BeamFlow Supply Path - Extension Privacy

Specific to the BeamFlow Supply Path Chrome extension. For the BeamFlow website privacy policy, see beamflow.co/privacy. Last updated: May 2026.

Summary in one paragraph

The BeamFlow Supply Path Chrome extension analyses the OpenRTB bid stream of any web page you visit and shows you the live supply path (which SSPs are bidding, whether they carry the schain object, whether the publisher authorises them in ads.txt, whether they list the publisher in sellers.json). It runs entirely in your browser by default and sends no data anywhere unless you optionally provide a BeamFlow API key in Settings. With a key set, the extension sends only the schain (asi, sid) pair and the publisher domain to beamflow.co/api/v1/authorization to look up authorisation status against BeamFlow’s sellers.json crawl. No cookies, no IP addresses, no user IDs, no advertiser domains, no creatives, no full URLs ever leave your browser.

What the extension reads from your browser

  • Bid request endpoint hostnames - e.g. rtb.openx.net, htlb.casalemedia.com. Used to identify which SSP each bid request was sent to.
  • OpenRTB bid request bodies - the JSON payload sent to the SSP, parsed only to extract the source.ext.schain object (and its five alternate locations), the impression tagid, the site.domain / app.bundle, and the publisher domain. Nothing else from the request body is read or stored.
  • URL query strings containing schain - for GET-style bid endpoints (e.g. Magnite Fastlane) that pass the schain in the URL.
  • Page hostname - the second-level domain of the page you are on (e.g. cnn.com), used to scope the per-page analysis. Full URLs with query strings are never stored or transmitted.
  • Prebid bid response events - if the page uses Prebid.js, the extension hooks pbjs.onEvent('bidResponse', ...) in the page’s main world to read the bidder, cpm, currency, and adUnitCode of each bid response (for CPM correlation analysis). Nothing else from the bid response is read.

What the extension never reads

  • Cookies, session IDs, IFA / IDFA, or any browser identifier
  • User identity graphs (eids, user.buyeruid, ID5, LiveRamp, IntentIQ, etc.)
  • IP addresses
  • Creative content, ad markup, VAST URLs, or any rendered ad payload
  • Advertiser domains (adomain) from bid responses
  • Full URLs with query strings - only the hostname is recorded
  • The content of the web page you are viewing (articles, search history, anything outside of bid traffic)
  • Form fields, keystrokes, passwords, or any user input
  • Browsing history or tabs other than the current one
  • Request headers beyond content-type (no cookies, no Authorization, nothing else)
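
The two lists above ("What the extension reads" and "What the extension never reads") amount to an allowlist over the OpenRTB bid request body. The sketch below is an added example, not BeamFlow's code, showing one way to enforce such an allowlist by building a fresh object from named fields. The function names, the output shape and the sample request are assumptions; of the schain locations, only source.ext.schain comes from this page, and source.schain (the OpenRTB 2.6 location) is assumed to be one of the alternates, which the page does not list.

```javascript
// Locations checked for the schain object. source.ext.schain is the one the
// policy names; source.schain is the OpenRTB 2.6 location (assumed alternate).
function findSchain(req) {
  const source = (req && req.source) || {};
  return (source.ext && source.ext.schain) || source.schain || null;
}

// Builds a new object from allowlisted fields only. Nothing is copied
// wholesale, so user, device and unrelated ext blobs cannot leak through.
function minimizeBidRequest(rawBody) {
  let req;
  try {
    req = JSON.parse(rawBody);
  } catch (e) {
    return null; // not JSON: ignore the request rather than store it
  }
  if (req === null || typeof req !== "object") return null;

  const schain = findSchain(req);
  const nodes = schain && Array.isArray(schain.nodes) ? schain.nodes : [];
  const str = (v) => (typeof v === "string" ? v : null);

  return {
    // Only the (asi, sid) pair of each node is kept; hp, rid, name are dropped.
    schain: nodes.map((n) => ({ asi: str(n && n.asi), sid: str(n && n.sid) })),
    hasSchain: schain !== null,
    tagids: (Array.isArray(req.imp) ? req.imp : [])
      .map((i) => str(i && i.tagid))
      .filter((t) => t !== null),
    siteDomain: str(req.site && req.site.domain),
    appBundle: str(req.app && req.app.bundle),
  };
}

// Constructed sample request (not captured traffic).
const SAMPLE = JSON.stringify({
  id: "req-1",
  imp: [{ id: "1", tagid: "slot-top" }],
  site: { domain: "example.com", page: "https://example.com/a?q=secret" },
  device: { ip: "203.0.113.7", ifa: "constructed-ifa" },
  user: { buyeruid: "constructed-uid", ext: { eids: [{ source: "x" }] } },
  source: { ext: { schain: { ver: "1.0", complete: 1,
    nodes: [{ asi: "ssp.example", sid: "183753", hp: 1 }] } } },
});
```
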

Where data goes

By default: nowhere

All analysis runs in the extension’s background service worker on your machine. State is held in memory per browser tab and discarded when the tab is closed or you click “Reset session” in the sidebar. Without an API key configured, the extension makes zero outbound network requests of its own.

With an API key: only schain pairs and the publisher domain

When you paste a BeamFlow API key into the extension’s Settings page, the extension uses it to verify supply-path authorisation. Each verification request sends only:

  • The publisher domain (e.g. cnn.com)
  • The SSP domain (e.g. indexexchange.com)
  • Optionally, a single seller_id from the schain (e.g. 183753) for direct sellers.json lookup
  • Your API key in the Authorization: Bearer header for authentication

Requests are sent only to https://beamflow.co/api/v1/authorization. No third parties receive any data from the extension. BeamFlow logs the API key’s daily usage count (for rate limiting) but does not log the individual queries or join them to your account beyond that.

Local storage

  • chrome.storage.local: stores your BeamFlow API key (if you provide one). Local to your device. Never synced. Removed when you uninstall the extension.
  • chrome.storage.sync: stores non-sensitive preferences (sidebar visibility, expand/collapse state). Synced across your Chrome instances by Google if you have sync enabled.

Permissions and why each is needed

  • webRequest with requestBody: to read OpenRTB bid request bodies as they leave the page. This is what makes live schain analysis possible.
  • host permissions for <all_urls>: the extension works on any publisher site (not a fixed allowlist), because the value is being able to audit supply paths everywhere on the open web.
  • scripting: to inject a small read-only listener into the page’s main world (where window.pbjs lives) so we can hear bid response events. The injected code reads only the four fields listed above and posts them to the content script via window.postMessage.
  • storage: to persist your API key and preferences across sessions.
  • tabs: to detect when you navigate to a new hostname so we can reset the analysis state per page.

No telemetry, no analytics, no tracking

The extension does not include Google Analytics, Segment, Mixpanel, Sentry, or any other telemetry / error-reporting / usage-tracking SDK. There is no “phone home” on install, on update, or on uninstall.

How to remove the extension and your data

  1. Right-click the BeamFlow icon in the Chrome toolbar → “Remove from Chrome”
  2. This deletes all local extension data (including your stored API key) immediately
  3. If you provided an API key, you can also revoke it at beamflow.co/dashboard. Revoking the key invalidates it for any future use.

Source code and verification

The full source code for the extension is part of BeamFlow’s codebase. The exact behaviour described above can be verified by inspecting:

  • extension/src/service-worker/index.ts - the bid request capture logic
  • extension/src/service-worker/pbjsInjector.ts - the injected page-world script (visible in your DevTools after load)
  • extension/src/service-worker/verificationClient.ts - the only place that makes outbound HTTPS requests
  • extension/src/lib/apiClient.ts - the only HTTPS client (hardcoded to beamflow.co)

Changes to this policy

If we ever change what the extension reads or where data goes, we will update this page with a new “Last updated” date and surface the change as an in-extension notice on the next update. Any change that broadens data collection will be opt-in.

Contact

Privacy questions: guy@beamflow.co