What leaves your browser. What doesn't.

Sitelight is built for people who are tired of being asked to trust a security tool with their browsing history. This page explains, in plain English, exactly what we see and exactly what we don't. If anything here surprises you, email [email protected] and we'll fix the language.

The one-sentence version

Sitelight never sees the full address of the pages you visit. We never log your IP. We never link any check to an account. Everything else on this page is a longer way of saying that.

What we actually send to our servers

When you load a website, the Sitelight extension figures out the registered domain of that site on your own computer — for example, shop.example.com becomes example.com. The extension then sends three small pieces of information to our servers over an encrypted connection:

• The registered domain name (the example.com part). Without this, we literally cannot look up whether the site is on any known-scam list or check how old it is. This is the one tradeoff we make, and it's deliberate.
• A cryptographic fingerprint of that same domain name (a SHA-256 hash). We use this as an anonymous identifier in our own records so we can count how many checks we've run without tying anything to an actual domain in storage.
• Whether the connection is private (a single yes/no flag for HTTPS). We use this to warn you when you're about to type a password or card number into a page that isn't encrypted.

That's it. The full web address, the path (/cart/checkout), the query string (?q=something), any URL fragments, and any subdomain are all stripped off in your own browser before the request goes out. Our server never sees them and cannot reconstruct them.

What we do not log

We are explicit about what we throw away:

• We do not log your IP address in our own records. Our servers run on Cloudflare's edge network, which keeps short-lived operational logs that include IP addresses — the same way any website's server does. Those logs are Cloudflare's, not ours, and we never query them, export them, or join them to our records. Cloudflare rotates them automatically as part of their standard operations.
• We do not set any tracking cookies or use any third-party analytics on the extension.
• We do not record a user agent string in our own records for safety checks.
• We do not log the plain-text domain name past the moment the request is answered. Only the anonymous fingerprint is persisted.
• We do not send a device ID or an account token with a safety check. The scoring request is fully anonymous.

What gets stored in our records for each check is: the anonymous fingerprint, the verdict (green, yellow, or red), the reason code, and a timestamp. Even if our database were fully compromised tomorrow, an attacker would get a pile of hashes with no way to link them to you.

Premium and your purchase

Premium works a little differently because we have to know who to charge. When you upgrade, your browser generates a random device identifier — not linked to your name, email, or Google account — and shows it to you on the upgrade page. We pass that identifier to Stripe as the reference for your subscription. We hold a record linking the device identifier to your Stripe subscription so Premium features unlock in the extension, and we hold the minimum billing information Stripe sends back: subscription status, plan (monthly or annual), and expiration date.

We never join purchase records to safety-check records. They live in separate tables, queried through separate endpoints, and we've deliberately made it impossible from our side to ask "what sites did this paying user check?" — because the answer isn't in our systems to find. Premium safety checks use a separate endpoint that verifies your license before running, but we do not log the license token, device identifier, or any other identifier alongside the check — the license is used only to unlock the Premium signal set, not to attribute the check.

You can cancel Premium any time from inside the extension's options page. Cancellation happens through Stripe's own customer portal — there is no retention dialog, no "are you sure?" loop. Your Premium features stay active through the end of the period you've already paid for.

Data stored on your device

Your browser keeps a short-lived cache of recent verdicts so repeat visits to the same site show instantly instead of making a fresh network request. This cache lives only on your own computer, expires within an hour, and never leaves your browser. We keep no browsing history on our servers at all.

When Premium launches, expanded site reports will also cache locally in your browser's own storage so they load instantly, with a button to clear them from the Premium options page. That data will never leave your computer either.

Where your data lives

Our servers run on Cloudflare's edge network, which means the server answering your browser's request is usually one in the same city or country you're browsing from. We do not transfer data to third-party marketing or advertising platforms.

Two other third parties see a limited slice of Sitelight data in the normal course of the product working:

• Public domain-registration databases (the RDAP system, which we query through rdap.org and the registrar servers it redirects to). This is how we check how old a site is. Each lookup includes the domain name you're visiting, but never your IP address and never any identifying information about you — the request comes from our server, not yours.
• Stripe, and only for Premium billing. Stripe never sees any safety-check data. (This will apply once Premium launches; there is no Stripe data flow in the free tier.)

Your rights and how to reach us

Because we keep so little data, most privacy requests are either already satisfied or are easy to handle. You can email [email protected] to ask us to delete your Premium record, cancel your subscription, or answer any question about what we hold.

Changes to this policy

If we change anything material about what we collect, we'll update the date at the top of this page and explain the change clearly. We'll never quietly loosen the privacy promise in the "one-sentence version" — if that ever changes, we'll tell you about it directly through the extension.