Privacy Policy

Last Updated: January 15, 2026

Introduction

ShadowKey ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use the ShadowKey browser extension and associated services.

Data Collection and Usage

We collect and process the minimum amount of data necessary to provide our services.

1. Session Data (Core Functionality)

  • Cookies: When you explicitly choose to "Capture" a session, the extension captures the cookies for the current active tab.
  • Zero-Knowledge Encryption: All session data is encrypted client-side using AES-256-GCM before being transmitted. We never have access to your decryption keys.
  • Usage: Encrypted session data is stored temporarily to enable the "Claim" functionality. Data is automatically deleted after the session duration expires.

2. User Information

  • Email Addresses: We collect your email address for account authentication and session management.
  • IP Addresses: We log IP addresses for security purposes (e.g., "Kill Switch" functionality, Geo-Fencing) and audit logging.

3. Browser Extension Permissions

The extension requires specific permissions to function:

  • cookies: To capture session state for sharing.
  • activeTab: To identify the current site you wish to share.
  • storage: To save your authentication token and preferences.
  • tabs: To manage browser tab navigation during session injection.

Data Sharing

We do NOT sell, trade, or share your personal data with third parties. Session data is only shared with the specific recipient you provide an access link to, and only for the duration you specify.

Data Retention

  • Session Data: Automatically deleted from our servers upon session expiration or when manually revoked.
  • Audit Logs: Retained for 30 days for security troubleshooting, then permanently deleted.
  • Account Data: Retained until you request account deletion.

Security

We implement industry-standard security measures:

  • All data in transit is encrypted via HTTPS (TLS 1.3).
  • Session data is encrypted using AES-256-GCM with client-side key management (Zero-Knowledge).
  • Direct database access is restricted to essential operations only.
  • We conduct regular security audits and monitoring.

Your Rights

You have the right to:

  • Revoke any active session immediately via the dashboard ("Kill Switch").
  • Request deletion of your account and associated data.
  • Export your usage data upon request.
  • Access and review your audit logs.

Contact Us

If you have questions about this policy, please contact us at:
support@shadowkey.org