Extension Privacy Policy

Last updated: 2026-05-18

This Privacy Policy describes how the Myles — Load Capture browser extension (the "Extension") collects, uses, stores, and discloses information when installed and used in connection with a Myles account.

By installing or using the Extension, you acknowledge the practices described below. If you do not agree with these practices, do not install or use the Extension.

1. Single Purpose

The Extension exists to do one thing: capture freight-load information into the user's Myles Copilot account so the user can score, accept, and track those loads — including, for users running a load as a driver, reporting the driver's location to the same Myles Copilot account so the load can be tracked while it is in transit.

Every permission the Extension requests, every byte of data it reads, and every network request it makes is in service of that single purpose. The Extension performs no other function.

2. Limited Use Disclosure (Chrome Web Store User Data Policy)

The Extension's use and transfer of information received through the Extension to any other application adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

• We use the data we collect only to provide and improve the user-facing features described in Section 4 below.
• We do not sell the data, transfer the data for advertising purposes, transfer the data for re-selling, or use the data for any purpose unrelated to the user-facing features.
• We do not use the data for credit-worthiness, lending, employment, insurance, or housing decisions.
• We do not use the data to train, fine-tune, or improve any general-purpose AI or machine-learning model. Captured load data is used to score that specific load for the user who captured it.
• Human review of the data occurs only (a) when the user explicitly requests support, (b) where required for security investigations or to comply with applicable law, or (c) for aggregated and anonymized operational purposes (e.g., counting captures per day across the service).

3. Scope

This policy applies solely to the Extension. The Myles web application (app.mylescopilot.com) is governed by its own privacy policy, which is the controlling document for any data that is transmitted from the Extension to Myles and stored in your organization's account.

4. Information We Collect

The Extension processes information in four categories: data automatically collected from supported load-board pages, data submitted at your request, location data collected while you are on duty, and authentication metadata. Each category is described below.

4.1 Automatic data collection on supported load boards

When you are signed in to the Extension and have selected Dispatch mode, and you visit a supported load-board origin (*.dat.com, *.truckstop.com, or *.123loadboard.com), the Extension will, without any further user action:

• Inject a content script into the page at the moment the page reaches an idle state, in accordance with the permissions you granted at install.
• Render an overlay user interface (a "load leaderboard") inside a Shadow DOM root attached to the page, and modify the page's history-API behavior solely for the purpose of detecting client-side navigation.
• Observe DOM mutations on the page using MutationObserver in order to detect freight-load listings as they render or change.
• Extract structured fields from each detected listing, including (where available): origin city and state, destination city and state, pickup date, delivery date, total rate, total miles, weight, equipment type, and broker name.
• Transmit the extracted structured fields, together with a "lens" snapshot of your selected truck, driver, trailer, customer, diesel price, reimbursements, accessorials, other costs, and driver location, to the Myles backend endpoint POST /api/extension/score-preview for the purpose of computing a profitability estimate.
• Periodically re-attempt the foregoing operations on a low-frequency interval to recover from transient failures.

The Extension does NOT transmit the full HTML, the full visible text, or the full URL of any load-board page during this automatic flow. Only the structured fields described above and the lens snapshot leave your browser during automatic scoring.

You may disable automatic data collection at any time on a per-site basis from the Extension popup, or by signing out, by switching to Driver mode, or by uninstalling the Extension.

4.2 Data submitted at your request (manual capture)

When you affirmatively act to capture a page — by clicking "Pick a load on this page" in the popup and selecting a row, or by clicking a row in the in-page overlay to accept it — the Extension transmits the following to the Myles backend endpoint POST /api/captures:

• The page's URL;
• The structured fields described in Section 4.1 for the selected row;
• The lens snapshot described in Section 4.1.

For a separate, popup-initiated "capture this page" flow on unrecognized pages, the Extension may additionally transmit:

• The page's title;
• The visible (rendered) text content of the page;
• The page's raw HTML, truncated to the first 100 kilobytes as measured in UTF-8 bytes;
• The text of any selection you have highlighted on the page;
• An ISO-8601 timestamp of the capture.

4.3 Location data (on-duty drivers only)

If your Myles account has the "drives" capability enabled, the Extension exposes a Driver mode that includes a "Tap in" control. When you tap in:

• The Extension opens a hidden offscreen document in your browser whose sole purpose is to call the standard navigator.geolocation watch-position API. The offscreen document is opened by the Extension pursuant to the offscreen and geolocation permissions declared in the manifest.
• The Extension transmits a location fix (latitude, longitude, accuracy in meters, capture timestamp, and the selected truck identifier) to the Myles backend endpoint POST /api/locations no more frequently than once every ten (10) minutes. Intermediate fixes produced by the operating system between transmissions are discarded; we do not retain them.
• The Extension uses lower-accuracy, WiFi-assisted positioning (enableHighAccuracy: false); it does not request high-precision GPS.
• Collection continues until you tap out, sign out, uninstall the Extension, or revoke browser-level location permission for the Extension origin.

