Privacy Policy
Last updated: April 19, 2026
Overview
SafeBrowz is a browser extension for Chrome, Firefox, and Edge that detects scams and phishing websites in real time. Your privacy is important to us. This policy explains what data we process, how we handle it, and what we never store.
We never sell your data and never ask for your name or email. SafeBrowz processes URLs and page text in real time to detect scams. For performance and detection improvement, our server retains a small set of non-identifying scan metadata (domain name, verdict, detection signals) and Premium license data (license key, wallet address for crypto payments, device count). No full URLs, page content, or personal identifiers are stored, and nothing is linked to your identity. Details in each section below.
Data We Process (Real-Time Only)
To detect scams and phishing, SafeBrowz must process the following data in real time. None of this data is linked to your personal identity:
- URLs of pages you visit - Sent to security APIs (PhishTank, URLhaus) and our proxy server (which in turn may call Google Safe Browsing) to check if they are malicious. Discarded immediately after the check. Only heuristic metadata (domain + signals) is retained in the Detection Improvement Log.
- Page text content (Premium only) - For websites not on our verified safe list, the visible text content is sent through our proxy to AI for scam analysis. Not stored after the response is returned.
- Password hash prefix (Premium only) - When you type a password, only the first 5 characters of the SHA-1 hash are sent to HaveIBeenPwned via k-anonymity. Your actual password never leaves your device.
- License key and device instance ID (Premium only) - Sent to our server during activation and periodic validation to enforce the 3-device limit per license. Stored only to validate your Premium access.
- Wallet address, signed message, and transaction hash (Crypto payment only) - If you buy Premium with USDC on Base, these are sent to verify the payment on-chain. Stored to issue and validate your license key.
Data We Do NOT Collect or Store
- Your name, email, or any personally identifiable information
- A persistent log of websites you visit (URLs are processed in real time and discarded)
- Your actual passwords or login credentials
- Financial or payment information (card payments handled by LemonSqueezy, crypto payments verified on-chain - we never see your card details or private keys)
- Location data, IP-based tracking, or device fingerprints
- Cookies, advertising IDs, or analytics tracking
How The Extension Works
When you visit a website, SafeBrowz performs a multi-layer scan:
- Layer 1 - Local Checks: URL patterns, typosquat detection, safe domain list, HTTPS verification. Runs entirely in your browser, no data leaves your device.
- Layer 2 - API Checks: Queries public security databases (Google Safe Browsing, PhishTank, URLhaus) with only the URL being checked. Domain age checked via RDAP or WHOIS with domain name only.
- Layer 3 - AI Analysis (Premium): For websites not on our verified safe domain list, page text content is sent through our secure proxy server (safebrowz.com/api) to AI for scam and phishing analysis. No personal data is included. Trusted sites (Google, Facebook, banks, etc.) are skipped automatically.
- DNS and SSL Checks (Premium): Domain existence and SSL certificate validity checked through our proxy server with domain name only.
Our Proxy Server
Premium features (AI scan, DNS check, SSL check) are routed through our server at safebrowz.com/api. This server:
- Acts as a proxy to protect API keys from exposure in the extension code
- Caches the domain name and safety verdict (safe, caution, or danger) for performance so repeated visits by any user get instant results. Cache entries expire automatically based on severity: 30 days for confirmed dangerous domains, 14 days for verified safe domains, 7 days for caution-level domains. No full URLs, page content, or user-identifying data is cached
- Forwards requests to third-party APIs and returns the response
- Validates license keys for premium features
- Does not track which user visits which website. Our application database does not link IP addresses, browser fingerprints, or session identifiers to scans, license keys, or any user identity. Standard web-server access logs (nginx) are retained short-term (typically 14 days) for operational debugging and contain only request timestamps and paths. These logs are not cross-referenced with scan data or license records
Third-Party Services
SafeBrowz uses the following services:
| Service | Purpose | Data Sent |
|---|---|---|
| Google Safe Browsing (US) | Check if URL is malicious - called server-side via our proxy | URL only |
| PhishTank (US) | Check if URL is phishing | URL only |
| URLhaus (EU) | Check if URL distributes malware | URL only |
| RDAP.org | Check domain registration age | Domain name only |
| HaveIBeenPwned | Password breach checking | First 5 chars of SHA-1 hash (k-anonymity) |
| AI content analysis | Scam detection on suspicious pages - routed through our proxy (Premium only). The extension itself does not contact any AI service directly. | URL + page text excerpt |
| LemonSqueezy (US) | Card payment processing and license validation | License key (for validation); billing email and card details go directly to LemonSqueezy, not to us |
| Base blockchain RPC | Crypto payment verification (USDC on Base) | Wallet address and transaction hash (public on-chain data) |
International transfers. Several services above are US-based. If you are in the EU/UK, by using SafeBrowz you understand that URLs or page-text excerpts (Premium only) may be processed outside the EU/UK solely to return a scam/phishing verdict. No personal data is included.
No personal data is included in any request. Only the URL, domain name, or page text content of the website being checked is sent to these services.
Password Breach Check
When you type a password on any website (Premium feature), SafeBrowz checks if it has appeared in known data breaches using the HaveIBeenPwned API. This uses k-anonymity: only the first 5 characters of the password's SHA-1 hash are sent. Your full password is never transmitted to any server. This check happens locally and the result is shown only to you.
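The k-anonymity lookup described above, as an added example (not SafeBrowz's own code): the password is hashed, only the 5-character prefix goes to the range endpoint, and the remaining 35 characters are matched on the device. The `SUFFIX:COUNT` line format is that of the Pwned Passwords range API; `checkPassword`, `fetchRange` and `SAMPLE_RANGE` are hypothetical names, the sample response is constructed, and Node's `crypto` module stands in for the browser's WebCrypto so the block runs offline.

```javascript
// Added example: k-anonymity range lookup, exercised against a constructed response.
const { createHash } = require("node:crypto");

// Split the uppercase SHA-1 hex digest into the 5-char prefix (the only part
// that is sent) and the 35-char suffix (which stays on the device).
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach
// count for our suffix, or 0 when it is absent. The match is done locally.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// fetchRange(prefix) is injected (hypothetical) so the flow can be tested
// without network access; a real client would request /range/<prefix>.
function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(password);
  const body = fetchRange(prefix);
  return { sentToServer: prefix, breachCount: countInRange(body, suffix) };
}

// Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
// with 5BAA6). Counts and the non-matching suffixes are made up.
const SAMPLE_RANGE = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",
  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
].join("\r\n");
```

Recording what `fetchRange` receives is a direct way to audit that nothing beyond the 5-character prefix leaves the client.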
Premium License
SafeBrowz Premium can be purchased via card or cryptocurrency. Here is how each method handles your data:
Card Payment (LemonSqueezy)
- Your license key is stored locally in your browser using the browser storage API
- The key is validated against our server (safebrowz.com/api) and LemonSqueezy
- Re-verification happens periodically to confirm the license is still active
- We do not store your card details. All card payments are processed by LemonSqueezy
- Removing the extension deletes your license key from the browser
Cryptocurrency Payment (USDC on Base)
- You pay by sending USDC on Base chain to our wallet address
- You sign a message with your wallet to prove ownership (EIP-191 personal_sign). This signature cannot be used to access your funds or make transactions
- We store only your wallet address (public on-chain data), the transaction hash, and the generated license key on our server
- We never have access to your private keys, seed phrase, or wallet funds
- Your license key is generated on our server and works the same as a card-purchased key
- Payment verification is done by checking USDC transfer events on the Base blockchain (public data)
Browser Permissions
SafeBrowz requests the following browser permissions:
| Permission | Why |
|---|---|
| storage | Cache scan results, store settings and license key locally |
| tabs | Read the current tab URL to scan the website you are visiting |
| activeTab | Access the active tab for scanning |
| webNavigation | Detect when you navigate to a new page to trigger auto-scan |
| notifications | Show desktop alerts when a dangerous site is detected (Premium) |
| alarms | Schedule periodic community database refresh (every 6 hours) |
Host Permissions
The extension connects to the following domains:
- safebrowz.com - Our API proxy server (AI scan, DNS, SSL, license verification, Safe Browsing)
- checkurl.phishtank.com - PhishTank phishing database
- urlhaus-api.abuse.ch - URLhaus malware database
- rdap.org - Domain WHOIS / registration lookup
- api.pwnedpasswords.com - Password breach check (k-anonymity)
- raw.githubusercontent.com/meraja34/SafeBrowz-DB - Community blacklist and whitelist database (read-only)
Data Storage
Data stored locally in your browser using the browser storage API:
- Scan result cache (expiry depends on verdict: 30 days for danger, 14 days for safe, 7 days for caution)
- User whitelist (trusted domains you manually approve)
- Scan history (Premium only, stored locally)
- License key and verification timestamp (Premium only)
- All data is stored only on your device
- All data is deleted when you remove the extension
Community Database
SafeBrowz fetches a community-maintained blacklist and whitelist from a public GitHub repository every 6 hours. This is a one-way download. No data about your browsing is uploaded.
Detection Improvement Log
To improve detection accuracy and identify missed scams or false positives, our server keeps a minimal scan log. Each row stores only heuristic metadata derived from the scan, not raw user data:
- Domain name and its TLD
- Verdict (safe, caution, or danger) and which detection layer triggered it
- Domain registration age (in days)
- Boolean heuristic flags from the scan (has login form, has connect-wallet button, countdown timer present, free-hosting provider, drainer script signature matched, obfuscated JavaScript, seed-phrase prompt, anti-debug tricks, etc.)
- Extracted scam keyword count, a short brand name if the page mentioned one, and the AI-identified brand if brand impersonation was detected
- Path pattern of the URL (e.g. "/claim", "/verify") - never the full URL with query parameters or fragments
- Unix timestamp of the scan
The log does not contain: your name, email, IP address, device ID, license key, full URLs, query parameters, page content, form inputs, or any value that can identify you personally. Entries are automatically pruned after 90 days.
Remote Code
SafeBrowz does not execute any remotely hosted code. All extension code is bundled within the extension package. The only remote data fetched is the community database (JSON files) and API responses (JSON data), neither of which contain executable code.
Data Sharing
We do not sell, trade, or transfer any user data to third parties. The only data transmitted is website URLs and page content to security APIs for the sole purpose of scam detection, as described above.
Marketing Site Analytics
The browser extension uses no analytics and no tracking. The safebrowz.com marketing website separately uses Google Ads conversion tracking to measure advertising effectiveness. This only applies when you visit the website itself and has no connection to the extension.
Your Rights
You can request at any time to access, correct, or delete any data we hold about you by emailing safebrowz3@gmail.com. For Premium users, deletion requests will remove your license record, activated device IDs, and (for crypto payments) your wallet address and transaction hash from our database. The extension itself stores everything locally in your browser; removing the extension deletes all local data.
Children's Privacy
SafeBrowz does not knowingly collect any data from children under 13. Since we do not collect personal data from any user, this is inherently satisfied.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.
Contact
If you have questions about this privacy policy, please contact us at safebrowz3@gmail.com