Privacy Policy

Last Updated: June 12, 2026

TL;DR: Secret detection happens on your device. Pasted text, detected secret values, and page content are not uploaded. ClipGuard Pro sends only license and installation metadata to verify paid access.

Local Detection

ClipGuard does not transmit the sensitive content it protects:

No pasted text is uploaded
No API keys, passwords, tokens, or detected secret values are uploaded
No page content or full browsing history is collected
No data is sold or used for targeted advertising

How Detection Works

All secret pattern matching is performed locally in your browser using regular expressions. When you paste text into a webpage, ClipGuard scans it against known secret patterns (API key formats, token prefixes, etc.) entirely within your browser's JavaScript runtime. The text you paste is never sent anywhere — it stays in your browser's memory.

Data Storage

ClipGuard uses Chrome's local storage to save:

Your extension settings (enable/disable toggles, notification preferences)
Statistics counters (number of secrets blocked, number of warnings shown)
User-created patterns and ignored site hostnames
Audit metadata: time, site hostname, detected pattern names, risk level, and selected action
ClipGuard Pro license state

The audit log does not contain pasted text or secret values. You can clear local data by uninstalling the extension or clearing extension storage.

ClipGuard Pro License Verification

When you activate or periodically verify ClipGuard Pro, the extension sends the license key, a randomly generated installation identifier, the extension identifier, and extension version to the ClipGuard license API. This is used only to validate subscriptions, enforce device limits, prevent abuse, and provide support.

Permissions

ClipGuard requests the following permissions, and here's why:

Permission	Purpose
`storage`	Save settings, stats, patterns, audit metadata, and license state locally
`alarms`	Schedule daily stat resets
`notifications`	Show desktop notifications when secrets are blocked
`host_permissions: <all_urls>`	Scan paste events on all websites to protect you everywhere

The host_permissions: <all_urls> permission is required because ClipGuard needs to inject its content script into every page you visit to intercept paste events. This is a technical requirement of Chrome's extension API — the extension does not read or transmit your page content.

Third-Party Services

Creem acts as Merchant of Record and processes checkout, payments, taxes, invoices, refunds, subscription status, and license delivery. Cloudflare hosts the ClipGuard website and license proxy. These providers process only the information needed for those services under their own privacy policies.

Retention and Control

Local extension data can be removed by clearing extension storage or uninstalling ClipGuard. Subscription and transaction records are retained as needed to provide paid access, prevent fraud, handle disputes, and satisfy legal or accounting obligations.

Individual Pro audit logs remain local. Future Team cloud reporting is not enabled in version 0.3 and will require updated disclosures before release.

Children's Privacy

ClipGuard is a developer tool and is not directed at children under 13. We do not knowingly collect any information from anyone.

Changes to This Policy

We will update this policy before enabling any materially different data practice and will provide notice through the website, store listing, or extension as appropriate.

Contact

For questions or privacy requests, contact:

Email: ray861031@gmail.com

This privacy policy is effective as of June 12, 2026.