Skip to main content

SchoolAI Browser Extension: Access, Data, and District Controls

This article answers the most common questions districts ask when evaluating the SchoolAI Chrome extension: what it can access, what data it collects, and how to disable or restrict it if needed.

What access does the extension request?

The SchoolAI extension is built on Chrome's Manifest V3 (MV3) framework and requests only the permissions needed to support specific features — primarily the AI Notetaker, the ability to modify and edit Google Doc files. It does not request access to browsing history, cookies, the debugger, native messaging, downloads, bookmarks, proxy settings, or privacy settings.

Here is the full list of permissions the extension requests, why each is needed, and which feature uses it:

Permission

Why it's needed

Feature(s) that use it

storage

Persist auth state, setup tokens, route/UI state, preferences, feature flags, and recording state across service worker restarts

Auth/session management, onboarding, route storage, feature flags, AI Notetaker state, privacy/analytics preferences

tabs

Read/query tab metadata and coordinate actions across open tabs

Supported-site detection, toggling the extension across tabs, focusing/opening SchoolAI tabs, tab title extraction, screenshot/upload flows, AI Notetaker tab/session coordination

activeTab

Temporarily access the current tab after a user gesture, without needing persistent host access to every site

User-triggered actions, current-page content capture, one-off scripting on the active page

offscreen

Run audio processing in an offscreen document, since MV3 service workers can't use DOM/audio APIs directly

AI Notetaker recording and audio processing

scripting

Programmatically inject scripts only into pages where the extension already has host permission or temporary activeTab access

Google Docs token extraction, content script reinjection after updates, OAuth callback token extraction, supported document/page integrations

alarms

Schedule work from the MV3 service worker, which Chrome can suspend between events

AI Notetaker max-duration timers, service worker task scheduling

power

Prevent the machine from sleeping/idling during long recordings

AI Notetaker recording sessions

webNavigation

Observe supported LMS page navigations — including single-page-app history/hash URL changes — from the MV3 background service worker, without needing to poll via content scripts

Batch feedback LMS navigation detection, active LMS adapter updates, Canvas/Google Classroom route handling, content setup refresh after LMS URL changes

Host access: Static host access is narrowed to Google, Microsoft, and SchoolAI origins. Broader ("all URLs") access is optional and only granted at runtime, per origin, when a user explicitly enables it — it is not requested by default.

What data does the extension collect?

Data collection is scoped to the features above:

  • Auth and session data needed to keep a user signed in across browser restarts.

  • AI Notetaker data — audio captured during a user-initiated recording session, plus session/recording state.

  • Tab and page context relevant to supported sites (e.g., Google Docs), used to enable specific integrations.

  • Preferences and feature flags used to control what functionality is shown to a given user.

The extension does not collect browsing history, cookies, or activity outside of the supported sites and user-initiated actions described above.

How page content (HTML) is handled when it is accessed

When a user does use a feature that reads page content — for example, pulling in data from a page on their LMS — here's what happens to that data:

  • Only that user can access it. The scraped HTML is stored in a way that's scoped to the individual user who triggered the action; it is not shared with or visible to other users.

  • It's retained for 3 days, then permanently deleted. After that window, the data is removed from the database and cannot be recovered.

  • The database is FERPA-compliant, consistent with the data-privacy standards expected for K-12 student data.

This scraping is a data-handling practice tied to specific features rather than a browser permission in its own right — it's governed by the same user-gesture requirement described above, not something that happens automatically in the background.

Can the extension be disabled?

Yes — a district has several options, depending on how much control is needed:

  • Simplest option: don't push/install it. If the extension isn't force-installed via Chrome Enterprise (CE) policy, individual users or admins can simply choose not to install it, and it has no footprint in the browser.

  • Block or restrict via Chrome Enterprise/Education policy. For organizations managing Chrome centrally, the ExtensionSettings policy allows IT to:

    • Allowlist or blocklist the extension by ID

    • Force-install or block installation entirely

    • Block specific permissions or runtime host access

    • Set a minimum/maximum allowed version

    • Apply these rules per organizational unit (e.g., only enable for staff, not students)

  • Uninstall per-device if it was installed individually rather than through managed policy.

In short: organizations retain full control. The extension can be blocked outright, restricted to certain permissions or sites, or simply never deployed — all without losing the option to enable it selectively later (e.g., only for staff who use the AI Notetaker).

Security practices behind the extension

  • Built on Manifest V3, Chrome's more restrictive and security-focused extension architecture.

  • Updates are signed and distributed through the Chrome Web Store, not side-loaded.

  • Daily automated security audits (OWASP-based) run against the extension, so any newly introduced vulnerability is typically identified within 24 hours.

  • Permissions are kept to the minimum needed per feature, with sensitive host access granted at runtime rather than by default.

Bottom line

Browser extensions, in general, are powerful software and deserve scrutiny — that's a fair starting point for any institution. For SchoolAI specifically: the extension requests a narrow, documented set of permissions tied to specific features, does not request higher-risk permissions like browsing history or cookies, and can be fully governed or blocked through standard Chrome Enterprise/Education controls. If your district manages Chrome centrally, you have the same level of control over this extension as you do over any other.

If you'd like a walkthrough of setting the ExtensionSettings policy for your environment, or want us to review a specific third-party report you've received, reach out and we're happy to help.

Did this answer your question?