Sonny Chrome Extension Privacy Policy

Last updated: 9 May 2026

Extension name: Sonny — AI Recruiter · Publisher: 9Mil Ltd

Summary

The Sonny extension is a tool for professional recruiters who already use the 9Mil Sonny API. It adds three buttons to a LinkedIn profile page that you, the recruiter, choose to click: Sonny (score), Headhunt, and + Pipeline. Nothing happens until you click. We do not run in the background.

We collect the minimum information needed for the action you triggered, and we send it only to your own 9Mil agency account. We do not sell data, share it with advertisers, or use it for any purpose other than executing the action you requested.

What we read

When you click one of the extension's buttons on a LinkedIn profile page, the extension reads only the visible content of that page's DOM. Specifically, it extracts:

  • The candidate's full name
  • Their current title and company (when shown on the page)
  • Their location (when shown on the page)
  • Their public LinkedIn profile URL
  • The headline / tagline visible on the profile

We do not read your messages, your cookies, your contacts, your search history, your posts, your connections, or any private LinkedIn data. We do not screenshot the page. We do not call any LinkedIn private API.

Where the data goes

On click, the extracted fields are sent over HTTPS to https://9mil.io/api/v1/sonny/* using your personal Sonny API key as a Bearer token. The receiving endpoint depends on which button you pressed:

  • Score /api/v1/sonny/screen — runs an LLM screen for fit against your configured role.
  • Find similar /api/v1/sonny/source — returns up to ten similar candidates from our contact-data provider.
  • Headhunt /api/v1/sonny/headhunt — sends a single consent-first SMS to a phone number you typed in. PECR / GDPR “Y to consent” flow.
  • + Pipeline /api/v1/sonny/candidates — inserts the candidate into your agency's private Sonny pipeline table.

The data is stored under your agency's account on Supabase (EU-hosted), is scoped to your API key, and is only ever returned to you.

What stays local

Your Sonny API key, your default role brief, your name (used as recruiter attribution on outreach), and a 10-minute cache of your tier and credits balance are stored in chrome.storage.local. They never leave your browser except as the Bearer token attached to the API call you initiated.

Permissions we request, and why

  • storage — to persist your API key and settings in chrome.storage.local.
  • activeTab — to read the visible LinkedIn profile DOM only when you click an extension button on that tab.
  • scripting — to execute a one-shot DOM read in the active tab when you press “Score this profile” from the toolbar popup.
  • host permissions for https://www.linkedin.com/* (to add the buttons), https://9mil.io/* (to call your Sonny API), and http://localhost:3000/* (development only).

What we do not do

  • We do not sell, rent, or share your data with advertisers.
  • We do not use your data to train models that benefit other agencies.
  • We do not run any background scrape or schedule on LinkedIn.
  • We do not track your browsing on sites other than LinkedIn profile pages.
  • We do not collect financial or payment data through the extension.
  • We do not collect your LinkedIn login credentials.

Retention & deletion

Pipeline candidates persist in your agency's Sonny database until you or another recruiter on your team deletes them. Audit log entries (a record of every action your API key took) follow the retention rules in our main privacy policy. You can request deletion of your agency's Sonny data at any time by emailing support@9mil.io; we will action requests within 30 days.

Data subject rights (GDPR / UK GDPR)

If a candidate you have reached out to via Sonny exercises their right to access, rectify, or erase their data, you (the agency operating Sonny) are the data controller for that record. 9Mil acts as your processor. Contact us at support@9mil.io and we will assist with the request.

Changes to this policy

We will update this page when the extension's data behaviour changes. Material changes (new endpoints, new permissions, new third parties) will be highlighted at the top of this page for at least 30 days.

Contact

9Mil Ltd, United Kingdom · support@9mil.io