LAST UPDATED: June 2026
Privacy Policy
HackerHare ("we," "our," or "the extension") is a browser security extension. This policy describes what information is processed on your device, what (if anything) is sent to our servers, and your choices.
1. On-device security checks
HackerHare is built with a privacy-first model: security checks run in your browser. We do not receive the content of your browsing or what you type into forms.
- Webpage form scanning, insecure-protocol checks, deceptive UI analysis, and hostname-based phishing checks run locally on your device inside the extension.
- We analyze page structure (for example, forms, checkbox labels, and the current page hostname) only to provide these protections. We do not read, collect, or transmit your passwords, form field values, personal identification numbers (such as SSNs), or other information you enter into fields.
- We do not collect, store, or transmit a history of sites you visit. The current page is used in memory for checks on that page only.
- Protection features work without sending page URLs, field values, or alert details to our servers.
- Phishing hostname checks use heuristics that may produce false positives (for example, on legitimate sites with lookalike subdomains). The extension bundles a curated brand-domain registry to reduce those false positives on known official sites.
2. Trusted sites (user whitelist)
Users may save domain names they trust so phishing hostname alerts are not shown for those sites.
- Trusted domains are stored only in extension storage on the user's device.
- They are not transmitted, sold, shared, or synced to our servers or third parties.
- You can add a site from a phishing alert ("Trust this site") or manage your list anytime in extension Settings.
- You can remove trusted sites at any time in extension Settings.
- Trusting a site affects phishing hostname checks only. Other protections (Form Shielding, HTTP password alerts, dark-pattern alerts) can still run on that site.
3. System defaults (bundled brand registry)
To reduce phishing false positives, the extension ships with a curated list of known brand domains bundled at install time.
- This registry is not user-specific—it is the same for every install of a given extension version.
- Official brand sites in the registry skip cross-brand typosquat checks that might otherwise flag legitimate pages.
- The list updates when you install a new extension version from the Chrome Web Store; it is not fetched from our servers at runtime.
- You can review read-only system defaults in extension Settings; you cannot edit the bundled list from the extension UI.
4. Local storage on your device
The extension uses Chrome extension storage on your device to save:
- Your protection settings (such as Form Shielding and alert toggles),
- Your local Threats Intercepted count shown in the popup,
- Whether you have enabled Anonymous global counter (see Section 5),
- Your trusted-site list (registrable domain names only—no page content).
This information stays on your device and is not uploaded to our servers as part of normal protection features.
5. Anonymous global counter (optional)
To show collective community impact, HackerHare can send an optional, anonymous signal to our server.
- Off by default. You must turn on Anonymous global counter in the extension popup to enable this. You can turn it off at any time.
- When a local security check flags a potential risk on your device (including alerts that may later prove to be false positives), the extension may send a blank, stateless POST request to our metrics endpoint at https://hackerhare.vercel.app/api/metrics/increment with a handshake header only—no request body—to increment a public global counter of heuristic flags, not a count of confirmed attacks.
- This request contains no page URLs, alert context, form content, trusted-site or whitelist data, user identifiers, or account information. It is used only to add +1 to an aggregate total, not to track you individually.
- We do not use this ping to build user profiles or to store your browsing history. Our counter is a single community statistic of heuristic alerts, not a per-user log and not proof that each flag was a real threat.
6. What we do not do
- We do not sell personal information.
- We do not share browsing or form content with advertisers, data brokers, or analytics firms.
- We do not use remote code: all extension logic is packaged in the extension at install time.
7. Hosting and service providers
Anonymous global counter requests are processed by servers we operate (hosted infrastructure). Those requests are limited to the blind counter ping described in Section 5. We do not share aggregate counter data with advertisers or data brokers.
8. Data sharing and third parties
We do not collect personal browsing or form content on our servers, and we do not sell or trade that information. Trusted-site lists and other extension storage data remain on your device. The only server communication from the extension is the optional anonymous counter ping in Section 5, used solely for the public community total.
9. Your choices
- Protection settings: Control Form Shielding and related alerts in the extension popup.
- Trusted sites: Add or remove trusted domains in extension Settings, or trust a site from a phishing alert. Review read-only system defaults in Settings.
- Anonymous global counter: Enable or disable at any time in the popup. When disabled, no counter pings are sent; your local Threats Intercepted count still works on your device.
- Privacy and terms: Extension Settings includes links to this policy and our Terms of Service.
10. Changes to this policy
We may update this policy from time to time. We will post the revised version on this page and update the "Last updated" date above.
11. Contact
For questions about this policy, contact us through our official project repository.