Privacy Policy — FlowDevKit

1. What FlowDevKit Does

FlowDevKit is a browser extension for Microsoft Power Automate developers. It reads the flow definition from the Power Automate API using your existing browser session and presents it through a local developer toolbox — copy JSON, inspect expressions, analyze flow quality, view run history and errors, track variables, and more.

Since v1.2.0 the extension also includes an Environment Variables panel that queries the Dataverse OData API to list environment variable definitions for the current Power Platform environment. This call is made using a Dataverse-scoped session token obtained from your browser's existing Microsoft authentication state — no additional login is required.

2. Data We Do Not Collect

FlowDevKit does not:

Collect, store, or transmit your flow data, environment variables, or run history to any server
Collect personal information (name, email, account details, or user IDs)
Track usage, analytics, or telemetry of any kind
Store authentication tokens persistently — all tokens are held in memory for the duration of the browser session only and are discarded when the browser is closed
Communicate with any server other than official Microsoft Power Platform and Dataverse APIs
Modify your flows unless you actively initiate a paste operation using the Paste Actions feature

3. What Stays on Your Device

The only data FlowDevKit stores locally (via chrome.storage.local) is your UI preferences:

Selected API region (e.g. EMEA, US)
Export format preference (Definition only / Full export)
Colour theme (light / dark)
Custom API host (if entered)

These preferences never leave your device and can be cleared at any time by removing the extension.

Additionally, the extension maintains an in-memory cache of Dataverse Bearer tokens captured passively from outgoing browser requests to *.dynamics.com. This cache is stored only in the service worker's memory, is never written to disk or chrome.storage, and is cleared automatically when the service worker terminates (typically after a few minutes of inactivity).

4. Permissions Explained

Permission	Why it's needed
`activeTab`	Reads the URL of your current tab to extract the environment ID and flow ID required to call the Power Automate API.
`tabs`	Scans tab frames to locate the correct Power Automate frame URL (the designer loads inside an iframe) and to scan open Power Apps tabs for a Dataverse authentication token.
`scripting`	Injects a token-extraction script into the active tab to read Microsoft's authentication library (MSAL) token cache. This is how the extension obtains the Bearer token needed to call the Power Automate and Dataverse APIs on your behalf — the same token the page itself uses.
`clipboardWrite`	Copies flow JSON, individual actions, expressions, or environment variable references to your clipboard when you click a Copy button.
`webRequest`	Observes outgoing request headers on `*.dynamics.com` to passively capture a Dataverse Bearer token. This token is required for the Environment Variables panel. The listener only reads the `Authorization` header value; it does not modify, block, or redirect any requests. The captured token is held in memory only.
`webNavigation`	Detects tab navigation events so the extension can refresh its flow context and warn you if the context may be stale after navigating to a different flow.
`sidePanel`	Enables the extension to open as a docked side panel alongside the Power Automate designer.
`storage`	Saves your UI preferences (region, format, theme) locally so they persist across browser sessions.

5. Host Permissions Explained

Host	Why it's needed
`make.powerautomate.com`	Primary target site — the extension is activated when the Power Automate flow designer is open.
`make.powerapps.com` `make.preview.powerapps.com`	The extension can be opened from a Power Apps solution page. These tabs are also scanned for a Dataverse authentication token needed by the Environment Variables panel.
`copilotstudio.microsoft.com`	Flow context can be resolved when the extension is opened from a Copilot Studio tab.
`*.api.flow.microsoft.com`	Power Automate REST API — used to fetch flow definitions and run history.
`*.environment.api.powerplatform.com`	Power Platform per-environment API — used to fetch environment metadata and flow lists.
`api.powerplatform.com`	Power Platform global API — fallback for flow and connection lookups.
`api.powerapps.com`	Power Apps API — used to look up connection details for the Paste Actions feature.
`api.bap.microsoft.com`	Business Application Platform API — used to resolve the Dataverse instance URL for the current environment (required by the Environment Variables panel).
`login.microsoftonline.com`	Microsoft identity platform — required for authenticated API calls made from the background service worker.
`*.dynamics.com`	Dataverse OData API — used by the Environment Variables panel to query `environmentvariabledefinition` records. The `webRequest` listener is also registered for this host to passively capture the Dataverse Bearer token.

6. Third-Party Services

FlowDevKit communicates exclusively with official Microsoft Power Platform endpoints listed in section 5. No data is sent to the extension author, analytics providers, advertising networks, or any other third party.

7. Changes to This Policy

If this policy is updated, the "Last updated" date and version number at the top of this page will change. Significant changes will also be noted in the extension's release notes on GitHub.

8. Contact

Questions about this privacy policy? Reach out via the feedback form in the extension or open an issue on GitHub.

Submit feedback · GitHub Issues