# Privacy policy — Tag QA

**Last updated:** 2026-05-29

## What Tag QA does

Tag QA is a Chrome extension that helps developers inspect analytics beacons
(GA4, GTM, Adobe, Meta Pixel, Segment, and ~40 other providers) firing from
the web pages they visit. It runs entirely **locally on your machine** —
there is **no backend, no account, no telemetry**.

## What data Tag QA collects

The extension intercepts analytics requests fired by the pages you have open
in your browser (`fetch`, `XMLHttpRequest`, `sendBeacon`, and `dataLayer.push`)
and decodes their parameters so you can see what your site is sending.

Captured data includes:

- The destination URL and HTTP method of each analytics request.
- The request body (for POST / sendBeacon).
- The decoded parameter map.
- A viewport screenshot taken before each scripted click (Auto-walk / Site
  Audit modes only). Used for the XLSX export and the per-row preview.
- The current page URL and tab origin.

**All of this stays on your machine.** It is stored in
`chrome.storage.local` (session feed, diag log, click thumbnails) or held in
the side panel's memory. Nothing is sent to a server. Nothing is shared with
us or any third party.

## PII scrubbing

Before any capture is processed, the extension applies a redaction pass to
remove common PII patterns from every string field — email addresses, phone
numbers, credit-card-shaped sequences, and US SSNs. Matched values are
replaced with `[redacted-email]`, `[redacted-phone]`, etc. This is
best-effort; do not rely on it for compliance-critical workflows.

## Permissions explained

| Permission | Why |
|---|---|
| `storage` | Session feed, diag log, thumbnails, theme, active SDR, settings. |
| `tabs` | Read the active tab's URL so we can attribute captures. |
| `scripting` | Inject the page-side interceptor that wraps fetch/XHR/beacon. |
| `sidePanel` | Render the inspector in Chrome's side panel. |
| `downloads` | Save XLSX / CSV / diag-log files locally. |
| `debugger` | Used **only** for `Page.captureScreenshot` when you opt in to "Capture iframes via chrome.debugger" in Settings. No CDP commands besides screenshot are issued. Detaches automatically after each capture. |
| `host_permissions: <all_urls>` | Required to intercept analytics on every site you choose to inspect. |

## What we do NOT do

- We do not transmit captures or any other data over the network.
- We do not run analytics on you (no GA, no Mixpanel, no error reporting).
- We do not sell anything.
- We do not require an account or login.

## Open source

Tag QA's source is available for audit. The capture-and-decode pipeline lives
in `packages/extension/src/content/main-world.ts` (interceptors),
`packages/extension/src/shared/scrub.ts` (PII redaction), and
`packages/extension/src/decoder/` (provider parsers).

## Contact

For questions about this policy or the extension's behavior, open an issue at
the project's repository.