Privacy Policy
StackRadar Chrome Extension
Last updated: March 21, 2026
The short version:
All technology detection happens locally in your browser. No page content, URLs, scan results, or browsing data is sent to any server for analysis. The only external calls are license key validation (paid users) and user-configured webhooks (Business tier).
What Data We Process Locally
When you trigger a scan, StackRadar reads the following data from the current page, entirely on your device:
- Page URL and domain name for identifying the scanned site
- Page title for display in scan history
- HTML meta tags (name and content attributes) for technology fingerprinting
- Script source URLs (src attributes of script elements) for CDN and library detection
- Inline script content (first 500 characters of up to 50 scripts) for framework detection. Sensitive values like API keys and passwords are automatically redacted before processing.
- CSS class names (from the first 200 elements) for CSS framework detection
- HTML attributes (data-*, framework-specific attributes) for technology detection
- Cookie names only (from a curated whitelist of technology indicators like _ga, _fbp, PHPSESSID). Cookie values are never read.
- Global JavaScript variable names (checked against a known list like React, Vue, jQuery) for framework detection
- DOM patterns (presence of known selectors like #__next, [data-reactroot]) for framework detection
StackRadar does not read form data, passwords, cookie values, or any user input fields. The content script only activates when you explicitly trigger a scan.
How Data Is Stored
All data is stored locally using two mechanisms:
- IndexedDB: Scan history (URLs, page titles, detected technologies, privacy scores). URLs and page titles are encrypted at rest using AES-256-GCM with a device-local encryption key.
- chrome.storage.local: Extension settings, usage counters, a hashed license key (SHA-256, never the raw key), and the encryption key.
No data is synced across devices. Each browser installation maintains its own independent data store. Data retention is user-configurable (7 days, 30 days, 90 days, or indefinitely). Old scans are automatically deleted based on your preference.
Data Sent Externally
StackRadar communicates with external services in two specific, limited cases:
1. License Validation (paid users only)
If you activate a paid license, the extension communicates with Lemon Squeezy's API to:
- Validate your license key on activation
- Periodically re-validate to confirm the license is still active (every 7 days)
- Deactivate the license when you choose to do so
The only data sent is your license key and a device instance identifier. No scan results, page content, URLs, or browsing data is included in these requests.
2. Webhooks (Business tier, opt-in only)
Business tier users may configure webhook endpoints to receive notifications when a scan completes or technology changes are detected. When enabled:
- The domain name and detected technology names/categories are sent to the user-specified URL
- Webhook payloads are signed with HMAC-SHA256 for verification
- This feature is entirely user-initiated and user-controlled
- No webhooks are configured by default
What Is Never Sent
To be explicit, the following data is never transmitted externally:
- Full page URLs or paths of scanned pages
- Page content, script contents, or DOM data
- Privacy scores or confidence metrics
- Cookie names or values
- Browsing history or tab information
- Any form data, passwords, or personal information
No Analytics, No Telemetry
StackRadar does not include any analytics SDK, telemetry system, or usage tracking. There are no tracking cookies, no fingerprinting, no anonymous usage counts. The extension makes zero network requests during normal scanning operations.
Your Rights
You have full control over your data at all times:
- View: All scan history and stored data is accessible within the extension's side panel
- Delete: Clear all stored data from Settings at any time
- Configure retention: Set automatic deletion after 7, 30, or 90 days
- Export: Download scan results as CSV, JSON, or PDF reports
- Uninstall: Removing the extension deletes all associated data automatically
Permissions
The extension requests the following Chrome permissions:
- activeTab: to access the current page and inject the technology detection script when you trigger a scan
- storage: to persist settings, scan history, license information, and encryption keys locally
- sidePanel: to display scan results in Chrome's built-in side panel
- scripting: to inject the content script on demand when you initiate a scan (not persistent)
- alarms: for hourly background tasks (daily usage counter reset, data retention cleanup)
StackRadar does not request broad host permissions. It only accesses the active tab when you explicitly initiate a scan.
Children's Privacy
StackRadar is not directed at children under 13 and does not knowingly process data from children.
Changes to This Policy
We may update this policy as features evolve. The "Last updated" date at the top will reflect any changes.
Contact
Questions about this privacy policy? Email us at [email protected].