Privacy policy

1. Who we are

ExtGuard ("we", "us", "our") operates the website at https://extguard.online and provides a Chrome extension pre-submission validation tool. For privacy questions, contact us at [email protected].

2. The data we collect

2.1 Account data

When you sign up, our authentication provider (Clerk) collects and stores your email address and authentication credentials. We receive a user identifier from Clerk and store the email address associated with your account.

2.2 Scan data

When you upload a Chrome extension .zip file to ExtGuard, the file is unpacked and analyzed entirely in your browser. The contents of the zip — your extension source code, manifest, icons, and assets — are never transmitted to or stored on our servers.

If you choose to save a scan (which requires a signed-in account), we store only the resulting report metadata: filename, file size, risk score, approval probability, and the structured check results (issue titles, severities, file paths, and suggestions). We do not store the source code that produced these results.

2.3 API keys

If you create API keys for CI/CD integration, we store a SHA-256 hash of each key alongside the first 12 characters (the prefix) and a name you provide. We never store the full secret. Once shown to you at creation, it cannot be retrieved.

2.4 Payment data

When payments are enabled, billing will be handled by Dodo Payments, who acts as the Merchant of Record. We do not see, store, or process your payment card information. We receive only your subscription status and the email used at checkout.

2.5 Technical data

Like most websites, our hosting provider (Vercel) automatically logs IP addresses, user agents, and request paths for security, abuse prevention, and basic operational monitoring. These logs are retained for a limited time and are not linked to your account profile.

3. How we use your data

• To provide the scanning service and save your scan history.
• To authenticate you, manage your account, and prevent abuse.
• To process subscription payments (via Dodo Payments) and manage your plan.
• To send transactional emails such as scan reports, API key notifications, and account alerts.
• To investigate security incidents and enforce our Terms.
• To improve the product through aggregated, non-identifying usage patterns.

We do not use your data to train machine learning models, and we do not sell your personal data to third parties.

4. Third-party services

ExtGuard uses the following processors to operate:

5. Cookies and tracking

We use only the cookies and local storage necessary for the service to function — primarily for authentication sessions managed by Clerk. We do not use third-party advertising or analytics trackers. We do not embed advertising scripts.

6. Data retention

• Scan reports: retained until you delete them or close your account.
• API keys: retained until you revoke them or close your account.
• Account data: retained for the lifetime of your account. Deleted within 30 days of account closure.
• Server logs: retained by our hosting providers per their respective policies.

7. Your rights

You have the right to access, correct, export, or delete the personal data we hold about you. You can:

• View and delete your scan history from your dashboard.
• Revoke API keys at any time from the API keys page.
• Email us at [email protected] to request export or full account deletion.

If you are in the EU, UK, or California, you have additional rights under GDPR, UK-GDPR, and CCPA respectively. We honor those rights regardless of where you live.

8. Security

We use industry-standard practices to protect your data: TLS encryption in transit, hashed credentials and API keys at rest, and least-privilege access to production systems. No system is perfectly secure, however, and we cannot guarantee absolute security. If a breach occurs, we will notify affected users without undue delay.

9. Children

ExtGuard is not intended for and does not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.

10. International transfers

Our infrastructure runs in regions provided by Vercel and Neon. By using ExtGuard, you understand that your data may be transferred to, stored in, and processed in countries outside your own.

11. Changes to this policy

If we make material changes to this policy, we will update the "Last updated" date above and, where appropriate, notify you by email or via the dashboard. Continued use of ExtGuard after changes means you accept the updated policy.

12. Contact

Questions, requests, or concerns: [email protected]