# Privacy Policy — Fast Invite BM
_Last updated: 2026-05-04_

Fast Invite BM ("the extension") is a single-purpose Chrome extension that
sends a Business Manager invitation to one email address at a time.
## What data the extension reads
- **Active tab URL** (only on your click of the extension button): used to
auto-fill the Business Manager ID. Granted via the `activeTab` permission,
scoped to a single user gesture.
- **Active Facebook Business page context** (only on your click): the
extension reads `BusinessUnifiedNavigationContext.businessID` from the page
to determine which BM you are viewing. This value never leaves your device
except as the destination of the invite request you initiate.
- **Your Facebook session token** (EAAI-prefixed access token): read from
Facebook's own bootloader endpoint using your existing browser cookies. The
token is required to call Facebook's invite API on your behalf.

The extension does **not** store the BM ID, the email, the role, or any
other field you type into the form. The form is empty every time you open
the popup (the BM ID auto-fills from your active Facebook tab when
possible).
## What data the extension sends
- **Invite request** to Facebook's API (`graph.facebook.com` and, as a
fallback, `adsmanager-graph.facebook.com`). The request contains the BM ID,
email address, and role you selected, along with your access token.
- Nothing else. The extension contacts no other server.
## How long data is kept
- The Facebook access token is cached in `chrome.storage.session` for at most
**15 minutes** and is automatically cleared when you close or restart your
browser, or when Facebook reports the token has expired (in which case the
extension fetches a fresh one).
- Nothing else is stored — no form values, no history, no logs.
## Third parties
- The extension only contacts Facebook (`*.facebook.com`).
- The "Open inbox" button opens `https://282mail.com` in a new browser tab.
The extension itself never sends or receives any data from `282mail.com` —
the link simply navigates your browser to the temporary-mail web service
for you to read manually.
- No analytics, no telemetry, no advertising SDKs, no third-party servers.
## Permissions and why each is needed
| Permission | Purpose |
|---|---|
| `storage` | Cache your Facebook session token in volatile session storage (cleared on browser restart) |
| `activeTab` | Read the current tab's URL on your click to detect the BM ID |
| `scripting` | Read the active BM ID from the Facebook Business page context |
| `declarativeNetRequestWithHostAccess` | Set the `Origin` header on extension-to-Facebook requests so Facebook attaches your session cookie |
| `host_permissions: https://*.facebook.com/*` | Send the invite to Facebook's API |
## Your rights
- You can uninstall the extension at any time. All locally stored data is
removed when you do so.
- The extension is open source. You can review every line of code at the
source repository linked in the Chrome Web Store listing.
## Contact
If you have any questions about this policy, please open an issue at the
extension's source code repository.