The Extension also provides a "Get current location" control inside the in-page overlay that uses navigator.geolocation.getCurrentPosition to pre-fill the driver-location field of the lens with a one-time fix. This fix is stored locally as described in Section 7 and is included in the lens snapshot transmitted with subsequent scoring or capture requests as described in Sections 4.1 and 4.2.

4.4 Authentication and account metadata

When you sign in, the Extension obtains a bearer token issued by the Myles backend and the email address associated with your Myles account. On each sign-in and on a periodic basis, the Extension calls the Myles backend endpoint GET /api/captures/ping to validate the token and to retrieve your account's role and capability flags (whether your account has "drives" and "dispatches" capabilities).

The Extension does not collect financial information, payment information, government-issued identifiers, biometric data, or contact data other than the Myles-account email address described above.

5. How We Use Information

Information collected by the Extension is used solely to:

• Compute and display profitability estimates and tier badges for freight-load listings;
• Save selected captures into your organization's capture log inside the Myles account;
• Display your driver's current location on Myles dispatching surfaces;
• Authenticate requests from your browser to your Myles account;
• Recover from transient errors and present diagnostic information in your browser's developer console.

The Extension does not use the information described above for advertising, profile-building, resale, or any purpose unrelated to the operation of your Myles account.

6. What We Do NOT Do

For the avoidance of doubt, the Extension does not, in any flow:

• Collect data from pages outside the supported load-board origins listed in Section 4.1, except in the one-shot manual-capture flow you trigger by clicking the Extension icon.
• Track which pages you visit, scroll past, or hover over.
• Load or execute remotely-hosted code. All JavaScript that runs inside the Extension is bundled into the package reviewed by the Chrome Web Store. The Extension does not eval() JavaScript fetched at runtime, does not load external scripts, and does not fetch any WebAssembly module at runtime.
• Read browser cookies, modify network requests, or use the chrome.cookies, chrome.webRequest, or chrome.declarativeNetRequest APIs.
• Access your browsing history, downloads, bookmarks, the contents of tabs you are not actively viewing, or any other Chrome profile data.
• Sell, rent, lease, or otherwise transfer information collected through the Extension to any third party.
• Use captured data to train, evaluate, or improve any generalized machine-learning model.

7. Local Storage on Your Device

The Extension stores the following records in chrome.storage.local, which is isolated to the Extension's installation on your specific browser profile and is not synced to Google's servers or any other machine:

• myles.auth — bearer token (opaque string) and Myles-account email.
• myles.capabilities — cached "drives" / "dispatches" capability flags and a last-updated timestamp.
• myles.duty — on-duty flag, selected truck identifier and unit label, timestamp of the last successful location fix, and the most recent geolocation error (if any).
• myles.lens — selected truck, driver, trailer, and customer identifiers; diesel price, reimbursements, accessorials, and other-costs values; the driver-location string (which may contain raw latitude/longitude coordinates obtained from navigator.geolocation); and the provenance of that location.
• myles.mode — selected mode (driver or dispatch).
• myles.disabledSites — list of hostnames on which automatic data collection has been disabled.
• myles.autoOpen — whether the overlay auto-opens on supported boards.
• myles.overlayOpen::<hostname> — per-host overlay-open state.

The Extension does NOT use chrome.storage.sync. No information stored by the Extension is replicated across devices by the browser.

You may clear all locally stored Extension data by signing out, by uninstalling the Extension, or by clearing extension storage in your browser settings.

8. Network Transmissions

The only external network destinations contacted by the Extension are the Myles backend (https://app.mylescopilot.com) and, for staging and preview environments, the Myles project's own Vercel deployments (https://myles-copilot-web*.vercel.app). The specific endpoints contacted are:

• GET /api/captures/ping — token validation and capability lookup;
• GET /api/extension/trucks — list of trucks in your organization;
• GET /api/extension/lens — fleet, driver, trailer, customer reference data and weekly target;
• POST /api/extension/score-preview — profitability estimate for one or more extracted listings;
• POST /api/extension/embed-token — short-lived token to render an in-overlay analyzer iframe;
• POST /api/captures — save a capture to your organization;
• POST /api/locations — submit one on-duty location fix.

The Extension does NOT contact, and does NOT integrate any software development kit, library, or pixel from, any third-party analytics service, error-tracking service, advertising network, content delivery network, or other third party. The Extension does not transmit any information to Google or Microsoft (other than such transmissions as may be inherent in Chrome's or Edge's own extension infrastructure, which is governed by their respective privacy policies).

