Your Privacy Matters

Privacy Policy

Last Updated: May 11, 2026

1. Introduction

New Order Global ("we", "our", "us") is operated by 32dOneLABS. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use:

  • The New Order Global Chrome extension (the "Extension")
  • Our website at global-order.32d.one (the "Website")
  • Our API server at api.global-order.32d.one (the "Server")
  • Any self-hosted server based on our source-available code (the "Source-Available Server")

By using any of these services, you consent to the data practices described in this policy. If you do not agree, please do not use our services.

2. Data Controller

Responsible Entity

32dOneLABS

Email: support@32d.one

Website: https://global-order.32d.one

X/Twitter: @32dOneLABS

For EU/EEA users: 32dOneLABS is the data controller for data processed through our official Server and Website. If you self-host the Source-Available Server, you are the data controller for your own instance and responsible for your own privacy compliance.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data (provided by you)

  • Email address — required to create an account and log in
  • Password — stored as a bcrypt hash; we cannot read your plaintext password
  • Display name — optional, visible only to you

3.2 AI Tool Builder Data (generated through use)

  • AI prompts — the text descriptions you provide when requesting the AI to build a tool
  • Conversation history — iterative chat messages between you and the AI during tool refinement
  • Generated tool code — JavaScript, CSS, and configuration produced by the AI based on your prompts
  • Tool metadata — name, description, target websites, status (draft/active/archived)

3.2.1 Global Executive Agent Data (generated through use)

When you start a Global Executive task, the following data is created and stored under your account:

  • Task prompt — the instruction you gave the agent
  • Agent plan — the AI-generated step list for the task
  • Step logs — per-step records of actions taken (click / type / navigate / read / screenshot), the target element selectors, and the step result
  • Page content snippets — textual excerpts of the DOM the agent extracted to make its next decision. Only content from pages you authorised is captured
  • Screenshots — images of pages the agent visited, used by multimodal models for planning. Screenshots may include whatever is visible on the page at the time (including any personal data visible to you)
  • Status & credit cost — task status (running / paused / done / failed), model used, total credits consumed, step count
  • User-provided answers — any text you type when the agent asks a follow-up question during a task

Important: Agent data can include anything visible on the pages you direct the agent to. If you run the agent on a page showing personal information (emails, messages, account details, financial data), that information will be transmitted to our Server and to our AI provider (OpenRouter) for planning. Use the agent only on pages whose contents you are comfortable sending to those processors. You can delete any task from your dashboard at any time.

3.3 Usage & Billing Data

  • Credit balance & transactions — credits purchased, used, and remaining
  • AI request count — number of AI generation requests made
  • Daily request count — used for rate limiting (50 requests/day)
  • Lemon Squeezy customer ID — linked when you purchase credit packages
  • Payment records — processed by Lemon Squeezy; we only store the transaction reference, not your full payment details

3.4 Technical & Log Data (collected automatically)

  • IP address — logged in audit records for security and abuse prevention
  • User-Agent string — logged in security audit events
  • Request ID — unique UUID per request for log correlation
  • Timestamps — account creation, last login, tool creation/update times

Audit logs are automatically deleted after 90 days.

3.5 Local Browser Data (stored on your device only)

  • JWT authentication token — stored in chrome.storage.local; only accessible by the Extension
  • Installed tools & tool code — cached locally for instant injection without network calls
  • Extension settings & preferences — layout preferences, YouTube tool settings, etc.
  • Tool-specific data — data collected by AI-generated tools, stored via isolated per-tool storage

This data never leaves your browser unless you explicitly export it. We do not have access to your local browser storage.

4. How We Use Your Data

We process your personal data for the following lawful purposes:

4.1 Service Delivery (Contractual Necessity — GDPR Art. 6(1)(b))

  • Authenticating your account and managing sessions
  • Generating AI tools based on your prompts via OpenRouter
  • Planning and executing Global Executive agent tasks you initiate (multimodal reasoning over the page content and screenshots you authorised)
  • Saving, syncing, and retrieving your tools, conversations, and agent task history across devices
  • Processing credit purchases and managing your credit balance
  • Injecting your accepted tools into matching websites

4.2 Security & Abuse Prevention (Legitimate Interest — GDPR Art. 6(1)(f))

  • Rate limiting to prevent API abuse (50 AI requests/day per user)
  • Audit logging of credit transactions and security events (90-day retention)
  • Detecting and blocking suspicious activity (failed logins, rate limit hits, invalid webhooks)
  • Account suspension for Terms of Service violations

4.3 Communication (Consent — GDPR Art. 6(1)(a))

  • Service-related notifications (billing confirmations, security alerts)

We do not send marketing emails. We do not sell, rent, or share your email with third parties for marketing purposes.

