Privacy Policy
Last updated: June 2, 2026
SamuAI (“we,” “us,” or “our”) operates the website at samuai.dev and the SamuAI browser extension (collectively, the “Service”). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.
Information We Collect
Account Information
When you create an account, we collect your email address and a hashed password. We do not store passwords in plain text. If you subscribe to a paid plan, payment processing is handled entirely by Stripe — we never see or store your credit card number.
Scan Data
When you scan a tool, we process the tool's publicly available metadata: its manifest, permissions, store listing, developer information, and privacy policy URL. We do not collect any data from your personal use of those tools. Scan results are stored in our database so they can be displayed in the catalog and shared via reports.
Browser Extension
The SamuAI browser extension uses the management permission to read the list of your installed browser extensions for auditing purposes. Here is exactly what the extension does with your data:
- Installed extension list: When you open the extension popup, the full list of your installed extensions (name, ID, version, permissions, enabled status) is read locally. This list is used to render the audit view inside the popup and is never sent to our servers in bulk.
- Automatic score lookups: When the audit tab loads, individual extension IDs are sent to our API via read-only GET requests to check whether an existing score is available. These lookups do not consume your scan quota and do not trigger new analysis. Your IP address is visible to our server during these requests.
- On-demand scanning: A full scan (which creates a new analysis and counts toward your quota) only runs when you explicitly click “Scan” on an extension or submit a tool in the Quick Scan tab.
- Chrome Web Store integration: When you visit an extension's detail page on the Chrome Web Store, the extension automatically sends that extension's ID to our API to look up and display an existing score. If no score exists, a “Scan Now” button is shown; no scan runs without your click.
- Local storage: The extension stores your authentication token and cached scan results locally using chrome.storage.local. This data never leaves your device unless you sign in or initiate a scan.
- What we do not collect: The extension does not access your browsing history, page content, cookies, autofill data, or any data from within the extensions you have installed. It only reads extension metadata (names, permissions, IDs), not the data those extensions process.
Usage Data
We collect basic server logs (IP address, request timestamps, user agent) for rate limiting and abuse prevention. These logs are not linked to your account and are automatically purged after 30 days.
How We Use Your Information
- To provide, maintain, and improve the Service
- To process your scans and display results
- To manage your account and subscription
- To enforce rate limits and prevent abuse
- To respond to support requests
We do not sell your personal information. We do not use your data for advertising. We do not share your information with third parties except as described in this policy.
Third-Party Services
We use the following third-party services:
- Stripe — payment processing for paid subscriptions. Stripe's privacy policy applies to payment data.
- Vercel — hosting and infrastructure. Our application runs on Vercel's platform.
- Neon — PostgreSQL database hosting. Your account and scan data are stored in Neon's infrastructure with encryption at rest.
- Anthropic — AI-generated summaries. When a tool is scanned, its publicly available metadata (permissions, manifest, store listing) may be sent to Anthropic's API to generate a plain-language risk summary. No user personal data is included in these requests.
Data Security
We implement industry-standard security measures to protect your data: all connections use TLS/HTTPS, passwords are hashed with bcrypt, authentication uses httpOnly secure cookies and JWT tokens, and our database connections are encrypted. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
Cookies
We use a single httpOnly session cookie to keep you signed in. We do not use tracking cookies, analytics cookies, or advertising cookies. The browser extension uses chrome.storage.local to store your authentication token locally.
Data Retention
Account data is retained for as long as your account is active. Scan results are retained indefinitely as part of the public catalog. Server logs are purged after 30 days. You can request deletion of your account and associated data by emailing support@samuai.dev.
Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and data
- Export your scan history
To exercise any of these rights, contact us at support@samuai.dev.
Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us and we will promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top of this page reflects the most recent revision.
Contact
If you have questions about this Privacy Policy, contact us at support@samuai.dev.