Browser Extension Data Security and Privacy

Overview

BombBomb's Browser Extension lets you record and send videos directly from Chrome or Edge. This article explains exactly what data the extension collects, how that data is protected, and what security measures BombBomb maintains.

Who this applies to: All users of the BombBomb Browser Extension 

Plan requirement: Core, Core + Copilot, Enterprise


Supported Browsers

The BombBomb Browser Extension works in Google Chrome and Microsoft Edge.

  • The Chrome extension is available on the Chrome Web Store and has passed Google's security review process.
  • The Edge extension is available on the Microsoft Edge Add-ons store and has passed Microsoft's security review process.

What Data Does the Extension Collect?

The extension collects two categories of data in order to deliver the service.

Sender Data

  • BombBomb account ID
  • Sender name
  • Sender email address

Recipient Data

Recipient data is only collected when the extension's tracking feature is turned on.

  • Recipient email address and name
  • Recipient interactions with video email (opens, clicks, plays)
  • Video email ID
  • Subject line of the email being sent
  • URL of the video email landing page

What the extension does NOT collect:

  • Your browsing history
  • Passwords, payment information, or other sensitive form data
  • Any content on pages outside of supported recording and insertion workflows

When Does the Extension Access Your Camera, Microphone, or Screen?

  • Camera and microphone are accessed only when you actively initiate a video recording.
  • Screen sharing is activated only when you choose to record your screen.
  • Website URLs are read only to detect supported email and CRM platforms so the extension can offer inline recording and insertion features.

The extension does not run in the background or monitor your activity when you are not actively using it.


How Is Your Data Protected?

Encryption

  • Data in transit is encrypted using TLS 1.2 over public networks.
  • Data at rest is encrypted using AES-256 at minimum.

Authentication & Authorization

  • OAuth 2.0 integration with Gmail ensures secure login without storing your credentials.
  • Role- and permission-based access controls prevent unauthorized access to your data.
  • AWS IAM roles and custom ACLs are used for infrastructure-level authorization.

Infrastructure

  • All endpoints sit behind a private subnet to protect against attack.
  • A Bastion Host governs all access to customer production data.
  • MFA is required for access to production data.
  • VPN IP restrictions limit access to authorized team members only.

Monitoring

  • A 24/7 SIEM (Security Information and Event Management) monitors all web application activity.
  • 24/7 application performance monitoring is in place.
  • Monthly penetration testing is performed by IT staff.
  • Routine third-party security reviews and pen tests are conducted.
  • Log aggregation and retention are maintained for compliance purposes.

Change Management

All builds and deployments go through a gating process that includes peer code review for secure coding practices, QA, and automated testing before release.


Compliance

BombBomb's data handling practices align with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)

Your Responsibility

To help keep your account secure:


Frequently Asked Questions

Does the extension track my web browsing?

No. The extension reads URLs only to detect supported platforms for recording and insertion. It does not track or log your general browsing activity.

Is recipient tracking always on?

No. Recipient data is only collected when you have the tracking feature enabled in your BombBomb account.

Where are my videos stored?

Videos are stored securely in your BombBomb account. You control whether to share or delete them.

Does this apply to the Edge extension as well?

Yes. The Chrome and Edge extensions have the same functionality, data practices, and security standards. The Edge extension has passed Microsoft's security review, just as the Chrome extension has passed Google's.