5. Third-Party Services & Data Sharing

We share limited data with the following third parties to operate the service:

5.1 OpenRouter (AI Provider)

What is shared: Your AI prompts and conversation context are sent to OpenRouter to generate tool code. We do not send your email, password, or personally identifying information to OpenRouter.

OpenRouter's policy: https://openrouter.ai/privacy

Key protection: The OpenRouter API key is stored only on our server and is never exposed to the Extension or client-side code.

5.2 Lemon Squeezy (Payment Processor)

What is shared: When you purchase credits, you are redirected to Lemon Squeezy's checkout. Lemon Squeezy collects your payment details directly — we never see or store your credit card number.

What we receive: A webhook with your Lemon Squeezy customer ID and purchase details (no card data). We use this to credit your account.

Lemon Squeezy's policy: https://www.lemonsqueezy.com/privacy

5.3 MongoDB Atlas (Database Hosting)

What is stored: All server-side data (account info, tools, conversations, audit logs) is stored in MongoDB Atlas. MongoDB acts as a data processor under our instructions.

MongoDB's policy: https://www.mongodb.com/legal/privacy

5.4 Self-Hosted Source-Available Server Instances

If you use a self-hosted version of our Source-Available Server, your data is processed by that server's operator, not by us. We have no access to, control over, or responsibility for data processed by self-hosted instances. The operator of a self-hosted instance is their own data controller.

We do not sell your data. We do not share your data with advertisers. We do not use tracking pixels or analytics services that profile you across websites.

6. Data Retention

Retention Periods

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
  • AI tools & conversations: Retained until you delete them or your account. Draft tools not accepted within 30 days may be automatically cleaned up.
  • Audit logs: Automatically deleted after 90 days (TTL index).
  • Payment records: Retained as required by applicable financial regulations (typically 5–7 years for tax/accounting purposes). Only transaction references are retained, not full payment details.
  • Local browser data: Persists until you uninstall the Extension or clear browser data. We cannot remotely delete local storage.

7. International Data Transfers

Our server is hosted in the United States via MongoDB Atlas. OpenRouter and Lemon Squeezy are also US-based services. If you are in the EU/EEA, UK, or any jurisdiction with data protection laws different from the US, please be aware that your data may be transferred to and processed in the United States.

We rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — MongoDB Atlas, OpenRouter, and Lemon Squeezy provide SCCs for EU–US data transfers
  • EU–US Data Privacy Framework — where applicable, sub-processors certified under the framework
  • Adequacy decisions — where recognized by the European Commission

8. Your Rights (GDPR & EU Law)

Under the General Data Protection Regulation (GDPR) and other applicable EU data protection laws, you have the following rights:

8.1 Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you. You can also view most of your data directly through your Dashboard at any time.

8.2 Right to Rectification (Art. 16 GDPR)

You can update your display name and email through your account settings. Contact us if any data is inaccurate.

8.3 Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)

You can delete your account and all associated data from your Dashboard settings page. Upon deletion, your account, tools, conversations, and personal data are permanently removed within 30 days. Audit logs (which do not contain your personal content) are retained for 90 days for security purposes.

8.4 Right to Data Portability (Art. 20 GDPR)

You can export your tools and conversation data in JSON format via the API. Contact us for a full data export.

8.5 Right to Restrict Processing (Art. 18 GDPR)

You can request that we restrict processing of your data in certain circumstances (e.g., accuracy disputes, unlawful processing claims).

8.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests (e.g., audit logging). We will cease processing unless we have compelling legitimate grounds.

8.7 Rights Related to Automated Decision-Making (Art. 22 GDPR)

We do not use automated decision-making or profiling that produces legal or similarly significant effects. AI tool generation is a user-initiated, user-controlled process.

8.8 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

8.9 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact us at support@32d.one. We will respond within 30 days as required by GDPR.

