Otto Runner Privacy Policy
Last updated: June 1, 2026
The Otto Runner Chrome extension ("Otto Runner") drives a real browser on behalf of an authenticated Otto tenant to execute scheduled browser automation tasks, such as daily MLS reviews or vendor portal status checks. This policy describes what data the extension handles and what it does not handle.
What Otto Runner stores locally
The extension stores the following on your device via chrome.storage.local:
- Pairing identity: a runner ID, runner token, Otto server URL, and tenant ID. This authenticates the extension to your paired Otto server.
- Install ID: a UUID generated on first install. This is used as a stable device identifier during pairing.
Otto Runner does not store browsing history, cookies, passwords, form data, or page content locally.
What Otto Runner sends to Otto
- Long-poll requests to receive scheduled jobs. Requests include the runner token and a basic runner fingerprint such as platform and user agent.
- Job results posted back to Otto. Results may include per-step screenshots, extracted text requested by the task, timing metadata, and error metadata.
- Computer-use bridge requests when a task needs vision-driven fallback. Otto Runner sends the active page screenshot and step instruction to the paired Otto server. The server forwards those requests to the configured model provider; the extension never sees server-side API keys.
What Otto Runner does not do
- No third-party telemetry, analytics, tracking pixels, or ad tracking.
- No background tracking of normal browsing. Otto Runner acts inside job windows it opens for scheduled tasks.
- No cross-tenant data sharing. Each install is bound to one paired Otto tenant.
- No data collection on first install. The extension is inert until you pair it with an Otto tenant.
Permissions explained
| Permission | Why Otto Runner needs it |
|---|---|
storage | Persist the pairing identity and install ID across browser restarts. |
alarms | Wake the extension service worker periodically so scheduled jobs can be received while Chrome suspends background work. |
sidePanel | Provide the pair, unpair, and status UI. |
tabs | Open the dedicated job window and detect when an operator closes it. |
scripting | Inject a read-only DOM probe into the dedicated job tab to resolve selectors and extract task-requested text. |
debugger | Drive trusted input events through the Chrome DevTools Protocol. Chrome shows its debugging banner while Otto is active. |
webNavigation | Enforce the tenant URL allowlist on every navigation in the dedicated job tab, including redirects. |
nativeMessaging | Communicate with the Otto macOS helper for local Codex runner setup and health checks. |
<all_urls> | Chrome debugger-based automation requires broad host access. Otto limits actual use at runtime with a per-tenant browser allowlist and only acts inside dedicated job windows. |
Data retention
- Local storage: retained until you unpair, uninstall the extension, or clear Chrome data.
- Server-side job data: retained by the paired Otto service according to your tenant retention policy.
Contact
Questions: mikecerrone@gmail.com
This policy applies to the Otto Runner Chrome extension only.