1 Overview
SecureLint – Sensitive Data Protector is a Chrome browser extension that detects and masks sensitive data — API keys, passwords, tokens, credentials, and personal information — as you type or paste content into any web-based editor. This Privacy Policy explains exactly what data is collected, how it is used, and how it is protected, in compliance with the Chrome Web Store Developer Program Policies.
Publisher: VAPTLabs
Contact: contact@vaptlabs.com
Website: https://securelint.in
2 Data We Collect
2a. Data Processed Locally — Never Leaves Your Browser
The following data is processed entirely within your browser using JavaScript. It is never transmitted to any external server.
| Data Type | Purpose |
|---|---|
| Text content in web pages | Scanned locally using regex pattern matching to detect sensitive data. Never stored or transmitted. |
| Detected secrets / masked values | Displayed in the overlay UI. Stored only in browser memory for the duration of your session. |
| Editor type (textarea, CodeMirror, etc.) | Used to apply the correct overlay positioning logic for each editor framework. |
| Active page URL | Used to determine development vs. content-writing mode for context-aware masking. Not logged or transmitted. |
2b. Settings Stored Locally in Your Browser
The following preferences are saved to chrome.storage.sync and chrome.storage.local on your device:
- Detection toggle (on/off per site or globally)
- Auto-masking preferences (textareas, inputs, rich editors)
- Severity filter levels (Critical, High, Medium, Low)
- List of domains excluded from scanning
- Masking style preference (smart, full, compliance-safe)
- Overlay and notification display preferences
This data stays on your device. If Chrome Sync is enabled, Chrome itself may sync this data to your Google account — this is controlled by Chrome, not by SecureLint.
2c. Account & Authentication Data (Optional — Registered Users Only)
If you choose to create a SecureLint account, the following data is sent to and stored on our servers:
| Data Type | Purpose | Retention |
|---|---|---|
| Email address | Account identification and login | Until account deletion |
| Hashed password / OAuth token | Secure authentication | Refresh token expires in 7 days |
| Extension settings / preferences | Sync your settings across devices | Until account deletion |
| Site exclusion list | Sync disabled domains across devices | Until account deletion |
3 Data We Do NOT Collect
- We do not log, store, or transmit any text you type or paste in web forms.
- We do not collect your browser history or visited URLs beyond reading the current page URL for mode detection.
- We do not sell, rent, or share any user data with third parties.
- We do not use advertising networks, analytics SDKs, or tracking pixels.
- We do not perform cross-site tracking or build user profiles.
4 Permissions & Why We Need Them
SecureLint requests only the permissions required for its core features. Here is a plain-English explanation of each:
| Permission | Why It Is Needed |
|---|---|
| storage | Save your detection settings and preferences locally so they persist between browser sessions. |
| activeTab | Access the content of the currently active tab to scan for sensitive data patterns. |
| tabs | Broadcast settings updates to all open tabs instantly when you change a preference, ensuring consistent behavior everywhere. |
| notifications | Show a one-time browser notification when a Critical-severity secret is detected (e.g., an AWS key pasted into a form). Can be disabled in settings. |
| downloads | Allow you to export a detection report (JSON/CSV) to your Downloads folder via the popup. Your data never leaves your machine. |
| contextMenus | Add a right-click menu option ("Toggle SecureLint on this element") for quick per-field control. |
| alarms | Schedule periodic re-scans (every ~30 seconds) for dynamically loaded content in Single Page Apps like GitHub, Jira, and Notion where content is injected by JavaScript after initial load. |
| <all_urls> | Why this is necessary: SecureLint's purpose is to detect secrets on any site you visit — GitHub Issues, Jira tickets, Confluence pages, Gmail, Google Docs, ChatGPT, Notion, internal tools, and thousands more. The extension cannot know in advance which sites you will type sensitive data on, and restricting it to a predefined list would break the core security promise. Important: all page content is processed locally, and nothing is transmitted externally outside enterprise incident reporting (Section 10). This permission grants access for local scanning only. |
5 How We Protect Your Data
Detection Risk Levels
Secrets detected locally are classified into four severity levels (Critical, High, Medium, Low) for display only. These classifications exist only in your browser's memory and are never transmitted anywhere, except that the severity label accompanies a masked event in enterprise incident reporting (Section 10).
6 Third-Party Services
When you are logged in to a SecureLint account, the extension communicates with the following services for authentication and settings sync only:
| Service | URL | Purpose | Data Shared |
|---|---|---|---|
| SecureLint API | securelint-api.vercel.app | Authentication, settings sync | Email, auth tokens, extension settings only. Never page content. |
| Netlify | securelint.in | Hosts the web dashboard | Standard web server logs (IP, timestamp). No extension data. |
No user content, detected secrets, or browsing activity is shared with any third-party service.
7 Children's Privacy
SecureLint is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us immediately at contact@vaptlabs.com and we will delete it promptly.
8 Changes to This Policy
We may update this Privacy Policy to reflect changes to the extension's features or applicable legal requirements. When we do, we will update the Effective Date at the top of this page. We may also notify you of material changes via the extension popup or a browser notification.
Continued use of the SecureLint extension after a revised policy is published constitutes your acceptance of the changes.
9 Your Rights
- 🗑️ Delete Your Account & Data: Contact us at contact@vaptlabs.com to permanently delete your account and all associated server-side data.
- 🧹 Clear Local Settings: Open chrome://extensions → SecureLint → Storage to clear all locally stored settings at any time.
- 🔌 Revoke Permissions: Remove or disable the extension at any time from chrome://extensions. All local data is erased on uninstall.
- 📋 Access Your Data: Request a copy of any personal data we hold about you by emailing contact@vaptlabs.com.
- 🔕 Opt Out of Account Sync: Use SecureLint without an account. All core detection features work fully offline and locally; account creation is optional.
10 Enterprise Incident Reporting
What is Enterprise Incident Reporting?
When SecureLint is deployed by an IT or security team across an organisation, it can be configured to send incident reports to a central admin dashboard. This allows the IT team to monitor secret-detection events across the organisation's devices — for example, to identify recurring patterns, enforce security training, or respond to a potential data-leak event before it escalates.
This capability is equivalent to standard enterprise DLP (Data Loss Prevention) tooling and is fully disclosed to employees at the point of device enrolment under the organisation's acceptable-use policy.
What is included in an incident report?
| Field | Value sent | Purpose |
|---|---|---|
| User email | e.g. dev@company.com | Identifies which employee account triggered the event |
| Browser ID | Pseudonymous UUID derived from browser fingerprint | Identifies the specific device without exposing name or IP address (it is still a stable per-device identifier, and the report also carries the user email) |
| Tab URL | Full URL of the page where the secret was detected | Identifies which tool or platform was in use |
| Tab title | Page title (e.g. "Fix bug · GitHub") | Human-readable context for the IT admin |
| Secret type | e.g. AWS_ACCESS_KEY, STRIPE_KEY | Classifies the kind of credential at risk |
| Severity | Critical / High / Medium / Low | Prioritises admin response |
| Masked preview | e.g. AKIA████████████████ | Confirms the type without revealing the value |
| Timestamp | UTC ISO-8601 | Audit trail and timeline reconstruction |
| Extension version | e.g. 1.0.0 | Debugging and version-compliance tracking |
What is never included
- The actual (unmasked) secret value — only the masked preview is ever transmitted.
- IP address — the extension does not collect IP addresses. The server captures the IP from the HTTP request for its own security logging, separate from the incident payload.
- Keystrokes, clipboard contents, or full page text.
- Browsing history beyond the single tab URL where the detection occurred.
- Any data from sites on the organisation's exclusion list.
Authentication & security of the report
Every incident report is sent over HTTPS and authenticated with the user's Supabase JWT access token in the Authorization: Bearer header. The backend verifies the token before accepting any report. If the token has expired, the extension automatically refreshes it before sending. Reports from unauthenticated (logged-out) users are never sent.
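The following is an added example, not SecureLint's own code, showing the pieces the two sections above describe together: local regex detection with a severity per pattern (Section 2a), a fixed-prefix masked preview of the kind shown in the table, an incident payload that copies only the masked preview and metadata, a check that suppresses reports for excluded sites, and the HTTPS request carrying the Bearer token. The pattern list, the incident endpoint path, the field names, the sample text and the context object are all assumptions constructed for illustration; the AWS and Stripe strings are the placeholder keys from those vendors' own documentation.

```javascript
// Added example, not SecureLint's own code. Pattern list, endpoint path,
// field names, sample text and context are constructed for illustration.

const PATTERNS = [
  { type: "AWS_ACCESS_KEY", severity: "Critical",
    re: /\bAKIA[0-9A-Z]{16}\b/g, keep: 4 },
  { type: "STRIPE_KEY", severity: "Critical",
    re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g, keep: 8 },
  { type: "GITHUB_TOKEN", severity: "High",
    re: /\bghp_[0-9A-Za-z]{36}\b/g, keep: 4 },
  { type: "PRIVATE_KEY_BLOCK", severity: "Critical",
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g, keep: 10 },
];

// Keep a short prefix so the credential type stays recognisable (e.g. "AKIA")
// and replace every remaining character with a block.
function maskSecret(value, keep) {
  return value.slice(0, keep) + "█".repeat(Math.max(value.length - keep, 0));
}

// Scan a string and return each match with position, severity and masked
// preview. The raw value lives only in this in-memory object.
function scanText(text) {
  const hits = [];
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      hits.push({ type: p.type, severity: p.severity, index: m.index,
                  value: m[0], masked: maskSecret(m[0], p.keep) });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Rewrite the text with every detected value replaced by its masked form.
// Working from the last hit backwards keeps earlier offsets valid.
function maskText(text) {
  let out = text;
  for (const h of scanText(text).reverse()) {
    out = out.slice(0, h.index) + h.masked + out.slice(h.index + h.value.length);
  }
  return out;
}

// Exclusion list: exact host or any subdomain of a listed domain.
function isExcluded(url, excludedDomains) {
  const host = new URL(url).hostname.toLowerCase();
  return excludedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Incident payload laid out like the field table above. It copies only the
// masked preview (never hit.value) and returns null for excluded sites.
function buildIncident(hit, ctx) {
  if (isExcluded(ctx.tabUrl, ctx.excludedDomains)) return null;
  return {
    userEmail: ctx.userEmail,
    browserId: ctx.browserId,
    tabUrl: ctx.tabUrl,
    tabTitle: ctx.tabTitle,
    secretType: hit.type,
    severity: hit.severity,
    maskedPreview: hit.masked,
    timestamp: new Date().toISOString(),
    extensionVersion: ctx.extensionVersion,
  };
}

// The request the extension would send: HTTPS endpoint, access token in the
// Authorization: Bearer header, JSON body. It is returned rather than sent so
// the example runs offline; the endpoint path is an assumption.
function incidentRequest(payload, accessToken,
                         endpoint = "https://securelint-api.vercel.app/incidents") {
  return {
    url: endpoint,
    method: "POST",
    headers: { "Content-Type": "application/json",
               Authorization: "Bearer " + accessToken },
    body: JSON.stringify(payload),
  };
}

// Constructed sample input: the key strings are the public placeholder keys
// from the AWS and Stripe documentation, not live credentials.
const SAMPLE_TEXT = [
  "Deploy notes: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE before running,",
  "and use STRIPE_SECRET=sk_test_4eC39HqLyjWDarjtT1zdp7dc for the sandbox.",
].join("\n");

const SAMPLE_CTX = {
  userEmail: "dev@company.com",
  browserId: "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  tabUrl: "https://github.com/org/repo/issues/42",
  tabTitle: "Fix bug · GitHub",
  extensionVersion: "1.0.0",
  excludedDomains: ["bank.example"],
};
```

Running scanText over SAMPLE_TEXT yields two Critical hits; maskText replaces them in place without changing the text length, and JSON.stringify(buildIncident(hit, SAMPLE_CTX)) contains the masked preview but never the raw key, which is the property a reviewer of the reporting path should check.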
Transparency to users
When a user is logged into an enterprise-enabled SecureLint account, the extension popup displays a read-only "Enterprise Reporting — Active" banner in the Settings tab. This banner shows the user's email address and a clear notice that masked detection events are being reported to their IT admin team. The notice links directly to this Privacy Policy section.
Users cannot disable enterprise reporting from within the extension. This is consistent with standard enterprise DLP tools (antivirus, endpoint agents, etc.) where IT policy supersedes individual preference. Employees are informed of this arrangement through their organisation's acceptable-use policy at the time of device enrolment.
11 Phishing Mail Detection
How it works
When a user opens an email in a supported webmail client, SecureLint analyses the email content locally in the browser for common phishing indicators — including suspicious sender domains, urgency language patterns, credential-harvesting links, and spoofed display names. All analysis runs entirely within the browser; no email content is transmitted externally.
What happens when a phishing email is detected
- The Reply and Forward buttons are temporarily blocked to prevent accidental engagement with the malicious sender.
- A prominent alert banner is displayed within the email view, warning the user that the message appears to be a phishing attempt.
- The user is advised to contact their IT administrator before taking any action.
- In enterprise deployments, the IT admin receives an automatic notification with details of the detected phishing attempt (sender address, subject line, and detection confidence score).
Data handling
Email content is processed entirely in-browser and is never sent to SecureLint servers. In enterprise mode, only the metadata (sender, subject, detection score) is reported to the admin dashboard — the email body is never transmitted.
12 Enterprise Email DLP
What is Enterprise Email DLP?
When an employee using a company email address (e.g. @company.com) attempts to compose, reply, or forward an email to an external domain or personal email address (e.g. Gmail, Yahoo, Hotmail), SecureLint analyses the action in real-time to enforce the organisation's data loss prevention policies.
What happens when a policy violation is detected
- The Send / Reply button is blocked when the compose recipients include addresses that violate the organisation policy (for example consumer mail providers such as Gmail or Yahoo).
- A clear alert is displayed to the employee explaining that sending is restricted by company policy.
- The number of blocked attempts is tracked per session.
- When enterprise incident reporting is enabled by IT, the organisation receives an HTTPS incident record so security staff can audit and follow up. See the table below.
What is included in an Email DLP incident (enterprise reporting enabled)?
| Field | Typical content | Purpose |
|---|---|---|
| Employee identity | Email from the logged-in SecureLint session | Maps the event to the correct user account |
| Recipient domains (recipientDomains in the API) | Full recipient email address(es) that violated policy (e.g. colleague@gmail.com) | Lets admins see which external addresses triggered DLP |
| Masked previews (maskedSecrets in the API) | List of masked previews per recipient (local-part masked; domain retained), never the raw secret payload | Satisfies the incident schema and limits unnecessary exposure |
| Compose context | Tab URL (webmail page), tab title, mail provider label | Shows where the attempt occurred |
| Attempt count & timestamp | Numeric counter and UTC time | Audit trail |
Data handling
SecureLint does not read or transmit the email body or draft message text for Email DLP. Policy checks use recipient fields visible in the compose UI only. When reporting is on, recipient addresses are transmitted to your organisation's SecureLint backend over HTTPS (authenticated), as described above — so administrators should treat incident storage under their own data-retention and acceptable-use policies.
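The following is an added example, not SecureLint's own code, of the Email DLP check this section describes: recipients are parsed from the compose field only (the draft body is never read), addresses in the organisation's domain or on a partner allow-list pass, consumer providers are blocked, the blocked attempts are counted per session, and the incident record carries the full violating addresses under recipientDomains and their local-part-masked forms under maskedSecrets, as the table above lays out. The policy object, the consumer-domain list, the sample recipient string and the context are assumptions constructed for illustration.

```javascript
// Added example, not SecureLint's own code. Policy shape, consumer-domain
// list, sample recipients and context are constructed for illustration.

const CONSUMER_DOMAINS = new Set([
  "gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com",
]);

// Turn a compose field such as 'Alice <Alice@Company.com>, bob@gmail.com'
// into lower-cased bare addresses. Only the visible recipient fields are
// read; the message text is never touched.
function parseRecipients(field) {
  return field.split(/[,;]/)
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const m = s.match(/<([^>]+)>/);
      return (m ? m[1] : s).trim().toLowerCase();
    });
}

function domainOf(address) {
  return address.slice(address.lastIndexOf("@") + 1);
}

// Mask the local part, keep the domain: bob@gmail.com -> b**@gmail.com
function maskLocalPart(address) {
  const at = address.lastIndexOf("@");
  const local = address.slice(0, at);
  return local.slice(0, 1) + "*".repeat(Math.max(local.length - 1, 0)) + address.slice(at);
}

// Policy evaluation: recipients in the organisation's domain (or a subdomain)
// and on the partner allow-list always pass; consumer providers are blocked
// when blockConsumer is set; any other external domain is blocked only when
// blockAllExternal is set.
function evaluateRecipients(recipients, policy) {
  const violations = [];
  for (const r of recipients) {
    const d = domainOf(r);
    if (d === policy.orgDomain || d.endsWith("." + policy.orgDomain)) continue;
    if (policy.allowedExternal.has(d)) continue;
    if ((policy.blockConsumer && CONSUMER_DOMAINS.has(d)) || policy.blockAllExternal) {
      violations.push(r);
    }
  }
  return { blocked: violations.length > 0, violations };
}

// Per-session attempt counter plus the incident record. Field names follow
// the table above: recipientDomains carries the full violating addresses and
// maskedSecrets their local-part-masked previews.
function createSession(ctx) {
  let attempts = 0;
  return {
    attemptCount: () => attempts,
    recordBlockedAttempt(result) {
      attempts += 1;
      return {
        employeeEmail: ctx.userEmail,
        recipientDomains: result.violations,
        maskedSecrets: result.violations.map(maskLocalPart),
        tabUrl: ctx.tabUrl,
        tabTitle: ctx.tabTitle,
        provider: ctx.provider,
        attemptCount: attempts,
        timestamp: new Date().toISOString(),
      };
    },
  };
}

// Constructed sample policy and context.
const SAMPLE_POLICY = {
  orgDomain: "company.com",
  allowedExternal: new Set(["vendor.example"]),
  blockConsumer: true,
  blockAllExternal: false,
};

const DLP_CTX = {
  userEmail: "dev@company.com",
  tabUrl: "https://mail.google.com/mail/u/0/#inbox",
  tabTitle: "Inbox - dev@company.com - Company Mail",
  provider: "Gmail",
};
```

With SAMPLE_POLICY, a compose field containing a colleague, a Gmail address, an allow-listed partner and a subdomain address blocks on the Gmail address alone; flipping blockAllExternal to true still lets the allow-listed partner through, which is the distinction an administrator tuning the policy needs to see.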
Transparency to employees
When Enterprise Email DLP is active, the SecureLint extension popup displays an "Email DLP — Active" indicator in the Settings tab. Employees are informed of this policy through their organisation's acceptable-use agreement at the time of device enrolment.
13 Frequently Asked Questions
- Does SecureLint send my typed text or secrets to any server?
  For standard personal use: secret detection and masking runs inside your browser; typed content is not uploaded for masking itself.
  Enterprise exception: If your employer enables SecureLint enterprise incident reporting or Email DLP, masked summaries and metadata (including page URLs for detections and recipient addressing information for compose blocks) may be sent to your organisation's SecureLint workspace over HTTPS. See Section 10 (Enterprise Incident Reporting) and Section 12 (Enterprise Email DLP).
- Why does SecureLint need access to all websites (<all_urls>)?
  SecureLint's core mission is to detect secrets wherever you type them — GitHub Issues, Jira tickets, Notion pages, ChatGPT, Gmail, and thousands of other tools. It cannot know in advance which sites you will use.
  This permission is used for local scanning on each site you visit. Enterprise deployments only: IT may enable incident reporting that transmits masked summaries and metadata (never raw secret values) as described in Sections 10–12. Personal accounts without enterprise reporting do not upload page text for masking.
  Restricting to a fixed list of sites would prevent detecting secrets on the tools teams use daily.
- Is it safe to use SecureLint on banking or other sensitive sites?
  For typical personal accounts, scanning stays in the browser and you can disable the extension entirely on specific sites via the exclusion list.
  If your employer enables enterprise incident reporting, masked event metadata may be sent as described in Sections 10–12; treat banking use under your organisation's policy.
- Can I use SecureLint without creating an account?
  Absolutely. Account creation is entirely optional. All core detection and masking features work fully offline and locally with no account required. An account only adds the ability to sync your settings across multiple devices.
- What data is stored if I create an account?
  Only your email address, a hashed password or OAuth token, and your extension preferences (e.g. severity filters, excluded domains, masking style) are stored on our servers. No page content, browsing history, or detected secrets are sent to or stored on our servers; the only exception is enterprise incident reporting, which sends masked previews and event metadata to your organisation's workspace as described in Section 10.
- How do I delete my account and all my data?
  Email us at contact@vaptlabs.com with a deletion request. We will permanently delete your account and all associated data from our servers within 5 business days. To also clear local settings, go to chrome://extensions → SecureLint → Storage and clear the data, or simply uninstall the extension.
- Does SecureLint use any analytics or crash-reporting SDKs?
  No. SecureLint contains no third-party analytics SDKs, advertising libraries, or crash-reporting services. There are no tracking pixels and no telemetry calls. The extension communicates only with the SecureLint API (when you are logged in) and nowhere else.
- Will this policy ever change?
  We may update this policy when we add new features or when legal requirements change. We will always update the Effective Date at the top of the page and may notify you via the extension popup for significant changes. The full history of changes is visible from our website.
14 Contact
Get in Touch
For privacy questions, data deletion requests, or any concerns about how SecureLint handles your data, email contact@vaptlabs.com.
We aim to respond to all privacy-related requests within 5 business days.