# Privacy Policy for CSP Policy Collector

**Last Updated: December 7, 2024**

## Overview

CSP Policy Collector is a Chrome extension designed to help developers generate Content Security Policy (CSP) headers by monitoring resource loading on web pages. This privacy policy explains how the extension collects, uses, and protects your data.

## Data Collection

### What Data We Collect

The extension collects the following information **only when you explicitly start monitoring**:

1. **Resource URLs**: URLs of scripts, stylesheets, and images loaded by web pages
2. **Resource Types**: Classification of resources (script, style, image)
3. **Resource Sources**: Whether resources are inline or external
4. **Resource Hashes**: SHA-256 hashes of inline scripts and styles (when available)
5. **Tab Information**: Tab IDs to manage monitoring sessions
6. **Timestamps**: When resources were detected

### What Data We DO NOT Collect

- Personal information (name, email, address, etc.)
- Browsing history outside of active monitoring sessions
- Passwords or authentication credentials
- Form data or user input
- Cookies or session tokens
- Page content or HTML
- Any data from pages you visit when monitoring is not active

## How We Use Your Data

### Local Storage Only

All collected data is stored **locally on your device** using Chrome's storage API. We do not:

- Transmit data to external servers
- Share data with third parties
- Upload data to cloud services
- Track your browsing activity
- Use analytics or telemetry

### Data Usage

The collected data is used exclusively for:

1. **CSP Policy Generation**: Creating Content Security Policy headers based on detected resources
2. **CSV Export**: Allowing you to export collected data for your own analysis
3. **Session Management**: Maintaining monitoring state across browser sessions

## Data Control

### User Control

You have complete control over your data:

- **Start/Stop Monitoring**: You decide when to collect data by starting and stopping monitoring
- **Per-Tab Isolation**: Each tab's data is collected separately
- **Manual Export**: You choose when to export data
- **Data Deletion**: Stopping monitoring and closing tabs removes associated data
- **No Automatic Collection**: The extension never collects data without your explicit action

### Data Retention

- **Active Sessions**: Data is retained while monitoring is active
- **Stopped Sessions**: Data is automatically cleaned up 30 minutes after stopping monitoring
- **Tab Closure**: Data is removed when monitored tabs are closed
- **Extension Removal**: All data is deleted when you uninstall the extension

## Permissions Explanation

The extension requires the following permissions:

### activeTab

- **Purpose**: Inject monitoring scripts into the current tab
- **Usage**: Only when you click "Start" to begin monitoring
- **Data Access**: Resource URLs and types on the active tab only

### storage

- **Purpose**: Save collected data locally on your device
- **Usage**: Store monitoring sessions and resource data
- **Data Access**: Local storage only, no cloud sync

### tabs

- **Purpose**: Identify which tab is being monitored
- **Usage**: Manage per-tab monitoring sessions
- **Data Access**: Tab IDs only, no browsing history

### scripting

- **Purpose**: Inject content scripts to detect resources
- **Usage**: Monitor DOM and network events during active monitoring
- **Data Access**: Resource loading events only

### downloads

- **Purpose**: Export collected data as CSV files
- **Usage**: Save generated reports to your local file system
- **Data Access**: No access to existing files, only creates new exports

### notifications

- **Purpose**: Inform you of monitoring status and export completion
- **Usage**: Display non-intrusive notifications
- **Data Access**: No data collection, display only

### webRequest

- **Purpose**: Monitor network requests for external resources
- **Usage**: Detect resources loaded via fetch/XHR during active monitoring
- **Data Access**: Resource URLs during active monitoring only

### host_permissions ()

- **Purpose**: Allow monitoring on any website you choose
- **Usage**: Only when you explicitly start monitoring on a specific site
- **Data Access**: Resource information only, no page content

## Data Security

### Security Measures

- All data is stored locally using Chrome's secure storage API
- No data transmission over networks
- No external API calls or server connections
- Content scripts run in isolated contexts
- No eval() or unsafe code execution

### Third-Party Access

- **No third-party services**: The extension does not use any third-party analytics, tracking, or data collection services
- **No external dependencies**: All code runs locally in your browser
- **No remote code**: The extension does not load code from external sources

## Children's Privacy

This extension is intended for developers and does not knowingly collect information from children under 13. The extension does not collect personal information from any users.

## Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected in the "Last Updated" date at the top of this document. Continued use of the extension after changes constitutes acceptance of the updated policy.

## Open Source

This extension is open source. You can review the complete source code to verify our privacy practices at: [GitHub Repository URL]

## Contact

If you have questions about this privacy policy or the extension's data practices, please:

- Open an issue on our GitHub repository
- Review the source code to understand data handling
- Contact us at: [Your Contact Email]

## Your Rights

You have the right to:

- Know what data is collected (documented in this policy)
- Access your data (stored locally in Chrome storage)
- Delete your data (by stopping monitoring or uninstalling the extension)
- Control data collection (by choosing when to start/stop monitoring)

## Compliance

This extension complies with:

- Chrome Web Store Developer Program Policies
- General Data Protection Regulation (GDPR) principles
- California Consumer Privacy Act (CCPA) principles

## Summary

**In Plain English:**

- We only collect resource URLs when you explicitly start monitoring
- All data stays on your device - nothing is sent anywhere
- You control when data is collected and can delete it anytime
- We don't track you, collect personal info, or share data with anyone
- The extension is open source - you can verify everything we say

---

**By using CSP Policy Collector, you acknowledge that you have read and understood this privacy policy.**