OmniATP ("the Extension") is a Chrome browser extension that lets you post to Bluesky from Chrome's Omnibox. This policy describes what data the Extension handles, where it is sent, and the rights you have over that data.
In short: the Extension does not run any developer-controlled server, does not use analytics, advertising SDKs, or telemetry. The only network destination the Extension contacts is Bluesky (https://bsky.social) — and only when you (a) sign in, (b) the stored session is refreshed by the Bluesky client library, or (c) you submit a post. Everything else is stored locally in your browser's chrome.storage.local.
The data controller is:
We respond to verifiable data subject requests within 30 days as required by GDPR Art. 12(3). To verify your identity we may ask you to confirm the Bluesky handle or DID associated with your request.
All data described below is stored in your browser's chrome.storage.local. None of it is transmitted to the developer. The Extension communicates only with the Bluesky service described in §3.
When you sign in from the Extension's options page, the Extension sends the identifier (Bluesky handle, DID, or email) and the password you entered to Bluesky over HTTPS using the official AT Protocol client library (@atproto/api). On success, Bluesky returns a session containing your handle, DID, an access token (accessJwt), and a refresh token (refreshJwt).
chrome.storage.local. Anyone with access to your local Chrome profile may be able to read it. Sign out (or remove the Extension) before lending or returning your device.The session described above contains your Bluesky handle and DID. These are stored locally and used only to authenticate post requests to Bluesky. Note that your handle and DID are public information on the AT Protocol network.
When you invoke the share sub-command (e.g. at :share in the Omnibox), the Extension calls chrome.tabs.query({ active: true, currentWindow: true }), which returns the active tab object. The Extension reads only the URL and title of that tab; other fields returned by the API (favicon URL, etc.) are not used. The data is consumed at the moment of invocation to compose a post and is not stored, logged, or sent anywhere except as part of the post you choose to publish to Bluesky. The Extension does not record your browsing history.
The following user-configured preferences are stored locally:
postPrefix — a text prefix prepended to shared posts (default: NowBrowsing: ).copyToClipboardOnPost — a boolean toggle for copying the post text to your clipboard at the time of posting.amazonAssociateDomain and amazonAssociateId — optional Amazon affiliate program configuration. When set, the Extension rewrites Amazon URLs in shared posts to include this affiliate tag locally, before sending the post to Bluesky. This is a monetization feature; the developer of the Extension does not receive a commission from these links — the commission goes to whoever sets the affiliate ID (i.e. you, the user).After a successful post, the Extension shows a Chrome notification whose body contains the full text of the post you just sent. After a failed post, the body contains the Bluesky API status code and error message. These notifications are displayed by the operating system's notification surface (which may be visible to others looking at your screen) and disappear after 3 seconds.
For debugging, the Extension writes diagnostic events (including session lifecycle events such as sign-in, sign-out, and post submission) to the browser's local developer console via console.*. These logs do not leave your device, are not transmitted to any server, and disappear when the service worker shuts down or the browser is closed. You can view them via Chrome's chrome://extensions → "Inspect views" if you wish to audit them.
The Extension communicates with exactly one external service:
https://bsky.social — currently hard-coded in this version of the Extension. Future versions may allow configuring an alternative AT Protocol PDS; this policy will be updated accordingly.bsky.network) to other AT Protocol participants. Bluesky may independently log request metadata such as IP address, User-Agent, and timestamps. See Bluesky's own privacy policy (linked from https://bsky.app) for details on how they handle that data.The Extension uses no analytics SDK, no advertising SDK, no crash reporter, and no other third-party service.
| Permission | Purpose |
|---|---|
storage | Stores the Bluesky session and user preferences locally via chrome.storage.local. |
tabs | Reads the URL and title of the active tab when you invoke the share sub-command. |
notifications | Displays local Chrome notifications about post success or failure (see §2.5). |
offscreen | Creates a short-lived offscreen document, opened only when needed and immediately closed after a single copy action. |
clipboardWrite | Allows the offscreen document to write the post text to your clipboard, when the clipboard option is enabled. |
The Extension declares no host permissions and does not inject content scripts into web pages. Outbound HTTPS traffic to https://bsky.social originates from the service worker via fetch (mediated by @atproto/api) and does not require host permissions.
For users in the EEA, the United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Art. 6:
We do not engage in automated decision-making or profiling under Art. 22.
When you submit a post or sign in, your data is transmitted to Bluesky Social PBC in the United States, which is outside the EEA/UK. This transfer takes place because you have requested the posting feature; we do not facilitate any other international transfer. You may stop these transfers at any time by signing out and uninstalling the Extension.
You have the right to:
In practice, because the Extension does not retain data on developer-controlled servers, most of these rights are exercised directly by signing out or uninstalling. For any other request, contact yshrsmz.ys+pp@gmail.com.
You also have the right to lodge a complaint with your local Data Protection Authority (Art. 77 GDPR). A directory of EU/EEA authorities is published by the European Data Protection Board.
If you are a California resident:
The Extension is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). The developer does not knowingly collect personal information from children under 13. If you believe a child has provided personal information through the Extension, please contact yshrsmz.ys+pp@gmail.com so the matter can be addressed.
The Extension's use of information received from Google APIs and the Chrome Web Store complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:
User data obtained through the Extension is used solely for the user-facing features described in this document.
The Extension relies on the security boundary provided by Chrome's extension architecture (chrome.storage.local, service worker isolation, and the offscreen document API). It does not transmit credentials to any party other than Bluesky over HTTPS. As described in §2.1 and §2.6, session tokens are stored without additional encryption and may be visible to anyone with access to your Chrome profile or to the developer console; this is consistent with how Chrome stores other extensions' session data.
The Extension does not declare host permissions and does not run content scripts, which limits the attack surface. Source code is available at https://github.com/yshrsmz/omniatp for independent review.
If this policy changes in a way that affects what data is handled or where it is sent, we will publish the updated version at this URL with a new "Last updated" date and a note in the changelog below. Material changes will also be reflected in the GitHub repository.
This policy is published in English. A Japanese translation is available on request via the privacy contact above; in case of conflict, the English version controls.
last updated: May 8, 2026