Privacy Policy
Summary
Verifeye is a Chrome extension that detects phishing emails in Gmail. All phishing analysis runs locally on your device. We operate no servers, transmit no data to ourselves, and do not sell, share, or rent any user data to any third party. Two cloud features (Gmail API and AI Reasoner) are off by default and, when you enable them, send data directly from your browser to the chosen provider, never through us.
1. Information We Collect
Verifeye collects the following categories of information, locally on your device only, for the purpose of detecting phishing emails:
1.1 Personal communications
When you open an email in Gmail, the extension reads the email's
sender address, sender display name, subject line, body text,
and any hyperlinks or attachment names visible in the email.
This is required to analyze the email for phishing indicators.
The content is read into memory in your browser, analyzed, and
discarded when analysis completes. A short fingerprint of the
body (used to detect repeated templates from the same sender)
and a record of the verdict are stored locally in
chrome.storage.local.
1.2 Authentication information
If you click Connect Gmail in the extension popup,
Verifeye obtains a Google OAuth 2.0 token with the
gmail.readonly scope, managed by Chrome's
chrome.identity API. The token is held by Chrome,
not by us. Verifeye uses the token to make Gmail API calls
directly from your browser. This step is entirely optional;
the extension functions in a reduced mode without it.
1.3 Website content
The Verifeye content script runs only on pages matching
*://mail.google.com/*. On those pages it reads
the DOM of the email currently displayed (sender, subject,
body, links). It does not interact with any other website.
1.4 API keys you provide
If you paste a Google Safe Browsing API key, an OpenAI API key,
or an Anthropic API key into the extension's Settings page,
those keys are stored locally in
chrome.storage.local and used to authenticate
calls from your browser to the corresponding service. We
never see these keys.
1.5 Information we do NOT collect
Verifeye does not collect: personally identifiable information such as your name, address, phone number, or government IDs; health information; financial information; location or GPS data; web browsing history; mouse, keystroke, or click telemetry; or any analytics or usage metrics.
2. How We Use Information
All collected information is used solely to provide the extension's single declared purpose: detecting phishing emails in Gmail and showing you an explainable verdict. Specifically:
- Email content is analyzed by detection rules running locally in the browser.
- The sender ledger remembers which senders you've corresponded with so the extension can warn you about first-contact senders and recognize sender-impersonation.
- Recent verdicts are recorded so the extension's dashboard can show charts and a threat list.
- API keys, when provided, are used only as authentication headers on calls to the corresponding third-party service.
Verifeye does not use any collected data for advertising, profiling, behavioral targeting, training machine learning models, or any purpose unrelated to phishing detection.
3. How We Share Information
Verifeye does not share, sell, rent, trade, or otherwise transfer any user data to any third party for any purpose. We are not part of any data broker network. We operate no servers, so we have no data to share even if we wanted to.
The three optional cloud features below send data directly from your browser to the named provider, using HTTPS. None of these calls route through any Verifeye-owned infrastructure:
3.1 Gmail API (optional, off by default)
If you have clicked Connect Gmail, Verifeye
makes read-only Gmail API calls from your browser to
gmail.googleapis.com to fetch full email headers
and body content for analysis. The
Google Privacy Policy
applies to that data once it reaches Google.
3.2 Google Safe Browsing API (optional, off by default)
If you have provided a Google Safe Browsing API key in Settings,
Verifeye sends the URLs found in an analyzed email to
safebrowsing.googleapis.com to check whether
Google considers them malicious. Only URLs are transmitted —
never email content, sender addresses, subjects, or any other
personal information.
3.3 AI Reasoner API (optional, off by default)
If you have selected OpenAI or
Anthropic as the AI Reasoner provider and
pasted an API key, Verifeye may send the sender address,
subject line, the first 2,000 characters of body text, and
the list of links from an analyzed email to either
api.openai.com or
api.anthropic.com for a final classification.
Each provider's privacy policy governs that data once it
reaches them:
OpenAI Privacy Policy |
Anthropic Privacy Policy.
4. Data Retention
All Verifeye data is retained only on your device,
in chrome.storage.local, for as long as you keep the
extension installed. There is no remote retention because we
operate no servers and never receive your data.
Specific local retention policies:
- Sender ledger entries: kept indefinitely while the extension is installed, or until you clear them in Settings → Storage → Clear all sender history.
- Body fingerprints: only the three most recent fingerprints per sender are stored; older ones are automatically discarded.