9. Data Security

• Transmissions between the Extension and the Myles backend use HTTPS (TLS).
• Locally stored data lives in chrome.storage.local, which the browser isolates to the Extension only.
• The bearer token described in Section 4.4 cannot be retrieved from the Myles backend after it is minted; it is shown once at mint time and stored only on your device. You may revoke it at any time from the Myles web application, after which any extension still holding the token will be unable to make requests.
• The runtime sender-origin allowlist for chrome.runtime.onMessageExternal is restricted to the Myles production hosts; messages from any other origin — including arbitrary *.vercel.app deployments — are rejected before any state is mutated.
• If we become aware of a security incident affecting data received through the Extension, we will notify affected users in accordance with applicable law.

10. Data Retention

Data transmitted to the Myles backend is retained in accordance with your organization's contractual retention policy with Myles and the main Myles privacy policy. You may request deletion of specific captures through the Myles web application, and your organization's administrator may request bulk deletion by contacting Myles support.

The bearer token described in Section 4.4 is retained locally until you sign out from the Extension, revoke the token from /extension-auth in the Myles web application, or uninstall the Extension.

Backups retained by our hosting and database providers may persist for up to thirty (30) days after deletion before being overwritten in the ordinary course; we do not access those backups for any purpose other than disaster recovery.

11. Third Parties

The Extension does not share any information with any third party other than the Myles backend. Myles itself may process information through its own sub-processors (hosting, database, authentication, etc.) as described in the main Myles privacy policy; the Extension does not introduce any additional third party.

12. Permissions Requested

The Extension requests the following permissions, each of which is used for the purpose stated:

• activeTab, scripting — to execute the capture flow on the currently-focused tab when you affirmatively initiate a capture;
• storage — for local data storage described in Section 7;
• geolocation, offscreen — to collect on-duty location fixes described in Section 4.3;
• Host permissions for *.dat.com, *.truckstop.com, and *.123loadboard.com — to run the automatic data collection described in Section 4.1.

13. Your Rights and Choices

You have the following choices regardless of jurisdiction:

• Decline automatic collection on a site — open the Extension popup while on the site and toggle it off.
• Decline on-duty location collection — do not tap in; or, if already tapped in, tap out.
• Sign out — click "Sign out" in the popup. The bearer token, the capabilities cache, and the duty record are cleared from local storage.
• Revoke the bearer token — generate a new token from /extension-auth in the Myles web application; older tokens are recorded but token-revocation tooling is in development.
• Uninstall — remove the Extension from chrome://extensions. All data described in Section 7 is cleared by your browser.

Depending on where you live, you may have additional rights under applicable law (for example: access, correction, deletion, portability, or restriction of processing under the EU GDPR or UK GDPR; access, deletion, correction, or opt-out of "sale"/"sharing" under the California Consumer Privacy Act / CPRA; equivalent rights under Canadian, Brazilian, or other applicable law). To exercise any of these rights, email support@mylescopilot.com. We will respond within the time limits set by the applicable law (and, in any event, within thirty (30) days). We will not discriminate against you for exercising any of these rights.

For users in the European Economic Area, the United Kingdom, or Switzerland: the lawful bases on which we process the data described in this policy are (a) performance of a contract (the Myles Copilot service you have signed up for) and (b) legitimate interests in operating, securing, and improving that service. Where required by law, we will obtain consent (for example, geolocation in jurisdictions that require it; Chrome itself prompts you before granting the Extension geolocation access, and you may tap out at any time to stop reporting).

14. Children's Privacy

The Myles Copilot service is a business tool for trucking professionals and is not directed at children. The Extension does not knowingly collect data from anyone under thirteen (13) years of age (or under sixteen (16) in jurisdictions that apply that threshold). If we learn that we have collected data from a child under the applicable age without parental consent, we will delete that data.

15. International Transfers

The Myles Copilot backend is operated from the United States. If you use the Extension from outside the United States, your data will be transferred to and processed in the United States. Where required by law (for example, for transfers of personal data out of the EEA, UK, or Switzerland), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent United Kingdom / Swiss mechanisms.

16. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this document. Material changes will additionally be disclosed in the Myles web application or in the Chrome Web Store listing for the Extension. Continued use of the Extension after a change constitutes acceptance of the revised policy.

17. Contact

Questions, requests, or complaints relating to data collected by the Extension may be directed to:

Myles — Privacy Email: support@mylescopilot.com

We aim to acknowledge every privacy-related email within five (5) business days and to resolve it within thirty (30) days, in line with the applicable legal time limits.