Privacy Policy

ShieldVault Browser Extension

In plain English

ShieldVault watches what you type or paste on certain websites and warns you when it spots something sensitive — like an API key or a heated message — before you send it. The text being checked never leaves your device.

Settings and a log of detection events (just the website and the time, never the actual text) are saved on your computer so the extension remembers them between sessions.

The only time ShieldVault talks to the internet is when you activate a paid Pro subscription — and even then, only your license key is sent for verification. That's it.

If that's all you needed to know, you're done. Everything below is the long version with technical details.

What ShieldVault analyzes locally

ShieldVault is built on a "detection without possession" principle. The extension analyzes text you type or paste in real time to detect sensitive content — API keys, credentials, confidential markers, and emotionally charged language — and warns you before that content is sent. The text being analyzed never leaves your device.

ShieldVault inspects text you type or paste into input fields on these websites:

AI chat platforms: ChatGPT, Claude, Gemini, Perplexity, Microsoft Copilot
Email: Gmail, Outlook
Social and professional: LinkedIn, Reddit, Twitter / X

The analysis runs entirely on your device using pattern matching. The text being analyzed is never transmitted, stored, or shared. After analysis completes, the text is discarded from extension memory.

What is stored locally on your device

ShieldVault uses Chrome's local extension storage (chrome.storage.local) to remember the following information across browser sessions. This information stays on your device and is never sent to any server:

Your preferences (which detection categories you have enabled or disabled)
Lifetime statistics: total secrets blocked, total behavioral warnings, and the date you first installed the extension
A local activity log of recent detection events containing only metadata: the website domain, the time, the detection category (for example, "OpenAI API Key" or "Aggressive Punctuation"), and whether the action was a paste, type, or submit. The actual content of any detected text is never stored.
Your weekly behavioral catch count and the current week identifier (used to enforce the free tier's 10-catch weekly limit)
A daily repeat-offender counter to provide additional warnings if the same type of secret is blocked multiple times in one day
If you activate a Pro subscription, your license key string and Pro status flag

All of this data can be cleared at any time by uninstalling the extension or by clicking "Clear" inside the extension's activity panel.

What is transmitted off your device

ShieldVault makes network requests in only one circumstance: license verification.

When you activate a Pro subscription using a license key, the extension sends the license key string to ShieldVault's verification endpoint (https://shieldvault.site/api/license/verify or its backup https://extension-paywall.replit.app/api/license/verify). The server confirms whether the key is valid and returns a yes-or-no response. The same verification call may run when the extension loads, to confirm that an existing Pro activation is still valid.

These license verification requests transmit only the license key. No browsing data, no detected text, no detection events, no usage statistics, and no personally identifying information are transmitted with the request.

If you do not activate Pro, ShieldVault makes no network requests at any time.

Payment processing

If you choose to upgrade to Pro, you are redirected from the extension to a checkout page hosted by ShieldVault (https://shieldvault.site/api/checkout/quick), which uses Stripe to process payment. The extension itself never sees, handles, or stores your payment card information. Stripe collects payment information directly under their own privacy policy. After successful payment, you receive a license key, which you then enter into the extension to activate Pro.

What ShieldVault does NOT do

ShieldVault does not collect personal information
ShieldVault does not record browsing history
ShieldVault does not transmit the text you type or paste
ShieldVault does not store detected secrets or message content
ShieldVault does not use analytics or telemetry
ShieldVault does not use cookies
ShieldVault does not share data with advertising partners or data brokers
ShieldVault does not track you across websites
ShieldVault does not have an account system or user identifiers

Permissions explained

ShieldVault requests the minimum permissions necessary:

storage permission: Used to save your settings, lifetime statistics, activity log metadata, and (if applicable) Pro license status to local extension storage on your device.
host_permissions for https://shieldvault.site/* and https://*.replit.app/*: Used solely to verify Pro license keys when you activate a subscription.
Content script access to the websites listed above (ChatGPT, Claude, Gemini, Perplexity, Copilot, Gmail, Outlook, LinkedIn, Reddit, Twitter / X): Used solely to read text from input fields on those sites for local detection. No content is transmitted off your device.

Children's privacy

ShieldVault is not directed at children under 13 and does not knowingly collect personal information from children under 13.

Changes to this policy

If this policy changes, the updated version will be posted at this URL. Material changes — anything that affects what data is handled or how — will be reflected in the version date below.

Contact

Questions about this privacy policy? Email privacy@shieldvault.site