- Detection log: the 500 most recent verdicts are stored; older ones are automatically rotated out.
- OAuth token: managed by Chrome's chrome.identity manager; revoked instantly when you click Disconnect in the popup or remove the extension.
- API keys: retained until you explicitly clear them in Settings or uninstall the extension.
5. Data Security
Because Verifeye operates entirely on-device, the security of your data depends primarily on the security of your local computer and your Chrome browser profile. We follow these practices to minimize risk:
- All third-party API calls use HTTPS / TLS.
- API keys and tokens are stored in chrome.storage.local, scoped to the Verifeye extension only. Other extensions cannot read them.
- The OAuth token is managed by Chrome's identity API, not by Verifeye code directly.
- Verifeye does not execute any remote code. Every script that runs in the extension is bundled into the extension package and reviewed by the Chrome Web Store.
- Verifeye does not modify, delete, or send any email. The Gmail API scope used is strictly read-only.
6. Your Choices and Rights
6.1 Disabling cloud features
Each optional cloud feature can be disabled at any time in the extension's Settings page. After disabling, no further data will be sent to that provider:
- Gmail API: click Disconnect in the extension popup. This immediately revokes Verifeye's cached OAuth token.
- Safe Browsing: click Clear next to the Safe Browsing key field in Settings.
- AI Reasoner: set provider to None in Settings, or click Clear next to the API key field.
6.2 Deleting all local data
To delete every piece of data Verifeye has stored on your device:
- Open chrome://extensions in Chrome.
- Find the Verifeye card and click Remove.
- Chrome will wipe Verifeye's chrome.storage.local entries automatically.
To revoke the Gmail OAuth grant separately, visit myaccount.google.com/permissions, find Verifeye in the list, and click Remove Access.
6.3 Exporting your data
Settings → Storage → Export ledger as JSON downloads the complete sender ledger as a JSON file you can keep, inspect, or import elsewhere.
7. International Data Transfers
Verifeye itself does not transfer your data internationally because Verifeye does not receive your data at all. If you enable optional cloud features, the data flow is governed by the international transfer policies of the named providers: Google (Gmail API, Safe Browsing), OpenAI, and Anthropic. Review each provider's privacy policy for details on where their infrastructure is located.
8. Children's Privacy
Verifeye is not directed at children under the age of 13. We do not knowingly collect data from anyone under 13 (in fact, we do not knowingly collect data from anyone, since we operate no servers). The extension is intended for adult Gmail users.
9. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will also be noted in the Chrome Web Store listing's changelog. Continued use of Verifeye after a policy change constitutes acceptance of the revised policy.
10. Compliance with the Chrome Web Store Developer Program Policies
Verifeye's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Verifeye uses the requested OAuth scope (gmail.readonly) only to provide the user-facing phishing-detection feature.
- Verifeye does not transfer the data to any third party except as necessary to provide that feature (which in our case is "no third party at all", since detection runs locally).
- Verifeye does not use the data for serving advertisements.
- Verifeye does not allow humans to read the data, except (a) with the user's explicit consent for specific messages, (b) for security purposes, (c) to comply with law, or (d) as needed for operations in aggregated, anonymized form for internal operations — none of which apply, since we operate no servers and the data never leaves the user's device.
11. Contact Information
For privacy questions, data deletion requests, or any other inquiries about this policy:
- Email: nemmikantivignesh17@gmail.com
- Website: verifeye-website.vercel.app
- Chrome Web Store listing: Verifeye (item ID: ejeomenkippkpaepkobknjkadfimbpnn)
12. Permissions Used by the Extension
Each permission Verifeye requests, and the reason:
- storage — to keep your sender ledger, settings, recent verdicts, and any API keys you've provided in local browser storage on your device.
- identity — used only if you click Connect Gmail in the popup, to obtain a Gmail OAuth 2.0 token via Chrome's standard consent flow.
- Host permission *://mail.google.com/* — to allow the content script to read the email currently open in Gmail for analysis.
- Host permission https://gmail.googleapis.com/* — used only in opt-in Gmail API mode, to call the Gmail API directly from your browser.
- Host permission https://safebrowsing.googleapis.com/* — used only when you have provided a Safe Browsing API key, to check link reputation directly from your browser.
Verifeye does not request any other permissions. The extension is incapable of accessing, modifying, sending, or deleting your email beyond reading the currently-open message for analysis.