# Privacy Policy — CVE Lookup

**No data ever leaves your browser** except outbound API queries made directly to:
- CISA (cisa.gov) to download the Known Exploited Vulnerabilities catalogue
- NVD (nvd.nist.gov) to fetch CVE records matching the vendor of the site you are visiting

**Visited hostnames** are cached locally in `chrome.storage.local` only. They are never transmitted to any server or third party.

**The optional NVD API key** is stored locally in `chrome.storage.local`. It is never transmitted anywhere except as a request header in HTTPS calls made directly to nvd.nist.gov.

**No analytics, no telemetry, no third-party services.** The extension makes no requests other than the two listed above and collects no usage data of any kind.

**All locally stored data** (cached CVE results and your API key) can be cleared at any time using the Clear Cache button in the extension popup, or by removing the extension entirely.