Overview
The TILT.ai Chrome Extension ("Extension") is developed and operated by Tilt Group ("we", "us", "our"). This policy explains what data the Extension accesses, why, where it goes, and how long it is kept.
What data the Extension accesses
| Data | Why it is accessed | Where it goes | Retention |
|---|---|---|---|
| Email subject, sender, date, recipients, body text | Extracted from the open email to build the shipment document when you trigger an import | Tilt Nexus API on import only | Cleared from local storage immediately after upload |
| Email attachments (if selected) | Uploaded as the shipment document when you choose an attachment instead of the email body | Tilt Nexus API on import only | Never written to local storage; streamed directly |
| Sender email addresses (visible in open thread) | Checked against the Nexus carrier database to show a Verified / Unknown badge next to the sender name | Tilt Nexus API (read-only query) | Cached in memory for 5 minutes, cleared on page unload |
| OAuth access & refresh tokens | Authenticate API calls to Nexus without requiring a password each time | Sent to the Nexus API only, as an Authorization: Bearer header; not shared with any other party | Stored in chrome.storage.local; cleared on sign-out |
| User name & email (decoded from JWT) | Display the signed-in user in the extension popup | Device only — never transmitted | Stored in chrome.storage.local; cleared on sign-out |
| Nexus SSO session cookie | Detect an existing Nexus browser session so you can authenticate without re-entering credentials | Device only — read, never modified or transmitted | Not stored; read once during session sync |
| Environment preference (production / staging) | Remember which Nexus environment you are connected to | Device only | Stored in chrome.storage.local indefinitely until changed |
What data is NOT collected
- The Extension does not read emails you have not opened or are not actively viewing
- The Extension does not scan your inbox, contacts, calendar, or any other Google / Microsoft data
- The Extension does not collect browsing history or track pages you visit
- The Extension does not use analytics, crash reporting, or any third-party telemetry
- The Extension does not inject advertisements or modify web pages for commercial purposes
Where data is sent
All network requests made by the Extension go exclusively to Tilt Group infrastructure:
- nexus.tiltgroup.com — production Nexus API (document upload, carrier validation)
- nexus.dev.tltgrp.com — staging Nexus API (used only when staging environment is selected)
- sso.tiltgroup.com / sso.dev.tltgrp.com — Tilt SSO (OAuth 2.0 token exchange only)
No data is sent to Google, Microsoft, or any other third party.
Legal basis for processing
Processing is based on contract performance — the Extension fulfills its core purpose (importing email content into Nexus) only when you explicitly request it via the right-click context menu. No data is processed in the background without user action.
Data security
- All API communication uses HTTPS (TLS 1.2+)
- OAuth tokens are stored in chrome.storage.local, which is isolated to the Extension and not accessible by web pages. This storage is not encrypted at rest: it is protected only by the operating-system account that owns the browser profile
- Email content is held in local storage only for the duration of the import flow (seconds) and deleted immediately after upload
- PKCE (Proof Key for Code Exchange) is used for the OAuth authorisation code flow, so that an authorisation code intercepted in transit cannot be exchanged for tokens without the code verifier, which exists only on the device
Data retention
Email content (subject, body, attachments) is stored temporarily in chrome.storage.local during the import flow and removed immediately after a successful or failed upload, and no later than 5 minutes after capture. Auth tokens are retained until you sign out or switch environments.
All locally stored data is cleared when you uninstall the Extension.
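Worked example of the retention rule above (removal after success or failure, and a 5-minute ceiling for drafts whose import never completed, for instance because the tab was closed mid-upload). This is added illustrative code, not the Extension's source. `FakeStorage` is a constructed stand-in for chrome.storage.local so the example runs under Node.js; the `upload` callback and the draft record shape are assumptions.

```javascript
// Draft retention for an import flow. Illustrative code, not the Extension's own.
const DRAFT_TTL_MS = 5 * 60 * 1000;      // 5-minute ceiling from the policy
const DRAFT_PREFIX = 'import-draft:';

// Stand-in for chrome.storage.local with the same get/set/remove shape
// (get(null) returns every item, as the real API does). Constructed for the example.
class FakeStorage {
  constructor() { this.data = new Map(); }
  async get(keys) {
    const out = {};
    const wanted = keys == null ? [...this.data.keys()] : [].concat(keys);
    for (const k of wanted) if (this.data.has(k)) out[k] = this.data.get(k);
    return out;
  }
  async set(items) { for (const [k, v] of Object.entries(items)) this.data.set(k, v); }
  async remove(keys) { for (const k of [].concat(keys)) this.data.delete(k); }
}

// Persist the captured email only for the duration of the upload, and remove it
// on every exit path. `upload` is an assumed function that posts the draft.
async function runImport(storage, upload, draft, now = Date.now) {
  const key = DRAFT_PREFIX + draft.id;
  await storage.set({ [key]: { ...draft, capturedAt: now() } });
  try {
    return await upload(draft);
  } finally {
    await storage.remove(key);   // runs after success and after a thrown error
  }
}

// Safety net for flows that never reached `finally` (e.g. page unloaded mid-upload):
// remove any draft older than the TTL or with a missing/corrupt timestamp.
async function sweepStaleDrafts(storage, now = Date.now) {
  const all = await storage.get(null);
  const stale = Object.keys(all).filter((k) =>
    k.startsWith(DRAFT_PREFIX) &&
    (!all[k] || typeof all[k].capturedAt !== 'number' ||
     now() - all[k].capturedAt >= DRAFT_TTL_MS));
  if (stale.length) await storage.remove(stale);
  return stale.length;
}
```

In an extension the sweep would run from the service worker on startup and on a chrome.alarms tick, so a draft left behind by a crashed tab is gone within the stated window even though nobody triggered a new import.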
Your rights
Because all data processed by the Extension is sent to and stored within the Tilt Nexus platform under your organisation's account, your rights to access, correct, or delete that data are governed by Tilt Group's platform privacy policy and your organisation's data processing agreement with Tilt Group. To exercise those rights, contact privacy@tiltgroup.com.
Children's privacy
The Extension is intended solely for use by freight industry professionals with an active Tilt Nexus account. It is not directed at or designed for use by anyone under the age of 18.
Changes to this policy
We may update this policy when the Extension's data practices change. Material changes will be communicated via the Chrome Web Store update notes and by updating the effective date above. Continued use of the Extension after an update constitutes acceptance of the revised policy.
Contact
Questions about this privacy policy or the Extension's data practices:
privacy@tiltgroup.com
Tilt Group · tilt.ai