Privacy Policy
Effective date: September 14, 2025
Summary
- We collect your IP address, DNS queries, active page URL, and page text (runtime-only) to assess website risk.
- Page text and other runtime signals are deleted within 24 hours and are not used for any purpose other than automated risk checks.
- The only data we persist are domain-level risk scores (e.g., example.com → score) and self-reported domains you submit—neither is tied to you.
- We do not sell, rent, or license personal information to anyone. We also do not retain, sell, rent, or license personal information beyond what is necessary for the runtime checks described here.
- No customer data is sent to third parties.
Information We Collect
1) Runtime signals (short-lived; deleted within 24 hours)
- IP address (of the requesting device or network egress)
- DNS queries needed to evaluate a site
- Active page URL (the address of the site you are visiting)
- Page text (runtime-only): the visible text of the page may be read by the extension to compute features that help detect malicious behavior. We do not store raw page content beyond 24 hours, and we do not use it for any purpose other than automated risk assessment.
Purpose: to detect, score, and help prevent potentially malicious activity in real time.
Retention: these runtime signals are ephemeral and are deleted within 24 hours of collection.
Human access: page text is evaluated automatically to compute a risk score; we do not manually review or otherwise “read” your page content, unless you voluntarily submit a domain report (see below).
2) Persisted records (non-personal)
- Domain risk scores: domain-level entries like domain → risk score. No user identifiers, IP addresses, or page text are stored with these scores.
- Self-reported domains: domains you manually report to us (e.g., false positives/negatives). Stored as domain strings and minimal metadata needed to review reports; not tied to your identity.
Purpose: to improve detection quality, reduce false positives, and maintain historical risk assessments at the domain level.
Retention: retained as needed for accuracy and product improvement. You can request removal of specific self-reported domains (see “Your Rights & Choices”).
What We Don't Collect
- Form contents, passwords, or cookies.
- Full browsing history beyond the single active tab URL needed at evaluation time.
- Advertising identifiers for ad targeting.
How We Use Information
- To compute and display website risk scores in the extension (automated processing only).
- To maintain and improve our domain-level maliciousness database.
- To respond to your requests (e.g., review a self-reported domain).
- To secure our services, prevent abuse, and debug issues.
Legal Bases (EEA/UK users)
Where GDPR/UK GDPR applies, we process:
- Ephemeral runtime signals based on legitimate interests (security, fraud prevention, product functionality).
- Persisted domain scores/self-reports based on legitimate interests (maintaining an accurate risk registry).
If we ever rely on consent (e.g., for optional features), we'll ask you clearly.
Sharing and Disclosure
No customer data is sent to third parties. We do not sell, rent, or license personal information to any third party.
We may disclose information only if required by law or to protect the rights, safety, or security of our users or others.
Retention
- IP/DNS/URL and page text (runtime data): deleted within 24 hours.
- Domain scores & self-reported domains: retained as needed for accuracy and auditability. If you ask us to remove a self-reported domain submission you made, we will do so unless we must retain it for legal or security reasons.
Security
We use reasonable technical and organizational safeguards (e.g., transport encryption, access controls, least-privilege practices). No method of transmission or storage is 100% secure, but we aim to minimize retained personal data by design.
International Transfers
If data are processed outside your region, we implement appropriate safeguards (e.g., standard contractual clauses) where required by law.
Your Rights & Choices
Depending on your location, you may have rights to:
- Access, correct, or delete your personal information.
- Object to or restrict certain processing.
- Withdraw consent where processing relies on consent.
- Lodge a complaint with your data protection authority.
To exercise rights or request deletion of a self-reported domain submission, contact us at contact@ztasecurity.com. We may need information to verify your request.
Children's Privacy
Our extension is not intended for children under 18. We do not knowingly collect personal information from children.
Do Not Track
We do not respond to browser "Do Not Track" signals because there is no consistent industry standard. We also do not use data for cross-site ad tracking.
Chrome Web Store Disclosure
The extension requests only the permissions necessary to function (e.g., access to the active tab URL, limited page text read for runtime checks, and network context for security scoring). Data is used solely to provide the features described above and in accordance with the Chrome Web Store User Data Policy.
Changes to This Policy
We may update this Policy from time to time. If changes are material, we will take reasonable steps to notify you (e.g., update the "Effective date" and, where appropriate, provide an in-product notice).
Contact Us
Controller: ZTASecurity
Email: contact@ztasecurity.com