Your extension list never leaves your browser

Privacy Policy

Last updated: May 24, 2026

The short version

Extension Trust Scanner reads your installed extension list using Chrome's built-in management API and scores each extension's permissions entirely inside your browser. Your extension list, extension names, IDs, and scores are never uploaded to any server, ever. The extension has no content scripts and no access to your browsing. It contacts only our own server at peakproductivity.online: for an anonymous license check, for anonymous aggregate usage events (event name, random device id, version only), and, if you choose to submit it, your feedback text. No extension list data is ever transmitted.

About what Extension Trust Scanner can and cannot tell you

Extension Trust Scanner scores the permissions and install source that each extension declared, not proven behavior. Chrome does not allow one extension to read another extension's code, so we cannot inspect what an extension actually does with its permissions. A high risk score means the extension declared powerful permissions, not that it is doing anything wrong. A low score is not a safety certification. This tool is a permission risk awareness tool, not an antivirus, malware scanner, or security guarantee. Use it as a starting point for your own review, not as a final verdict on any extension's trustworthiness.

1. How your extension list is processed

When you click Scan in Extension Trust Scanner, the extension calls Chrome's chrome.management.getAll() API to retrieve the list of extensions installed in your browser. This API call happens entirely within your browser. The extension list, the names of your extensions, their IDs, their declared permissions, and the resulting risk scores are processed in memory inside the extension and are never transmitted to any server operated by us or anyone else.

The scoring runs entirely offline once the extension is installed. It does not require a network connection to scan.

2. What the extension cannot see

Extension Trust Scanner does not use content scripts and does not hold a broad host permission like <all_urls>. This means it cannot read the web pages you visit, cannot see any text or content on those pages, and cannot inject code or analytics into any website. Its access is limited to your installed extension list via the management API.

3. Permissions and why each one is needed

Permission Why it is needed
managementReads your installed extension list so it can score each extension's permission footprint. This is the core function of the tool. No extension data is transmitted anywhere.
storageSaves your settings, license status, and local scan snapshots (Pro feature) on your device only. Nothing is synced to a remote server.
downloadsSaves exported scan reports to your downloads folder (Pro feature). Used only when you explicitly click the export button.
peakproductivity.onlineThe only external host the extension can reach. Used for anonymous license verification, anonymous aggregate usage events, and optional feedback you choose to submit (see Section 4). Your extension list is never sent to this host.

There are no content scripts and no host permissions for your visited websites or any other domains.

4. Network requests the extension makes

Extension Trust Scanner contacts only our own server at peakproductivity.online. All three request types are described below. No extension list data is ever transmitted in any of them.

  1. Anonymous license check. Sends a randomly generated device ID to verify whether a Pro license is active in this browser. Contains no name, email, extension list, or personal data of any kind.
  2. Anonymous usage events. Sends small analytics events (for example "installed" or "ran a scan") labeled with the same random device ID and the extension version number. These events contain no extension list, no browsing data, and no personal data. They are used in aggregate to understand how the tool is used.
  3. Feedback text (only if you submit it). If you choose to submit feedback through the in-extension rating prompt, the text you write is sent to our server. This is entirely opt-in and only happens when you click submit. No feedback is collected silently.

What we send / what we never send

  • Sent: random device ID, extension version, event name, optional feedback text you submit
  • Never sent: your extension list, extension names or IDs, risk scores, browsing history, cookies, or any personally identifying information

There are no third-party analytics SDKs, no advertising networks, and no third-party data recipients in any of these requests.

5. Scan snapshots stored locally (Pro)

When change detection is enabled (Pro feature), the following data is stored in Chrome's local extension storage on your device only. It is not synced to any cloud or server:

Scan snapshots are stored locally only and are cleared automatically when you uninstall the extension.

6. Data we do not collect or sell

We do not sell, rent, or share your data with third parties. There are no advertising pixels, no third-party analytics SDKs, and no cross-site profiling. No account or sign-up is required to use Extension Trust Scanner.

7. Children's privacy

Extension Trust Scanner is a browser security awareness tool. It is not directed at children under 13 and does not knowingly collect any information from children.

8. Changes to this policy

If we make material changes we will update the date at the top of this page. Significant changes will also be noted in the extension's changelog on the Chrome Web Store.

9. Contact

Questions about this policy? Contact us at support@peakproductivity.online.