Legal

Privacy Policy

Last updated: March 6, 2026

1. Who we are

ZeroExpose ("we", "us", "our") operates the website at zeroexpose.app and the ZeroExpose browser extension. This policy explains what data we collect, why, and how you can control it.

For privacy enquiries contact us at zeroexposeapp@gmail.com.

2. The extension — zero data collection

The ZeroExpose browser extension performs all detection entirely on your device. The extension:

  • Does not transmit your prompts, keystrokes, or clipboard contents to any server
  • Does not record what you type or paste into AI tools
  • Does not track which websites you visit beyond the AI platforms it is configured to protect
  • Does not use any cloud model or remote API for detection
  • ·Stores only your auth token and synced settings in chrome.storage.local on your device

Detection rules (regex patterns) are bundled inside the extension and run entirely within your browser sandbox. We are architecturally unable to access what you type.

3. The portal — what we collect and why

When you create an account on zeroexpose.app we collect:

Email address

Used for passwordless authentication (OTP). We send you a one-time code to sign in. No password is ever stored.

Extension session token (hashed)

A random 64-character token is created when you connect the extension. We store only its SHA-256 hash — the raw token never touches our database.

Detection settings

Your sensitivity preferences and enabled detection categories, so they sync across devices.

Subscription status

Plan type and billing period, so the extension knows whether your subscription is active. Payment details are handled entirely by Stripe — we never see your card number.

4. Audit logs (teams only, opt-in)

Audit logs are disabled by default. Team administrators can enable them for compliance purposes. When enabled, the extension sends a record of detection events (pattern type and timestamp — never the raw secret value) to our servers. Members are notified when audit logging is active.

5. Cookies and local storage

The portal uses a secure, HTTP-only session cookie set by Supabase Auth to keep you signed in. No advertising or tracking cookies are used.

The extension stores your auth token, email address, and settings in chrome.storage.local on your device. This data is not synced to Chrome's cloud storage.

6. Third-party services

Supabase

Database and authentication. Hosted on AWS (EU region). Privacy policy: supabase.com/privacy

Stripe

Payment processing. We pass your email to Stripe to create a billing record. Stripe handles all card data. Privacy policy: stripe.com/privacy

Vercel

Hosting for zeroexpose.app. Vercel may log request metadata (IP, user-agent) for security and performance. Privacy policy: vercel.com/legal/privacy-policy

7. Data retention

Your account data is retained for as long as your account exists. You can request deletion at any time by emailing zeroexposeapp@gmail.com. We will delete your email, settings, session tokens, and any audit logs within 30 days.

8. Your rights (EEA / UK)

If you are in the European Economic Area or United Kingdom, you have the right to access, correct, port, or erase your personal data. You also have the right to object to processing and to lodge a complaint with your local data protection authority. To exercise any of these rights contact zeroexposeapp@gmail.com.

9. Children

ZeroExpose is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via email or a notice on the portal. The "Last updated" date at the top always reflects the current version.