Lesuto Chameleon Toolkit — Privacy Policy

Last updated: April 17, 2026

Overview

Lesuto Chameleon Toolkit is a Chrome extension published by Lesuto Technologies, Inc. It is a developer tool for merchants, suppliers, and developers building on the Lesuto Chameleon e-commerce platform. The extension blocks analytics and tracking requests during development sessions so that developer activity does not pollute production metrics, and provides a one-click visual editor (the “Studio”) for the Chameleon SDK.

Data Collection

The Lesuto Chameleon Toolkit does not collect, transmit, or store personal information about you for the publisher's purposes.

The extension specifically:

The single exception — covered in detail in “Authentication Information” below — is the user's existing Lesuto admin session token, which the extension reads from the same browser tab the user is already signed in to and which is only ever sent back to the same admin API the user is already authenticated with.

Authentication Information

To enable the Studio companion feature, the extension reads two values from localStorage on admin.lesuto.com when the user has that site open in another tab:

These values are stored locally in chrome.storage.local under the key lesutoAuth. They are used to:

The auth token is never sent to any server other than Lesuto's first-party API gateway (api.lesuto.com), which proxies to the admin backend the token came from (admin.lesuto.com). It is never sent to a publisher analytics endpoint, third-party service, or anywhere outside the user's own tenant. To revoke it, log out of admin.lesuto.com — the extension will detect the cleared localStorage within 60 seconds and disconnect.

Data Stored Locally

The extension uses chrome.storage.local to persist state on the local device. None of this data leaves the browser except as described above for the auth token.

Storage key Purpose Sent externally?
shieldState.enabled Whether the tracking shield is on or off No — local only
shieldState.categories Per-category blocking toggles No — local only
shieldState.blockCounts Per-category counters for the popup display No — local only
lesutoAuth User's own admin session token, mirrored from admin.lesuto.com localStorage Only to api.lesuto.com (the first-party gateway proxying to the admin backend the token came from)
draft_{channelToken}_{host}_{siteId} Pending Studio editor configurations the user has not yet published. The trailing site segment scopes drafts per-deployment so a single channel with multiple stores never overwrites a sibling store’s pending changes. Only to admin.lesuto.com when the user clicks “Publish”

Permissions Explained

Permission Why It's Needed
declarativeNetRequest Block analytics, ad network, and pixel requests at the browser level before they are sent. Uses Chrome's built-in rule engine — the extension never sees request bodies or response content.
declarativeNetRequestFeedback Count how many network-level requests were blocked, displayed in the popup. Available only in unpacked/dev mode; production block counts come from the content-script intercepts.
storage Save user preferences, block counters, the auth token described above, and studio drafts in chrome.storage.local.
activeTab When the user clicks “Open Studio,” grants temporary access to the active tab so the extension can inject the Studio script. Granted only on user interaction with the popup.
scripting Required alongside activeTab to execute the Studio injection script and to bridge studio saves to an open admin tab via chrome.scripting.executeScript.
tabs Used in two queries: locating an open admin.lesuto.com tab to postMessage saved configs to, and identifying the active tab's host so drafts can be keyed correctly. The extension does not enumerate URLs of unrelated tabs.
host_permissions: <all_urls> The tracking shield must run on any website the developer visits. The Studio companion injects on the active tab on user click. We never read page content, form data, or cookies — only intercept outgoing tracking requests and append the studio script tag on demand.

Content Scripts

Three content scripts run as part of the extension:

SDK Studio Injection

When the user clicks “Open Studio,” the extension appends a single <script> tag pointing to https://www.lesuto.com/chameleon-studio.js. This is a publisher-hosted first-party script — the same script used by the bookmarklet at demo.lesuto.com/editor and by the ?studio=1 mode of the demo gallery at demo.lesuto.com. The extension never modifies page content, only adds one script tag on explicit user interaction.

Third-Party Services

The extension does not use any third-party services, SDKs, or libraries. It is built entirely with standard Chrome Extension APIs (Manifest V3) and ships no bundled dependencies.

Children's Privacy

This extension is a developer tool and is not directed at children under 13. We do not knowingly collect any information from children.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the extension after changes constitutes acceptance of the revised policy.

Contact

If you have questions about this privacy policy or the extension, contact us at:
Email: support@lesuto.com
Website: www.lesuto.com