SecretScout — Privacy Policy

Last updated: 1 July 2026. Applies to the SecretScout browser extension, version 0.1 (phase 1).

The short version

SecretScout inspects the pages you visit entirely on your own device to warn you when a page exposes something that looks like an API key or secret. It does not send the page content, the detected keys, your browsing history, or any personal information to us or to any third party. There is no account, no server, no tracking, and no analytics.

How it works, and what it reads

To do its job, the extension reads, in each page you open:

All of this is processed in memory, locally, in your browser, and only to run pattern matching for known key formats. The extension does not transmit any of it. It is never written to a server, and there is no server to write it to.

What is stored, and where

When a match is found, the extension keeps a small, masked summary — the service name and a partially hidden key (first 6 and last 4 characters, e.g. sk-pro…7dc) — in your browser's temporary session storage (chrome.storage.session) so the toolbar badge and popup can show it. This is per tab, stays on your device, and is cleared automatically when you navigate away or close the browser. The full, unmasked key is never stored.

What SecretScout does not do

Permissions, and why they are needed

Future paid features

A future version may add a wider ruleset, a local per-domain history of findings, and CSV/JSON export. Those features do not exist in this version. Any such history would remain local to your device; if that ever changes, this policy will be updated to describe it before the feature is enabled.

Data deletion

Because all data is local and temporary, you can clear it at any time by closing the tab or the browser, or by removing the extension, which deletes all of its stored data from your device.

Contact

Questions about this policy: info@getcompliant.online.