9. Children's Privacy

New Order Global is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

10. Browser Permissions

The Extension requests the following Chrome permissions to function:

Storage

Used to save your authentication token, installed tools, and preferences locally on your device via chrome.storage.local.

Tabs

Used to detect when you navigate to a website so the Extension can inject matching tools, and so Global Executive can read the tab URLs and titles you authorise for a task.

Scripting

Used to inject your accepted AI-generated tool code (JavaScript + CSS) into web pages that match the tool's target sites, and to execute Global Executive agent actions inside the authorised tab.

Active Tab

Used to interact with the currently active tab for tool injection and agent execution.

Side Panel

Used to display the Extension's side panel UI (tool list, builder, settings).

Debugger

Used exclusively by Global Executive to drive authorised tabs reliably (typing real keystrokes, clicking precise coordinates, and capturing screenshots via the Chrome DevTools Protocol). When the debugger is attached, Chrome shows a persistent yellow notification bar on the tab. The extension only attaches to the tab the user has assigned to an active task, and detaches when the task ends.

Downloads

Used by Global Executive to save files (e.g., exported tool bundles, agent-captured artefacts, CSV exports) to your local Downloads folder when you explicitly request it.

Alarms

Used to schedule background work such as authentication token refresh, agent task heartbeats, and periodic notification checks.

Clipboard Read

Used only when you explicitly ask Global Executive or a tool to "use what is on my clipboard". The extension does not read your clipboard in the background.

Host Permissions (<all_urls>)

Required because AI-generated tools and Global Executive tasks can target any website. The Extension only injects code into pages that match your configured tool target sites, and only attaches the agent to the tab(s) you explicitly authorise for a task — it does not read or modify every page you visit.

11. User-Generated Content & Source-Available Notice

New Order Global allows users to generate custom tools via AI. These tools are created based on user prompts and are stored in the user's account. Important points:

  • You own the tools you create. The AI-generated code belongs to you. We do not claim ownership of user-generated tool code.
  • We are not responsible for what users create. Users are solely responsible for the tools they generate, the data those tools collect, and how they use them. We do not pre-screen, review, or endorse user-generated tools.
  • Source-available code. The Chrome Extension and the Source-Available Server are released under the Global Executive Source-Available License v1.0 — not MIT. The license is free for personal, educational, internal, and self-hosted use; commercial resale, paid SaaS hosting, or embedding into paid products requires a paid commercial license (see the Terms of Service, Section 6). Anyone may fork, modify, and self-host these components under the license terms. We are not liable for how others use, modify, or deploy the code.
  • Private server code. Our proprietary server code (the production API server) is not published as source-available. This is to protect security-sensitive infrastructure, API keys, and system architecture from exposure. The Source-Available Server provides a minimal, auditable alternative for self-hosting.
  • Self-hosted instances. If someone runs their own instance using the Source-Available Server, they are the data controller and operator. We have no access to, oversight of, or liability for self-hosted instances.

12. Data Collected by AI-Generated Tools & Global Executive

12.1 AI-Generated Tools

AI-generated tools may collect data from websites you visit (e.g., scraping text, extracting emails, collecting links). This data is:

  • Stored locally in your browser via isolated per-tool storage (ToolStorage)
  • Never sent to our servers unless you explicitly choose to sync or export it
  • Subject to the target website's own terms of service — you are responsible for ensuring your tool usage complies with applicable website terms and laws

We do not have access to, control over, or visibility into what data your tools collect on your local device.

12.2 Global Executive (Agent) Data Collection

Unlike AI-Generated Tools, Global Executive is a server-assisted agent. To plan and execute your task, the following data leaves your device:

  • The textual content of the authorised page (or the portion the agent needs to read to make a decision)
  • Screenshots of the authorised tab, captured by Chrome's debugger API, sent to multimodal AI models for visual reasoning
  • A structured log of every action the agent performs and the page response
  • The task prompt and any follow-up answers you give the agent

This data is transmitted to our Server (api.global-order.32d.one) and forwarded to OpenRouter (our AI model gateway) for planning. It is then stored under your account in MongoDB Atlas. You can delete any task from your dashboard. Storage is subject to the retention rules in Section 6.

