Browser extension privacy notice

Applies to: Chrome / Edge browser extension Live2D Web Canvas (including BETA test versions) Effective date: 2025-01-01 ｜ Last updated: 2026-05-05 Publisher: Beijing Tianxiansheng Software Technology Center

This policy only describes how the Chrome / Edge browser extension Live2D Web Canvas (the "Extension") handles data while the user is using it. It does not apply to other services on this website, the WordPress plugin, or any other client products.

1. What data we collect

In line with the Chrome Web Store "Data Use" categories, the Extension only handles the following two categories, and only after the user actively logs in:

Data type	Specific contents	When it is collected
Authentication info	An access token (JWT containing `key` and `sign`) issued by this website, used to unlock paid features.	When the user clicks "Sign in" in the Extension and submits credentials on `www.live2dweb.com`'s login page; the Extension receives it.
Personal identifier	An internal identifier one-to-one mapped to the user account (linked to the account at sign-in). The Extension does not collect name, email, phone number, age, ID number, postal address, or any other personally identifying information.	Same as above: only obtained alongside the access token after sign-in.

What we do not collect (explicit declaration)

We do not read, store, or upload the URLs, titles, or browsing history of pages you visit.
We do not read or upload any text, image, form, input, cookie, or DOM node from any page you visit.
We do not collect mouse clicks, scrolls, or keystrokes (the mascot only animates orientation locally based on the current cursor position; that data never leaves your browser).
We do not collect geolocation, IP address, or device fingerprint.
We do not collect health, medical, financial, credit, or payment-card information.
We do not collect emails, instant messages, or personal communications of any form.

2. Where data is stored

Storage location	Contents
`chrome.storage.sync` (local, synced with your Chrome account)	Extension preferences: whether the mascot is enabled, the chosen model, the chosen texture, tip-bubble frequency, toolbar toggles, etc.
`chrome.storage.local` (local only)	The access token (JWT) obtained after sign-in. The token is not synced across devices.
Browser IndexedDB (local)	Live2D model files (`.moc`, PNG textures, motion JSON, etc.) the user actively downloads from the model library, used for offline loading and faster display.
Backend server `https://api.live2dweb.com`	The user's account info itself (already exists when the user signs in to this website; nothing to do with the Extension); plus standard access logs of API calls made by the Extension carrying the access token (timestamp, request path, response code), without page contents.

3. Data use (single purpose)

The single purpose of the Extension is: to overlay a Live2D virtual character at the bottom-right corner of webpages. The collected data is used only to:

Identify paid users so they can use features like "Custom model URL" in the Extension.
Download the user-selected model files from this website's own domain https://download.live2dweb.com.
Save the user's display preferences so the experience is consistent across tabs and devices.

We do not sell user data.
We do not transfer user data to third parties unrelated to the Extension's single purpose.
We do not use user data for credit assessment, lending, or anything credit-related.
Other than this website's own domains (www.live2dweb.com, api.live2dweb.com, download.live2dweb.com), the Extension does not initiate requests to any third-party server.

5. User control over personal data

Sign out: in the Extension's options page (click the icon → Options → Login tab) click "Sign out" to clear the locally stored access token.
Clear model cache: in the options page → V1 model library tab, you can delete downloaded models one by one to free IndexedDB storage.
Clear all preferences: uninstall the Extension at chrome://extensions; the browser also clears all data this Extension stored in chrome.storage and IndexedDB.
Account deletion / removing personal data on the server: send a deletion request to the email below; we will process it within a reasonable time.

6. Data security

Access tokens are transferred over HTTPS and validated with HMAC signatures to prevent tampering.
Tokens are kept only in the user's local browser chrome.storage.local; they never appear in URLs or logs.
The Extension does not use any Remote Hosted Code: all JavaScript ships inside the extension package. The contents fetched from download.live2dweb.com are model data resources only (binary / images / JSON) and are never executed as code.

7. Children's privacy

The Extension is not designed for children under 13, and it does not knowingly collect personal information from children.

8. Policy changes

If this policy changes materially, we will update the "Last updated" date at the top of this page and notify users through the extension update notes. Continued use of the Extension constitutes acceptance of the updated policy.

9. Contact us

Email: jwf@live.cn
Entity: Beijing Tianxiansheng Software Technology Center

1. What data we collect​

What we do not collect (explicit declaration)​

2. Where data is stored​

3. Data use (single purpose)​

4. Data sharing and transfer​

5. User control over personal data​

6. Data security​

7. Children's privacy​

8. Policy changes​

9. Contact us​