Privacy Policy – Tamash WebMCP Tester & AI Agent

Tamash accesses page and browser data only as needed to provide WebMCP tool discovery, tool execution, Agent Mode, and reusable Flow features. No data is collected by VibeTestQ.

This Privacy Policy explains how the Tamash — WebMCP Tester Chrome extension (“Tamash”, “the extension”, “we”, “us”) accesses, uses, stores, and shares data when you use the extension.

Tamash is a browser-side tool that intercepts WebMCP tools registered by web applications, lets you inspect and call those tools manually, and optionally runs an AI agent that drives the page using those tools. All processing happens inside your Chrome browser. No data is sent to VibeTestQ servers.

This policy applies to the extension itself. If you separately use the VibeTestQ website, contact forms, or other services, those interactions may be governed by separate terms or privacy disclosures.

What Tamash Requires — Chrome Permissions

The following permissions are declared in the extension manifest and are required for the stated purposes:

<all_urls> host permission — the extension must inject its WebMCP interceptor script into any tab the user opens, since WebMCP-enabled apps can be hosted on any domain
scripting — used to inject the WebMCP interceptor into the page's MAIN JavaScript context (required to wrap document.modelContext.registerTool() before the page's own scripts run) and to execute tool calls requested by the user
activeTab — used to target tool discovery and execution at the tab the user is currently viewing
storage — used to persist user-configured AI provider settings (sync) and credentials and flows (local) across browser sessions
sidePanel — used to render the TAMASH side panel alongside the browsed page
tabs — used to detect tab switches and page navigations so the Tool Tester and Agent can refresh their tool list automatically
LLM API host permissions (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, ollama.com) — required for the Agent tab to make direct fetch() calls to the AI provider you choose to configure
Remote MCP host permissions (mcp.atlassian.com, api.githubcopilot.com) — required for the Agent tab to call Jira or GitHub Remote MCP endpoints when you configure them

Information the Extension Can Access

WebMCP tool definitions — the names, descriptions, and input schemas of tools that the active page registers via document.modelContext.registerTool(). This is the core data the extension is built around.
Tool inputs and outputs — parameter values you enter in the Tool Tester or Flow editor, and the results returned by the page when a tool is called
Page URL and title — used to identify the active tab in the Agent runtime panel and in __agent_getTabInfo
User-entered extension settings — selected AI provider, model, base URL, and API key; Remote MCP server credentials (Jira / GitHub)
Saved flows — flow names, step sequences, and tool parameters that you create or import in the Flow tab
User prompts — text you type into the Agent tab's goal field

The extension does not read cookies, localStorage, browsing history, or any page content beyond what is returned by WebMCP tool calls. It does not auto-generate tools by scraping DOM elements.

How the Extension Uses This Information

All access to data is used solely to provide the extension's core features:

Tool Tester — loads the active page's WebMCP tool list, displays each tool's schema, and calls tools with the parameters you enter
Agent — sends your goal, the tool manifest, and tool results to the AI provider you configure; receives tool call instructions from the AI and executes them on the active page
Flow — stores and replays sequences of tool calls you define; no AI is involved at run time
Remote MCP — when you configure Jira or GitHub, sends tool-call requests with authentication headers to those providers on your behalf when the agent requests a remote tool
Connection verification — sends a minimal test request to your configured AI provider or Remote MCP endpoint when you click Test API Key or Test
Settings persistence — saves your provider, model, API key, Remote MCP credentials, and flows in Chrome storage so they survive browser restarts

What the Extension Stores

Tamash stores configuration in Chrome extension storage on your local device only.

chrome.storage.sync (may sync across Chrome profiles if browser sync is enabled):
- agentProvider — selected AI provider (e.g. openai)
- agentModel — selected model name
- agentBaseUrl — custom base URL override (empty for cloud providers)
chrome.storage.local (device-only, never synced):
- agentApiKey — the API key you enter for the selected provider
- agentConfigSaved — flag indicating credentials have been saved
- remoteMcpServers — Jira and/or GitHub Remote MCP credentials (URLs, auth tokens)
- tamashFlows — saved flows (name, steps, tool parameters, creation timestamp)

API keys and Remote MCP credentials are stored in chrome.storage.local only. They are never placed in chrome.storage.sync and are never transmitted to VibeTestQ. They are sent only to the third-party endpoint you configure (your chosen AI provider or Jira/GitHub).

