Crosses OAuth Bridge – Privacy Policy

Last updated: 2025-11-06

Overview

Crosses OAuth Bridge (“the extension”) enables OAuth authentication for WebGL/Unity games embedded in iframes on hosting platforms (e.g., itch.io) by relaying OAuth tokens from the parent page to the game iframe via postMessage. The extension is developed and published by Occybyte.

Data Collection

We do not collect, store, or transmit any personal data. The extension does not collect analytics, telemetry, browsing history, or any personally identifiable information.

What the Extension Does

• Detects OAuth tokens present in the parent window URL hash after a successful login redirect (e.g., #access_token=…).
• Sends the hash to the game iframe using window.postMessage so the game can complete authentication.
• Optionally stores minimal configuration (message type, token parameter name, enabled/disabled) using chrome.storage.sync/browser.storage.sync.

What the Extension Does Not Do

• No collection, storage, or transmission of OAuth tokens beyond relaying the hash to the game iframe in-memory.
• No remote code execution. All scripts ship with the extension.
• No reading or storing of user credentials, passwords, or personal communications.
• No background tracking of web history or keystrokes.
• No third‑party analytics or advertising.

Permissions and Rationale

• Host Permissions (itch.io / itch.zone): Required so the content script can run on hosting pages to detect the OAuth hash immediately after redirects and forward it to the game iframe.
• Tabs / ActiveTab: Used by the popup to check the current tab’s URL to show status and enable/disable actions. Not used to track browsing history.
• Scripting: Needed by Manifest V3 to register content scripts.
• Storage: Stores only extension configuration (message type, token parameter, enabled flag). No personal data.

Data Retention

We retain no user data. Extension configuration is stored locally/synced by the browser and can be cleared by uninstalling the extension or clearing extension data.

Children’s Privacy

The extension does not target children and does not collect personal information from any users.

Security

The extension relays tokens only within the user’s browser process via postMessage. Tokens are not logged, stored, or sent to Occybyte or any third parties.

Third Parties

No third‑party services are integrated. The extension does not communicate with external servers other than the hosting pages where it runs (per the host permissions).

Changes to This Policy

We may update this policy to reflect functionality or regulatory changes. Updates will be posted at this URL with a new “Last updated” date.

Contact

Questions or concerns? Contact legal@occybyte.com.