Privacy Policy for Script Sentinel
Last Updated:
This Privacy Policy explains how Script Sentinel processes information across our public website, free CSP scanner, Script Sentinel Premium monitoring product, and Chrome and Firefox browser extensions. The extension-specific policy is preserved below, and the newer premium monitoring and billing flows are covered in additional sections.
1. Scope
Script Sentinel provides a free CSP scanner and generator, a paid premium CSP drift monitoring service, and browser extensions that can initiate scans against the backend.
This policy covers how we process information when you use those products, sign in to a premium account, monitor a site, purchase a plan, receive product emails, or visit pages on our website.
2. Browser Extension Privacy
The Script Sentinel browser extensions are designed to be privacy-first. We do not use them to build advertising profiles, track your browsing history in the background, or sell extension user data.
The extensions process information only when you explicitly trigger a scan by clicking Generate CSP. They do not collect your browsing history in the background.
2.1 Active Tab URL
When you start a scan from an extension, it sends the URL of the active tab, selected scan depth, and selected scan options to our backend at https://script-sentinel.com so our scan service can analyze the page and generate a recommended Content Security Policy.
2.2 Scan Results
The generated policy and related scan output are returned to the extension as scan results so they can be displayed to you. Extension scans use the public scanner path and are not written to the premium monitoring database.
2.3 Local Extension Storage
The extensions can use browser extension-local storage to save your 5 most recent scans on your device. You can disable local history or clear it from the extension UI. That local extension history is not synced by us to another device and is not stored in our premium Postgres database.
3. Website Scanner and Public Service
When you use the public scanner on our website, we process the URL you submit, run a server-side browser scan, and generate scan artifacts such as the discovered origin, scanned pages, resource URLs, warnings, directives, a recommended CSP, and related score output. For some public scans, the artifact may also include a page snapshot used in the UI.
Because Script Sentinel loads pages in a server-side Chrome browser, the website you ask us to scan and the resources that site loads may receive requests from our scanning infrastructure as part of the scan. If you do not want a site to receive such a request from Script Sentinel, do not submit that URL for scanning.
3.1 Anonymous Session Data
Public scan results are stored in temporary in-memory session state so the scanner UI, downloads, and live CSP editor continue to work during your session. That anonymous session state is separate from premium account storage and is not written to the premium monitoring database.
3.2 Technical Logs
Like most web services, we may process technical request data such as IP address, request metadata, and redacted scan or monitor URLs in application logs for security, abuse prevention, debugging, reliability, and operational monitoring. Query strings and fragments are removed from logged scan and monitor targets.
5. Billing and Transactional Email
5.1 Stripe Billing
Paid subscriptions use Stripe for checkout, subscription management, billing portal access, and webhook-driven subscription updates. We store subscription-related records such as plan, status, current period end, cancel state, Stripe customer identifiers, Stripe subscription identifiers, checkout session references, and Stripe webhook payloads needed to reconcile billing state.
Payment card details are handled by Stripe, not stored directly by Script Sentinel in our application database.
5.2 Transactional Email
We use transactional email for contact email verification codes, site verification confirmations, drift alerts, monitor failure notices, and degraded monitor notices. We store email delivery records such as recipient address, subject, message kind, provider message ID, delivery status, event timestamps, and provider error details when available.
8. Retention
Anonymous public scan session data is temporary and is pruned from in-memory session storage after inactivity. Premium run history is retained according to the active plan's history window, which is currently shorter on Hobby and longer on Developer. Time-limited sign-in and verification artifacts such as OAuth attempts, contact email verification codes, and auth sessions are treated according to their configured expiration windows.
We may retain account, billing, email delivery, webhook, security, and operational records for longer when reasonably necessary to run the service, investigate abuse, resolve disputes, or comply with legal obligations.
9. Your Choices
You can use the public scanner without creating an account, decide whether to upgrade to Premium, remove monitored sites from the dashboard, or contact us with privacy-related questions. If you need help with an account or data request, please reach out through the Contact page.