Last updated: 1 July 2026. Applies to the SecretScout browser extension, version 0.1 (phase 1).
SecretScout inspects the pages you visit entirely on your own device to warn you when a page exposes something that looks like an API key or secret. It does not send the page content, the detected keys, your browsing history, or any personal information to us or to any third party. There is no account, no server, no tracking, and no analytics.
To do its job, the extension reads, in each page you open:
fetch and
XMLHttpRequest), so a key leaking over the network can be caught.All of this is processed in memory, locally, in your browser, and only to run pattern matching for known key formats. The extension does not transmit any of it. It is never written to a server, and there is no server to write it to.
When a match is found, the extension keeps a small, masked summary — the service name and
a partially hidden key (first 6 and last 4 characters, e.g. sk-pro…7dc) — in your browser's
temporary session storage (chrome.storage.session) so the toolbar badge and popup can show it.
This is per tab, stays on your device, and is cleared automatically when you navigate away
or close the browser. The full, unmasked key is never stored.
<all_urls>) — the extension's content scripts run on the
pages you visit so it can scan them for exposed secrets. This is the core function; scanning cannot happen
without page access. It does not request the tabs permission and does not read your tab list
or history.storage — to hold the current page's masked findings in temporary session storage for the
badge and popup, as described above.A future version may add a wider ruleset, a local per-domain history of findings, and CSV/JSON export. Those features do not exist in this version. Any such history would remain local to your device; if that ever changes, this policy will be updated to describe it before the feature is enabled.
Because all data is local and temporary, you can clear it at any time by closing the tab or the browser, or by removing the extension, which deletes all of its stored data from your device.
Questions about this policy: info@getcompliant.online.