ApplyCoveApplyCove

Extension Privacy

What the ApplyCove Session Sync browser extension collects and how it's handled.

Last updated: May 2026

No portal passwords

The extension never asks for or stores your Naukri or LinkedIn password. It only mirrors a session you already created.

Encrypted at rest

Captured cookies and localStorage are AES-256 encrypted before they leave your device and stay encrypted in S3.

Delete any time

Disconnect a platform in the ApplyCove dashboard and the session is wiped from S3 immediately.

1. What the extension does

The ApplyCove Session Sync Chrome extension lets a signed-in ApplyCove user mirror their job-portal browser session (cookies and localStorage for Naukri or LinkedIn) to their ApplyCove account. The platform then uses that session to automate job applications on the user's behalf. The user's portal password is never collected.

2. Data we collect

  • Portal session cookies. When the user clicks "Sync", the extension reads cookies on naukri.com or linkedin.com via the chrome.cookies API. This may include authentication cookies (for example nauk_at on Naukri or li_at on LinkedIn).
  • Portal localStorage. If a portal tab is open, the extension reads localStorage from that tab via chrome.scripting.executeScript.
  • ApplyCove auth token. The extension reads the existing refreshToken cookie set by api.applycove.com to authenticate uploads. It is never copied or stored outside the cookie store.

3. What we do not collect

  • Your Naukri or LinkedIn password.
  • Your browsing history outside the explicitly synced portals.
  • Cookies from any site other than naukri.com, linkedin.com, and api.applycove.com.
  • Form contents or keystrokes.

4. How it is stored

On upload, the cookies and localStorage are encrypted with AES-256-GCM before being written to ApplyCove's S3 bucket. The decryption key is held only on ApplyCove's job worker, which uses the session to log in to the portal for automated applications. The blob is keyed by your user ID and the platform name (browser-sessions/<userId>/<platform>/session.json).

5. Retention

We retain a synced session until you remove it. From the Connected Accounts page in the ApplyCove dashboard, click Disconnect platform to wipe the encrypted session blob from S3 and clear the related session metadata on your account. Disconnect is immediate and permanent. There is no second "keep credentials, drop session" state because ApplyCove does not store portal credentials in the first place.

The extension itself stores nothing beyond what Chrome holds on your device. There is no extension-side chrome.storage use for user data.

6. Sharing

We do not sell, rent, or share the captured session data with third parties. The data is accessible only to ApplyCove's automation worker, scoped to your account.

7. Permissions explained

  • cookies — read auth cookies on the supported portals and read ApplyCove's refresh-token cookie to authenticate uploads.
  • scripting — read localStorage from an open portal tab. No code is injected; we only read existing values.
  • tabs — find an open portal tab or open one when the user clicks "Log in".
  • notifications — show a toast when a sync completes.
  • host_permissions on naukri.com / linkedin.com — required to read cookies and localStorage on the portals you choose to sync.
  • host_permissions on api.applycove.com — required to upload the session to your ApplyCove account.

8. Your rights

You can delete a synced session at any time from the Connected Accounts page in the dashboard. To request full deletion of your ApplyCove account (which includes any synced sessions), email support@applycove.com.

9. Contact

Questions about this policy or the extension's data handling can be sent to support@applycove.com.

This page applies specifically to the ApplyCove Session Sync browser extension. For the ApplyCove platform's broader policy, see the main privacy policy.