Privacy Policy

Last updated: March 7, 2026

Overview

Clearmark is a Chrome extension that provides trust scores for websites based on publicly available data. We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and how we safeguard your information.

The short version: We don't track your browsing history. We don't collect personal information. We don't sell data. We use a privacy-preserving lookup system so our servers don't know which specific domains you visit during normal browsing.

What data is collected

During normal browsing (passive mode):

When you visit a website, the extension checks if a trust score is available using a hash-prefix lookup. This means:

• The extension computes a SHA-256 hash of the domain name locally on your device.
• Only the first 2 characters of this hash (the "prefix") are sent to our server to retrieve a batch of scores (a "shard").
• Each shard contains scores for many domains that share the same hash prefix. The server cannot determine which specific domain you are looking up.
• This is the same k-anonymity technique used by Google Safe Browsing and Have I Been Pwned to protect user privacy.

When you explicitly request a score:

If you click "Request a Score" for an unscored domain, the full domain name is sent to our scoring API. This only happens when you explicitly initiate it. The domain is scored and the result is cached for future lookups.

Auto-score opt-in:

Users can optionally enable "Auto-score unknown domains" in settings. When enabled, if you navigate to a domain that has no existing score, the full domain name is sent to our API for scoring. This feature is off by default and must be explicitly enabled. We recommend users understand this privacy trade-off before enabling it.

What data is NOT collected

• Browsing history or page URLs (only domain names, and only via hash-prefix by default)
• Passwords, form data, or cookie contents
• Personal information (name, email, address)
• Device identifiers or fingerprints
• IP-based location tracking (we don't log your IP address)
• Keystrokes or page content

Where data is processed

Our scoring API runs on Cloudflare Workers, which process requests at edge locations worldwide. Scored results are stored in Cloudflare D1 (a serverless SQL database) and served via Cloudflare R2 (object storage). All data stays within the Cloudflare network.

Third-party APIs

When scoring a domain, our server queries the following publicly available data sources. Only the domain name is sent to these services:

• RDAP (Registration Data Access Protocol) — domain registration and ownership information via the IANA RDAP bootstrap
• trade.gov Consolidated Screening List — US government trade restriction and sanctions data
• OpenSanctions — international sanctions and enforcement data
• ToS;DR (Terms of Service; Didn't Read) — terms of service quality ratings
• Wikidata — structured entity data (company headquarters, ownership, founding date)
• PrivacySpy — privacy policy quality ratings
• Google Web Risk — malware, phishing, and social engineering threat data
• crt.sh — certificate transparency log data

No personal data about you is sent to any of these services. Only the domain name being scored is transmitted.

Data retention

• Scored results are cached in our database indefinitely to serve future lookups. Scores may be periodically refreshed.
• Shard lookups are not logged. We do not record which hash prefixes are requested.
• Local extension data (cached scores, settings) is stored in your browser's local storage and can be cleared by removing the extension.

Premium licenses

If you purchase a premium license, we store your license key and associated email address for license validation purposes. Payment processing is handled by our payment provider; we do not store credit card information.

Permissions

The extension requests the following Chrome permissions:

• activeTab — to read the domain of the currently active tab when you interact with the extension
• storage — to cache scores and settings locally in your browser
• alarms — to periodically refresh cached shard data
• sidePanel — to display detailed trust reports in the browser side panel

Changes to this policy

We may update this policy as the product evolves. Significant changes will be noted with an updated "Last updated" date. Continued use of the extension after changes constitutes acceptance of the updated policy.

Contact

For privacy inquiries, contact us at privacy@clearmark.dev.