You control the scope. The agent only reads pages you authorise for a task. It does not silently monitor other tabs. Chrome shows a persistent yellow banner on any tab the agent is attached to via the debugger. You may stop a task at any time from the agent panel.

Do not use the agent on pages containing data you are not comfortable sending to our Server and to OpenRouter. If in doubt, use a self-hosted Source-Available Server with your own API keys to keep agent data entirely within your control.

13. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Password hashing: bcrypt with salt — passwords are never stored in plaintext and cannot be read by anyone, including us
  • JWT authentication: Tokens signed with HS256; algorithm pinning prevents algorithm-switching attacks
  • Token isolation: Auth tokens stored in chrome.storage.local — only accessible by the Extension, not by websites or other extensions
  • API key protection: OpenRouter, Lemon Squeezy, and MongoDB credentials exist only on the server; never exposed to the client
  • Input sanitization: All request bodies are whitelisted, trimmed, and length-limited; NoSQL injection prevention
  • Rate limiting: General (200/15min), Auth (5/15min), AI (3/min), Billing (10/hour)
  • CORS lockdown: Production API only accepts requests from the official Website and Extension ID
  • Audit trail: All significant events logged with 90-day auto-expiry
  • HTTPS/TLS: All data in transit is encrypted
  • Webhook verification: Timing-safe signature comparison for Lemon Squeezy webhooks

While we take reasonable measures to protect your data, no system is completely secure. We cannot guarantee absolute security.

14. EU Regulatory Compliance

In addition to GDPR, we comply with or are mindful of the following EU regulations:

14.1 ePrivacy Directive (2002/58/EC, as amended)

We do not use cookies for tracking or advertising. We do not use tracking pixels. The Extension does not place tracking cookies on websites you visit. Local storage usage is strictly for service functionality (preferences, tool caching, authentication).

14.2 Digital Services Act (DSA — Regulation 2022/2065)

New Order Global is a small-scale service. We are not a Very Large Online Platform (VLOP) under the DSA. However, we provide:

  • Transparent terms of service and content moderation policies
  • A mechanism for reporting illegal content or tools
  • Clear point of contact for authorities and users

14.3 Digital Markets Act (DMA — Regulation 2022/1925)

We are not a gatekeeper under the DMA. This regulation does not apply to our service.

14.4 AI Act (Regulation 2024/1689)

Our AI tool generation feature uses third-party general-purpose AI models (via OpenRouter). We do not develop or deploy high-risk AI systems as defined by the AI Act. AI-generated tools are user-initiated and user-controlled. Users are responsible for ensuring their use of AI-generated tools complies with applicable law.

14.5 Consumer Rights Directive (2011/83/EU)

Credit packages are digital goods. Under EU law, you may have a 14-day right of withdrawal for distance contracts. However, once credits are consumed (used for AI generation), the right of withdrawal may no longer apply as the digital content has been supplied and consumed with your consent.

14.6 Payment Services Directive (PSD2)

Payment processing is handled entirely by Lemon Squeezy, which complies with PSD2 requirements including Strong Customer Authentication (SCA).

15. US Privacy Laws (CCPA/CPRA)

For users in California, under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to Know: You can request disclosure of what personal data we collect, use, and share (see Section 3)
  • Right to Delete: You can request deletion of your personal data (see Section 8.3)
  • Right to Opt-Out of Sale: We do not sell your personal data. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact support@32d.one.

16. UK Data Protection

For users in the United Kingdom, your data is protected under the UK GDPR and the Data Protection Act 2018. The rights described in Section 8 apply equally to UK users. The UK has deemed the EU GDPR adequate, and vice versa, so data transfers between the EU and UK are not restricted. International transfers to the US are covered by the mechanisms in Section 7.

17. Cookie Policy

Our Website may use minimal, essential cookies for authentication (session tokens). We do not use advertising cookies, analytics cookies, or third-party tracking cookies. The Extension uses chrome.storage.local (not cookies) for all local data storage.

If we introduce non-essential cookies in the future, we will update this policy and provide a cookie consent mechanism as required by the ePrivacy Directive.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify you via the Extension, Website, or email. Your continued use of the service after changes constitutes acceptance of the updated policy.

19. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern:

We will acknowledge receipt of your request within 10 days and respond substantively within 30 days (or 60 days for complex requests, as permitted by GDPR).