VolPen — Privacy Policy

Effective Date: April 30, 2026
Last Updated: April 30, 2026
Version: 1.0.0


1. Introduction

VolPen ("the Extension") is a Chrome browser extension that passively scans web application login flows for security vulnerabilities. It detects OWASP Top 10 issues, API security misconfigurations, and Row-Level Security (RLS) problems.

This Privacy Policy explains what information VolPen collects, how that information is used, where it is stored, and what controls you have over your data. We are committed to transparency and to protecting your privacy.

By installing and using VolPen, you agree to the practices described in this policy.

2. Information We Collect

VolPen does not collect data automatically. All data capture occurs only when you explicitly initiate a scan. The extension collects the following categories of information during an active scan session:

2.1 Network Traffic Data

When you start a scan, VolPen passively observes HTTP/HTTPS requests and responses for the domain you are scanning. This includes:

  • Request and response headers (e.g., Content-Type, Authorization, Set-Cookie, CORS headers)
  • Response body content (used to detect vulnerabilities such as excessive data exposure, error disclosure, and reflected content)

This data is captured in a read-only, non-blocking manner. VolPen does not modify, redirect, or block any network requests.

2.2 Session Identity Information

To detect cross-tenant and Insecure Direct Object Reference (IDOR) vulnerabilities, VolPen extracts identity-related information from:

  • JSON Web Tokens (JWTs)
  • Cookies
  • API response payloads

This may include user IDs, tenant IDs, and role information present in the captured traffic. This data is stored ephemerally in session storage and is automatically cleared when the browser closes.

2.3 User-Provided Settings

  • Groq API Key — If you choose to enable AI-powered fix instructions, you provide your own Groq API key. This key is stored locally in your browser.
  • Extension preferences — Your scan settings and UI preferences are stored locally.

2.4 Vulnerability Findings

Analysis results, including detected vulnerabilities, severity ratings, affected endpoints, and remediation guidance, are generated locally and stored in your browser.

2.5 Information We Do NOT Collect

  • We do not collect personal information such as your name, email address, or account credentials.
  • We do not collect browsing history or activity outside of an active scan session.
  • We do not use analytics, telemetry, or tracking of any kind.
  • We do not collect data from any site other than the domain you explicitly choose to scan.

3. How We Use Your Information

All data collected by VolPen is used exclusively for the following purposes:

Purpose | Data Used
Vulnerability detection | Network headers, response bodies, session identity info
Cross-tenant / IDOR analysis | Extracted user IDs, tenant IDs, and roles from JWTs, cookies, and API responses
Active security testing (optional) | Network request patterns — performed only with your explicit consent
AI-powered validation & fix instructions (optional) | Sanitized, anonymized finding summaries sent to Groq LLM API — only when you explicitly enable this feature and provide your own API key
Report generation | Locally stored findings exported as JSON or Markdown at your request
Persisting your preferences | User settings and API key stored locally

VolPen does not use your data for advertising, profiling, marketing, or any purpose unrelated to security analysis.

4. Data Storage & Retention

4.1 Local Storage

All data is stored locally within your browser using Chrome's built-in storage APIs:

  • chrome.storage.local — Persistent storage for vulnerability findings, user settings, and your Groq API key (if provided). This data persists until you explicitly clear it or uninstall the extension.
  • chrome.storage.session — Ephemeral storage for active scan state and session identity information. This data is automatically cleared when you close your browser.

4.2 No Cloud Storage

VolPen does not sync data to any cloud service, remote server, or external database. Your data never leaves your browser unless you explicitly choose to:

  1. Export a report (saved to your local file system), or
  2. Enable the optional AI fix instructions feature (which sends sanitized findings to the Groq API).

4.3 Data Retention

  • Findings and settings remain in chrome.storage.local until you clear them via the Settings panel or uninstall the extension.
  • Session data is automatically purged when the browser session ends.
  • Exported reports are saved to your local file system and are managed by you.

5. Third-Party Services

5.1 Groq LLM API (Optional, User-Initiated)

VolPen offers an optional feature that sends sanitized vulnerability findings to the Groq large language model API for AI-powered validation and remediation guidance.

This feature:

  • Is disabled by default — You must explicitly enable it.
  • Requires your own API key — You must provide a personal Groq API key; VolPen does not include or share any API credentials.
  • Is user-initiated — Data is only sent when you explicitly request AI analysis for specific findings.

When enabled, the following applies:

  • Finding data is sanitized before transmission. Request bodies and sensitive tokens are stripped or redacted.
  • Only the minimum information necessary for analysis (rule ID, affected URL path, header names, vulnerability description) is transmitted.
  • Data sent to Groq is subject to Groq's Privacy Policy.
  • VolPen has no control over how Groq processes data once transmitted.

If you do not enable this feature, no data is ever sent to any external service.

5.2 No Other Third-Party Services

VolPen does not integrate with any other third-party services, APIs, analytics platforms, or advertising networks.

6. Data Sharing

VolPen does not sell, rent, trade, or share your data with any third party.

The only circumstance under which data leaves your browser is the optional Groq LLM integration described in Section 5, which requires your explicit action.

We do not share data with:

  • Advertisers or marketing platforms
  • Data brokers
  • Analytics providers
  • Any other third parties

7. Your Rights & Controls

You have full control over all data collected and stored by VolPen:

Action | How
Clear all stored findings | Open the extension popup → Settings panel → Clear Data
Clear session data | Close your browser — session storage is automatically purged
Remove your Groq API key | Open the extension popup → Settings panel → Remove the API key
Disable AI features | Do not provide a Groq API key, or remove an existing one
Stop scanning | Click the stop button in the extension popup — no further data is captured
Delete all extension data | Uninstall the extension — all chrome.storage.local and chrome.storage.session data is permanently removed by Chrome
Export your data | Use the export feature to download your findings as JSON or Markdown

No account or registration is required to use VolPen. You can uninstall the extension at any time to remove all associated data.

8. Security

We take reasonable measures to protect the data handled by VolPen:

  • All data is stored locally within Chrome's sandboxed extension storage, which is isolated from web page access.
  • The extension operates under Chrome's Manifest V3 security model, which enforces strict content security policies and permission boundaries.
  • Network observation is performed in a read-only, non-blocking manner — VolPen cannot modify, redirect, or block your traffic.
  • Scanning is domain-locked to the site active when you initiate a scan, preventing unintended cross-site data capture.
  • Request bodies are sanitized before any optional transmission to the Groq API.
  • Your Groq API key is stored locally and is never transmitted to any server other than Groq's API endpoint during authenticated requests.

While no software can guarantee absolute security, we design VolPen with a security-first approach and minimize data exposure at every stage.

9. Children's Privacy

VolPen is a professional security testing tool intended for use by web developers, security researchers, and IT professionals. It is not directed at children under the age of 13.

We do not knowingly collect any personal information from children. If you believe a child under 13 has used this extension, please contact us at the address below.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the extension's functionality or applicable requirements. When we make changes:

  • The "Last Updated" date at the top of this policy will be revised.
  • Significant changes will be noted in the extension's changelog or update notes on the Chrome Web Store listing.

We encourage you to review this policy periodically. Continued use of the extension after changes are posted constitutes acceptance of the updated policy.

11. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or VolPen's data practices, please contact us at:

Email: privacy@volpen.dev


This privacy policy was written to comply with the Chrome Web Store Developer Program Policies and the User Data Privacy requirements for browser extensions.