This article answers the most common questions districts ask when evaluating the SchoolAI Chrome extension: what it can access, what data it collects, and how to disable or restrict it if needed.
What access does the extension request?
The SchoolAI extension is built on Chrome's Manifest V3 (MV3) framework and requests only the permissions needed to support specific features — primarily the AI Notetaker, the ability to modify and edit Google Doc files. It does not request access to browsing history, cookies, the debugger, native messaging, downloads, bookmarks, proxy settings, or privacy settings.
Here is the full list of permissions the extension requests, why each is needed, and which feature uses it:
Permission | Why it's needed | Feature(s) that use it |
storage | Persist auth state, setup tokens, route/UI state, preferences, feature flags, and recording state across service worker restarts | Auth/session management, onboarding, route storage, feature flags, AI Notetaker state, privacy/analytics preferences |
tabs | Read/query tab metadata and coordinate actions across open tabs | Supported-site detection, toggling the extension across tabs, focusing/opening SchoolAI tabs, tab title extraction, screenshot/upload flows, AI Notetaker tab/session coordination |
activeTab | Temporarily access the current tab after a user gesture, without needing persistent host access to every site | User-triggered actions, current-page content capture, one-off scripting on the active page |
offscreen | Run audio processing in an offscreen document, since MV3 service workers can't use DOM/audio APIs directly | AI Notetaker recording and audio processing |
scripting | Programmatically inject scripts only into pages where the extension already has host permission or temporary activeTab access | Google Docs token extraction, content script reinjection after updates, OAuth callback token extraction, supported document/page integrations |
alarms | Schedule work from the MV3 service worker, which Chrome can suspend between events | AI Notetaker max-duration timers, service worker task scheduling |
power | Prevent the machine from sleeping/idling during long recordings | AI Notetaker recording sessions |
webNavigation | Observe supported LMS page navigations — including single-page-app history/hash URL changes — from the MV3 background service worker, without needing to poll via content scripts | Batch feedback LMS navigation detection, active LMS adapter updates, Canvas/Google Classroom route handling, content setup refresh after LMS URL changes |
Host access: Static host access is narrowed to Google, Microsoft, and SchoolAI origins. Broader ("all URLs") access is optional and only granted at runtime, per origin, when a user explicitly enables it — it is not requested by default.
What data does the extension collect?
Data collection is scoped to the features above:
Auth and session data needed to keep a user signed in across browser restarts.
AI Notetaker data — audio captured during a user-initiated recording session, plus session/recording state.
Tab and page context relevant to supported sites (e.g., Google Docs), used to enable specific integrations.
Preferences and feature flags used to control what functionality is shown to a given user.
The extension does not collect browsing history, cookies, or activity outside of the supported sites and user-initiated actions described above.
How page content (HTML) is handled when it is accessed
When a user does use a feature that reads page content — for example, pulling in data from a page on their LMS — here's what happens to that data:
Only that user can access it. The scraped HTML is stored in a way that's scoped to the individual user who triggered the action; it is not shared with or visible to other users.
It's retained for 3 days, then permanently deleted. After that window, the data is removed from the database and cannot be recovered.
The database is FERPA-compliant, consistent with the data-privacy standards expected for K-12 student data.
This scraping is a data-handling practice tied to specific features rather than a browser permission in its own right — it's governed by the same user-gesture requirement described above, not something that happens automatically in the background.
Can the extension be disabled?
Yes — a district has several options, depending on how much control is needed:
Simplest option: don't push/install it. If the extension isn't force-installed via Chrome Enterprise (CE) policy, individual users or admins can simply choose not to install it, and it has no footprint in the browser.
Block or restrict via Chrome Enterprise/Education policy. For organizations managing Chrome centrally, the ExtensionSettings policy allows IT to:
Allowlist or blocklist the extension by ID
Force-install or block installation entirely
Block specific permissions or runtime host access
Set a minimum/maximum allowed version
Apply these rules per organizational unit (e.g., only enable for staff, not students)
Uninstall per-device if it was installed individually rather than through managed policy.
In short: organizations retain full control. The extension can be blocked outright, restricted to certain permissions or sites, or simply never deployed — all without losing the option to enable it selectively later (e.g., only for staff who use the AI Notetaker).
Security practices behind the extension
Built on Manifest V3, Chrome's more restrictive and security-focused extension architecture.
Updates are signed and distributed through the Chrome Web Store, not side-loaded.
Daily automated security audits (OWASP-based) run against the extension, so any newly introduced vulnerability is typically identified within 24 hours.
Permissions are kept to the minimum needed per feature, with sensitive host access granted at runtime rather than by default.
Bottom line
Browser extensions, in general, are powerful software and deserve scrutiny — that's a fair starting point for any institution. For SchoolAI specifically: the extension requests a narrow, documented set of permissions tied to specific features, does not request higher-risk permissions like browsing history or cookies, and can be fully governed or blocked through standard Chrome Enterprise/Education controls. If your district manages Chrome centrally, you have the same level of control over this extension as you do over any other.
If you'd like a walkthrough of setting the ExtensionSettings policy for your environment, or want us to review a specific third-party report you've received, reach out and we're happy to help.
