are on a linkedin.com/in/<slug> URL. The URL is not persisted by the extension; the backend logs only aggregate request metadata consistent with its general operation.

2. What We Do Not Collect

  • Any content from LinkedIn pages (names, headlines, connections, messages, posts, etc.). The extension does not inject code into LinkedIn pages and does not read the page DOM.
  • Browsing history outside of LinkedIn.
  • Analytics, device identifiers, or marketing identifiers.

3. Backend Endpoints Used

Data sent to goalpair.com is handled under GoalPair's main privacy policy. The extension uses the following endpoints and nothing else:

  • POST /api/extension/login/
  • POST /api/extension/logout/
  • POST /api/extension/lookup/
  • POST /api/extension/save/
  • POST /api/extension/mark-hired/
  • POST /api/extension/follow/

No endpoint stores the raw LinkedIn URL beyond what is needed to return a match; saved records reference GoalPair user IDs, not LinkedIn URLs.

4. Third-Party Services

The extension makes no requests to any third party. All network traffic is between your browser and the GoalPair backend.

5. Permissions Justification

  • sidePanel — renders the GoalPair UI in Chrome's Side Panel.
  • storage — stores the recruiter's bearer token in chrome.storage.local so sign-in persists across browser sessions.
  • tabs — required to receive chrome.tabs.onUpdated URL change events and to read the active tab's URL.
  • Host permission for *://*.linkedin.com/* — required for chrome.tabs.onUpdated to fire on LinkedIn navigations. No code runs on LinkedIn pages.
  • Host permission for goalpair.com and subdomains — allows the side panel to call the GoalPair JSON API.

6. Your Controls

  • Sign out from the side panel to revoke your token and remove it from local storage.
  • Uninstall the extension from chrome://extensions/ to remove all locally stored data (including the token).
  • Contact support@goalpair.com to request deletion of recruiter-associated data from the backend.

7. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. Material changes will also be announced in the extension's listing release notes.

8. Contact

Questions: support@goalpair.com

Main site policy: goalpair.com/privacy-policy

← Back to Home