Honey's Browser Extension Does More Than Just Apply Coupons

You probably have been online shopping before.

You buy something online, then find out there was a coupon you could have applied, or that the item was cheaper on another website. On top of that, the ad feeds on your devices are now full of ads for the item you already ordered.
There are tools designed to help you avoid paying more for an item than it costs elsewhere. Say hello to Honey.

Honey makes one promise: you should never pay more for something if you could have bought it cheaper somewhere else. Install the extension, browse as you normally would, and when you get to checkout it automatically tries coupon codes against your order and applies whatever works best. Takes a few seconds. Costs nothing. Hard to argue with that.

George Ruan and Ryan Hudson started Honey in Los Angeles in November 2012. The launch was not planned: a bug tester posted a link to the prototype on Reddit and people started using it. For years after that, growth was quiet and mostly accidental. Investors had no interest; desktop browser extensions were considered a dead category. By March 2014 the company had around 900,000 users, which was solid but not explosive. The real acceleration came in 2019 when Honey discovered YouTube. Over 5,000 sponsored videos across more than 1,000 channels, 7.8 billion combined views. If a creator had a large enough audience, there was probably a Honey integration somewhere in their back catalogue. PayPal bought the company on January 6, 2020 for roughly $4 billion, the largest acquisition in PayPal's history.

The record coming into that deal had some marks on it. Amazon told its users in December 2019 that the extension was a security risk. Then in December 2024, a YouTuber named MegaLag released a 23-minute video accusing Honey of quietly rerouting affiliate commissions to itself at checkout, even in transactions where it had found no coupon at all, and of letting partner merchants decide which discount codes users actually got to see, hiding better ones to protect their margins. Honey had around 20 million users when the video dropped. By the end of 2025 that number was closer to 12 million. Lawsuits followed, as they tend to.

None of that is what this article is about. It is just background.

Honey's privacy documentation says the company does not sell your personal data. That sentence is true. It has also been written very carefully to be true.

The extension's content script runs on every page you open, no exceptions. There is a hardcoded list of domains, such as banks, webmail and social media platforms, where certain behaviors get suppressed. That list is worth paying attention to, because its existence confirms something: Honey knows its script is active on your Chase login page, your Gmail inbox, your Facebook feed. Switching something off is not the same as not being there. The script loads. Then it decides what to do.

On every product page you visit, before you have clicked anything related to coupons, Honey is already sending data back to its servers. Store ID, product title, the specific variant you are looking at, size, color, configuration, and session data that includes what page you came from before landing on the store. This is not triggered by anything you do. It fires at page load. Your shopping intent gets logged as a built-in condition of using the extension, not as some incidental side effect.

There is also a periodic request that goes out to "history.paypal.com/targeting/set-plugin?src=honey". That is not a Honey domain. It belongs to PayPal's advertising infrastructure. A coupon extension is, on a regular schedule, checking in with a commercial ad targeting system.

None of this counts as selling data. The word "sell" has a legal definition, and the advertising industry spent a long time making sure that definition only covers a narrow slice of what the advertising industry actually does. A straight cash transaction for a raw dataset would qualify as selling the data. A partnership where data access gets bundled into a larger commercial arrangement, a revenue share, an integration fee, a co-marketing deal, does not.

Think of it this way. You could tell someone truthfully that you did not spend any money on beer last night. What you spent money on was a burger. The beers just happened to come with it.

The data does not stop moving once it reaches Honey.

On November 27, 2024, PayPal updated its privacy statement to include sharing user data with a category it calls Partners and Merchants. The default setting is on. You are opted in unless you go looking for the setting to turn it off. Buried in the fine print is a clause that matters: once data has been shared with a Partner, that Partner's own privacy policy takes over. Meaning that what happens to the data shared with a specific Partner is up to that Partner to decide.

One of those partners is a company called Rokt. It is an independent advertising platform, and it is embedded directly inside Honey's extension code, not receiving a data export after the fact, but running its own session tracking in parallel with Honey's. Both systems generate a session ID when you start browsing.
A session ID is just a string of characters that lets a system recognize you across multiple actions in the same sitting: it connects the person who opened a product page at two in the afternoon to the same person who reached checkout twenty minutes later. Honey has one. Rokt generates its own, separately, at the same time. Two trackers, one session, one user. Rokt is not a downstream recipient of Honey's data. It is doing its own tracking, through the same extension.

Rokt was publicly announced as a PayPal partner in October 2025. Its platform, which now includes data infrastructure company mParticle following an acquisition, feeds signals into analytics systems, AI pipelines, monetization layers, and data warehouses run by third parties that Rokt does not identify by name in public disclosures.

PayPal Ads, the advertising business sitting on top of the behavioral data Honey spent years collecting, is projected to grow from $100 million in revenue in 2024 to $2 billion by 2029. Analysts have been straightforward about why: first-party data is the most valuable thing in digital advertising right now, and PayPal has a lot of it, specifically because Honey was installed in browsers at the exact moment hundreds of millions of purchase decisions were being made.

Every company in this chain has a privacy statement. Every privacy statement says some version of "we do not sell your personal data." Every one of them is technically accurate under the same definition.

There is one thing Honey's extension does that has nothing to do with coupons.

Open ChatGPT in your browser and a separate script file, "h1-gpTips.js", gets injected into the page. This is not a generic behavior that happens on every website. It is specific. Inside Honey's source code there is a single hardcoded store ID, mapped exclusively to "chatgpt.com". No other AI platform appears in that list. ChatGPT is singled out and named in the code on purpose.

Once the script is running, it attaches a MutationObserver to the conversation thread. A MutationObserver is a browser API that watches a part of a webpage and fires automatically when the content changes, when a new element appears, when text gets added. Honey points one at your ChatGPT thread. Every time a new message shows up, yours or the AI's, the observer fires and Honey reads it. You do not click anything to make this happen. The conversation itself is the trigger.

When you send a message, Honey reads the text out of the page using a DOM selector, ".whitespace-pre-wrap" targeting the same element ChatGPT uses to display your input. The DOM is the browser's internal map of everything currently on a webpage. Every piece of text, every button, every chat bubble is an element in that map. JavaScript can read any of it.

Before Honey has made any decision about whether your message is relevant to shopping, the full text of your message is transmitted to "d.joinhoney.com/v3" in a call named "ext_gpTips_checkIsProduct".
Honey's servers make the call on whether your message counts as product-related. If they decide it does, a second transmission, "ext_gpTips_getProductData", goes out carrying the full text of ChatGPT's response back to Honey.

Honey can tie multiple exchanges together into a thread, not just read isolated messages. There is no notification that any of this is happening. Nothing in Honey's privacy documentation mentions it. OpenAI has no part in it and no way to see it — Honey reads the page directly using "chrome.scripting.executeScript" with the universal host permissions the extension requested on install. This is not a ChatGPT integration and it is not done in cooperation with OpenAI. It is a browser extension with access to your entire browser, pointed at a conversation you had no reason to think anyone else was reading.

What counts as "product-related" is not determined by any logic inside the extension. That decision lives on Honey's servers and can be changed remotely, at any time, without pushing an update to your browser. The scope of what gets sent can expand without you knowing.

You installed a coupon finder, and it can read your conversations with an AI.

But wait, there's one more thing we need to look at.

ChatGPT has a feature called Temporary Chat. The name implies what most people assume it means: a conversation that does not get saved and does not show up in your history.

The Honey script checks for it. In the source code, the line "se = e.includes("temporary-chat=true")" reads the URL and detects when you have switched into temporary mode.

The script does not stop. It does not skip the conversation. It keeps the MutationObserver running and keeps reading your messages. The only thing that changes is that instead of using your real conversation ID as the reference ID in the transmission, it generates a random one instead. The content of your messages still goes to Honey's servers. Temporary Chat just means Honey cannot tie that specific conversation to your permanent chat history, but it still keeps reading your chat.

There is also something worth noting about what happens when ChatGPT responds. Before the response text is transmitted to Honey's servers, the code runs a cleaning pass on it, stripping out code blocks and flattening line breaks. This is sometimes described in privacy contexts as anonymization or filtering. What it is, is formatting. The content of the response still goes through.
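The checks behind the ChatGPT and Temporary Chat findings above are the kind an analyst runs over an unpacked extension with a short script. As an added example, not code from the article or from Honey, here is a static-triage script that reads manifest.json for universal host permissions and the scripting permission, then scans each script for host-like string literals (which catches both endpoints such as d.joinhoney.com/v3 and hardcoded domain lists), DOM selectors passed to querySelector, and URL checks done with .includes(). The sample extension it runs on is constructed for the demo: the file names and quoted strings follow the article, and everything around them is placeholder content, not the real extension's code.

```python
"""Static triage of an unpacked browser extension.

Added example, not code from the article or from the extension it analyzes.
Given the unpacked files as {name: content}, it reports what a reviewer
checks first: broad host permissions, the scripting permission, and the
hosts, DOM selectors and URL checks each script references.
"""
import json
import re

# Match patterns that grant access to every site (MV2 and MV3 spellings).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# A "host" whose last label is one of these is really a file name, e.g. "h1-check.js".
SKIP_EXTENSIONS = {"js", "json", "css", "html", "png", "svg", "map"}

# Quoted string that looks like a host or URL, with optional scheme and path.
HOST_RE = re.compile(
    r"""["']((?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^"'\s]*)?)["']""",
    re.IGNORECASE,
)
SELECTOR_RE = re.compile(r"""querySelector(?:All)?\(\s*["']([^"']+)["']""")
INCLUDES_RE = re.compile(r"""\.includes\(\s*["']([^"']+)["']""")

# Constructed sample extension. File names and quoted strings follow the
# article; the surrounding code is placeholder, not the real extension.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "demo-coupon-extension",
        "permissions": ["scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "h0.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["h1-check.js"]}],
    }),
    "h0.js": 'setInterval(() => fetch("https://history.paypal.com/targeting/set-plugin?src=honey"), 60000);\n',
    "h1-check.js": 'const SUPPRESS_ON = ["chase.com", "mail.google.com"];\n',
    "h1-gpTips.js": (
        'const se = location.href.includes("temporary-chat=true");\n'
        'const node = document.querySelector(".whitespace-pre-wrap");\n'
        'post("https://d.joinhoney.com/v3", { name: "ext_gpTips_checkIsProduct" });\n'
    ),
}


def broad_host_permissions(manifest: dict) -> list[str]:
    """Every declared match pattern that covers all sites."""
    declared = set(manifest.get("host_permissions", []))
    declared |= set(manifest.get("permissions", []))  # MV2 listed host patterns here
    for content_script in manifest.get("content_scripts", []):
        declared |= set(content_script.get("matches", []))
    return sorted(declared & BROAD_HOSTS)


def scan_script(js: str) -> dict[str, list[str]]:
    """Hosts, selectors and URL checks referenced by one script."""
    hosts = set()
    for match in HOST_RE.finditer(js):
        target = re.sub(r"^https?://", "", match.group(1))
        host = target.split("/", 1)[0]
        if host.rsplit(".", 1)[-1].lower() in SKIP_EXTENSIONS:
            continue  # a file name, not a network host
        hosts.add(target)
    return {
        "host_strings": sorted(hosts),
        "selectors": sorted(set(SELECTOR_RE.findall(js))),
        "url_checks": sorted(set(INCLUDES_RE.findall(js))),
    }


def triage(files: dict[str, str]) -> dict:
    """Combine the manifest review and the per-script scan into one report."""
    manifest = json.loads(files["manifest.json"])
    return {
        "broad_host_permissions": broad_host_permissions(manifest),
        "can_inject_scripts": "scripting" in manifest.get("permissions", []),
        "scripts": {
            name: scan_script(body) for name, body in files.items() if name.endswith(".js")
        },
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXTENSION), indent=2))
```

The host regex deliberately over-matches: a hardcoded suppression list and a beacon endpoint look the same to it, which is the point of triage, since both are strings a reviewer wants to read in context before deciding what the script does with them.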




The behaviors described in this article are not compatible with the General Data Protection Regulation. The universal browse tracking, the pre-interaction product data collection, the Rokt session tracking, and the ChatGPT message transmission each implicate Articles 5 (data minimisation), 6 (lawful basis for processing), and 13 (transparency and disclosure obligations). The downstream sharing structure, in which PayPal transfers data to Partners who then govern their own use of it, does not dissolve these obligations under EU law. The original controller remains responsible.

The findings in this article are based on static analysis of Honey version 19.0.3 (extension ID bmnlcjabgnpnenekpadlanbbkooimhnj), obtained directly from the Chrome Web Store.
The CRX file was extracted by stripping the CRX3 header and unpacking the archive. The primary source files analyzed were "h0.js" (background service worker), "h1-check.js" (content script) and "h1-gpTips.js" (ChatGPT injection script). No dynamic analysis, network interception, or privileged access was used. Every finding in this article is reproducible by anyone willing to download the same extension and repeat the process.
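The extraction step just described, as an added example that is not the article's own tooling: a small Python unpacker that validates the CRX3 prefix (the "Cr24" magic, the version field, the declared header length) before slicing off the header and reading the ZIP archive behind it. It does not verify the signature inside the header, and the package it builds for itself is constructed for the demo with placeholder file contents.

```python
"""Unpack a CRX3 package into its ZIP payload (added example, not the article's tooling).

CRX3 layout, which is public: magic "Cr24", uint32 LE version (3), uint32 LE
header length, the header bytes (a protobuf CrxFileHeader carrying keys and
signatures), then an ordinary ZIP archive. The signature is not verified:
this is for reading the files, not for trusting them.
"""
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"
PREFIX = struct.Struct("<4sII")  # magic, version, header_len
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP


class CrxFormatError(ValueError):
    """Raised when the bytes do not look like a CRX3 package."""


def split_crx3(data: bytes) -> tuple[bytes, bytes]:
    """Return (header_bytes, zip_bytes), validating every length before slicing."""
    if len(data) < PREFIX.size:
        raise CrxFormatError("shorter than the CRX prefix")
    magic, version, header_len = PREFIX.unpack_from(data, 0)
    if magic != CRX_MAGIC:
        raise CrxFormatError(f"bad magic {magic!r}")
    if version != 3:
        raise CrxFormatError(f"unsupported CRX version {version}")
    start, end = PREFIX.size, PREFIX.size + header_len
    if end > len(data):
        raise CrxFormatError("declared header length runs past end of file")
    payload = data[end:]
    if not payload.startswith(ZIP_MAGIC):
        raise CrxFormatError("payload after header is not a ZIP archive")
    return data[start:end], payload


def list_crx_files(data: bytes) -> list[str]:
    """Names of the files inside the package, in archive order."""
    _, payload = split_crx3(data)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.namelist()


def read_crx_file(data: bytes, name: str) -> bytes:
    """Contents of one file from the package, e.g. the manifest or a content script."""
    _, payload = split_crx3(data)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.read(name)


def unpack_crx(path: str, dest_dir: str) -> list[str]:
    """Extract a .crx from disk; zipfile.extractall drops absolute paths and '..' parts."""
    with open(path, "rb") as fh:
        _, payload = split_crx3(fh.read())
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_crx(files: dict[str, bytes], header: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: wrap files in a CRX3 envelope with a dummy, unsigned header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return PREFIX.pack(CRX_MAGIC, 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_crx({
        "manifest.json": b'{"manifest_version": 3, "name": "demo"}',
        "h1-gpTips.js": b"// placeholder content script\n",
    })
    print(list_crx_files(sample))
```

Point unpack_crx at a real .crx downloaded from the store and the extracted directory is what the article's analysis was run over; a truncated or non-CRX3 download fails the prefix checks instead of producing a confusing ZIP error.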