Is LexiFlow safe?
This security report analyses whether LexiFlow is safe to install in your browser. We check LexiFlow for malicious behaviour, data exfiltration, suspicious permissions, and known vulnerabilities so you can decide whether it is safe for personal use or for your enterprise fleet.
LexiFlow is a literacy support extension from Texthelp that provides text-to-speech and word prediction. It transmits data to texthelp.com and lingapps.dk for authentication and dictionary services. 11 of its 13 postMessage handlers do not validate the message origin.
AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.
Findings
Full page URL transmitted in Google Analytics events for every feature interaction
The content-script F() function (content-script.js:22292) sends window.location.href as the 'website' parameter in every analytics event via the pushAnalyticsEvent service-worker method. The service-worker ot() function (service-worker.js:5058) creates an Et event object with website=window.location.href (service-worker.js:4447) and posts it to https://www.google-analytics.com/mp/collect?measurement_id=G-R66JKPP9E8&api_secret=eDgrbPMASgiNcg3B4m4uPg (service-worker.js:4693). The payload includes full page URLs alongside feature event names (e.g. SpeechStarted, SnippingToolSelected, DictionaryOpened).
Screen region images transmitted to first-party OCR endpoint when snipping tool is used
When the user draws a selection rectangle with the snipping tool, content-script.js calls A.callMethod('captureAndOcrRegion', ...) (content-script.js:24220), which invokes Nr() in service-worker.js (service-worker.js:6484). Nr() calls chrome.tabs.captureVisibleTab() to capture a screenshot of the current tab, crops it to the selected region using OffscreenCanvas, then posts the image blob to https://lexiflow.texthelp.com/ocr/{locale} (service-worker.js:4408). The image data includes whatever content was visible in the selected region.
OAuth2 access token transmitted in WebSocket URL query string for dictation service
When the user activates speech-to-text dictation, service-worker.js createDictationWebSocket() (service-worker.js:4413) fetches the current access token via this._getAccessToken() and appends it to the WebSocket URL as a query parameter: wss://lexiflow.texthelp.com/dictation?language=...&access_token={token} (service-worker.js:4416). Tokens in URL query strings are typically logged in server access logs and may appear in browser history or network proxies.