Tamash does not operate an account system and does not upload any stored data to VibeTestQ servers.

When Data Is Transmitted to Third Parties

Data leaves your device only in the following cases, and only when triggered by your own actions:

Agent Mode — AI provider: when you press Run, your goal prompt, the WebMCP tool manifest, and tool results are sent to the AI provider you configured (OpenAI, Anthropic, Google, or Ollama). This happens only during an active agent run and only to the provider you chose.
Remote MCP Servers: if you have configured a Jira or GitHub Remote MCP server, the agent sends tool-call requests and your authentication credentials to those providers when the AI requests a remote tool. Remote MCP is entirely opt-in and requires manual configuration.
Test API Key / Test connection: when you click the test button in Settings or the Remote MCP editor, a minimal verification request is sent to the configured provider to confirm the credentials work.

Tamash does not transmit data to VibeTestQ. It does not send any telemetry, analytics, crash reports, or usage data anywhere.

Third-Party Services

When you use Agent Mode or Remote MCP features, your data is handled by third-party services under their own privacy policies.

OpenAI — openai.com/privacy
Anthropic — anthropic.com/privacy
Google — policies.google.com/privacy
Ollama — ollama.com/privacy
Atlassian (Jira Remote MCP) — atlassian.com/legal/privacy-policy
GitHub (GitHub Remote MCP) — GitHub Privacy Statement
Chrome Sync (Google) — if your browser profile has Chrome Sync enabled, settings stored in chrome.storage.sync may be handled by Google according to its privacy policies

You are responsible for reviewing the privacy terms of the third-party services you choose to connect.

Data Retention

Settings stored in Chrome extension storage remain until you change them, clear the extension's storage, or uninstall the extension
Tool outputs and agent run logs are held in-memory for the current browser session only; they are not persisted across restarts
Saved flows (tamashFlows) persist in chrome.storage.local until you delete them from the Flow tab or uninstall the extension
Retention practices of AI providers and Remote MCP endpoints are governed by those third-party services

User Control and Choices

You choose whether to configure an AI provider and API key — Tool Tester and Flow tabs work without any AI credentials
You choose whether to add Remote MCP servers — the Agent tab works without them
You can edit or delete your API key, Remote MCP credentials, and saved flows directly from the extension's Settings and Flow tabs
You can clear all stored extension data via Chrome: chrome://extensions → TAMASH → Extension options or through Chrome's site data settings
You can stop all data access by disabling or uninstalling the extension

Security

API keys and Remote MCP credentials are stored in chrome.storage.local only, which is scoped to the extension and not accessible to websites or other extensions. They are transmitted only over HTTPS to the third-party provider you configure.

No software system can guarantee absolute security. You are responsible for safeguarding access to your browser profile, local device, and any third-party services you configure within the extension.

Chrome Web Store Compliance

Tamash uses data only for its stated core functionality: discovering WebMCP tools on the active page, executing tool calls, running an AI agent with a user-configured LLM, replaying saved automation flows, and connecting to user-configured Remote MCP providers.

We do not sell user data
We do not use extension data for advertising, retargeting, or data brokerage
We do not collect or transmit data to VibeTestQ servers
We do not read browsing history, cookies, or DOM content beyond WebMCP tool responses
Data is transmitted to third-party providers only when required by the feature the user explicitly activates
The extension uses the minimum permissions necessary for its stated functionality

The Chrome Web Store privacy disclosure for this extension discloses: Authentication information (API keys, Remote MCP credentials), Website content (WebMCP tool definitions and results from the active page), and User activity (prompts, tool invocations, and agent steps). Purpose: App functionality only.

Children's Privacy

Tamash is intended for developers, QA engineers, and technical users. It is not directed to children under 13 (or the applicable minimum age in your jurisdiction).

Policy Updates

We may update this Privacy Policy to reflect changes to the extension, applicable law, or our practices. The updated version will be posted on this page with a revised effective date. Continued use of the extension after an update constitutes acceptance of the revised policy.

Contact

For questions or concerns about this privacy policy, contact us at support@vibetestq.com.