Browser Extension Privacy Policy

How the Alertoscan Shield browser extension handles your data — privacy-first, no accounts, no tracking, and only a matched hostname ever leaves your device.

Last updated: July 2026

This policy covers the Alertoscan Shield browser extension for Chrome and Edge. It is separate from the Alertoscan.io website Privacy Policy and describes exactly what the extension does — and does not do — with your data. It matches the extension's actual behavior.

Summary

  • No accounts. You never sign in. We do not know who you are.
  • Zero telemetry. We do not track you, run analytics, or collect usage statistics.
  • Local checks. The site you are visiting is checked on your device against a list the extension downloads once a day.
  • Minimal transmission. A hostname leaves your device only when it matches the local list, and only the hostname (the registrable domain, e.g. example.com), sent to alertoscan.io to retrieve a safety score. Nothing else is sent.

What data is processed, and where

DataWhere it is processedSent off your device?
The hostname of the tab you are checkingOn your device (local bloom-filter test)No — for the ~99% of sites not on the list, nothing is ever transmitted.
A hostname that matches the local listSent to alertoscan.io to fetch its scoreYes — only the matched hostname (registrable domain).
The downloaded blocklist + your settings (active-protection toggle, your "ignored sites" list)Stored locally in the browser (chrome.storage.local)No — never leaves your device.

We do not collect or transmit: your browsing history, full URLs (path and query are discarded — only the hostname is ever used), IP-linked identifiers, page content, form data, cookies, location, or any personal information.

When a hostname is sent to alertoscan.io

The core feature — warning you about known scam and phishing sites — requires, on a local match only, asking alertoscan.io for that site's score and verdict. This is the only time any hostname is transmitted. This use of web-browsing information is:

  • limited to providing the user-facing warning feature described on the store listing and shown in the extension's popup;
  • never sold or transferred to third parties;
  • never used for advertising, analytics, profiling, or any purpose unrelated to returning the site's safety score.

The popup makes this transparent at the moment it happens (it shows the score it fetched), and a persistent note states that only a matched hostname is sent to alertoscan.io.

Active protection (optional, off by default)

By default the extension only checks a site when you click its icon (using the activeTab permission, which does not grant background access to your browsing).

You may optionally enable Active protection, which automatically shows a warning banner and a toolbar badge on flagged sites as you browse. Enabling it asks for the browser's optional permission to run on the sites you visit, so the extension can read tab URLs to run the same local check and display the in-page banner. Even with active protection on, the rules above are unchanged: clean sites are checked locally and never transmitted; only a local match results in a hostname being sent. The in-page banner is purely cosmetic — it reads no page content and sends nothing. Active protection is fully revocable from the popup.

Your "ignored sites" list

If you choose "Ignore on this site", that domain is stored locally and suppressed from future warnings. This list lives only in your browser and is never transmitted.

Data retention and sharing

  • Locally stored data (blocklist, settings, ignored sites) remains on your device until you remove the extension or clear it.
  • alertoscan.io rate-limits the score endpoint per IP and does not log anything tying a domain lookup to an individual user.
  • We do not share, sell, or rent any data to third parties.

Permissions and why they are needed

PermissionWhy
activeTabRead the hostname of the current tab when you click the icon, to check it. No background browsing access.
storageCache the downloaded blocklist and your local settings / ignored sites.
alarmsSchedule the once-a-day blocklist refresh.
scriptingInject the warning banner into the current page (only when Active protection is on and you visit a flagged site).
Host access to the sites you visit (optional)Only requested if you turn on Active protection, to read tab URLs for automatic badging and to show the in-page banner. Revocable at any time.
Host access to alertoscan.ioDownload the daily blocklist and fetch a score on a local match.

Changes to this policy

If this policy changes, the updated version will be published at this URL with a new "Last updated" date.

Contact

Questions about privacy: contact@alertoscan.io or via the contact page.