Privacy Policy for Script Sentinel

Last Updated:

This Privacy Policy explains how Script Sentinel processes information across our public website, free CSP scanner, Script Sentinel Premium monitoring product, and Chrome and Firefox browser extensions. The extension-specific policy is preserved below, and the newer premium monitoring and billing flows are covered in additional sections.

1. Scope

Script Sentinel provides a free CSP scanner and generator, a paid premium CSP drift monitoring service, and browser extensions that can initiate scans against the backend.

This policy covers how we process information when you use those products, sign in to a premium account, monitor a site, purchase a plan, receive product emails, or visit pages on our website.

2. Browser Extension Privacy

The Script Sentinel browser extensions are designed to be privacy-first. We do not use them to build advertising profiles, track your browsing history in the background, or sell extension user data.

The extensions process information only when you explicitly trigger a scan by clicking Generate CSP. They do not collect your browsing history in the background.

2.1 Active Tab URL

When you start a scan from an extension, it sends the URL of the active tab, selected scan depth, and selected scan options to our backend at https://script-sentinel.com so our scan service can analyze the page and generate a recommended Content Security Policy.

2.2 Scan Results

The generated policy and related scan output are returned to the extension as scan results so they can be displayed to you. Extension scans use the public scanner path and are not written to the premium monitoring database.

2.3 Local Extension Storage

The extensions can use browser extension-local storage to save your 5 most recent scans on your device. You can disable local history or clear it from the extension UI. That local extension history is not synced by us to another device and is not stored in our premium Postgres database.

3. Website Scanner and Public Service

When you use the public scanner on our website, we process the URL you submit, run a server-side browser scan, and generate scan artifacts such as the discovered origin, scanned pages, resource URLs, warnings, directives, a recommended CSP, and related score output. For some public scans, the artifact may also include a page snapshot used in the UI.

Because Script Sentinel loads pages in a server-side Chrome browser, the website you ask us to scan and the resources that site loads may receive requests from our scanning infrastructure as part of the scan. If you do not want a site to receive such a request from Script Sentinel, do not submit that URL for scanning.

3.1 Anonymous Session Data

Public scan results are stored in temporary in-memory session state so the scanner UI, downloads, and live CSP editor continue to work during your session. That anonymous session state is separate from premium account storage and is not written to the premium monitoring database.

3.2 Technical Logs

Like most web services, we may process technical request data such as IP address, request metadata, and redacted scan or monitor URLs in application logs for security, abuse prevention, debugging, reliability, and operational monitoring. Query strings and fragments are removed from logged scan and monitor targets.

4. Premium Accounts and Monitoring

Script Sentinel Premium adds authenticated dashboards, recurring monitoring, run history, alerts, billing status, and site ownership verification. To operate those features, we store additional account and monitoring data.

4.1 Account and Sign-In Data

When you sign in to Premium, we process your Google or GitHub provider identity, trusted provider email, optional verified contact email, OAuth sign-in attempt records, auth session records, login timestamps, and the signed session cookie needed to keep you authenticated in the dashboard.

4.2 Site and Verification Data

When you add a monitored site, we store the site name, start URL, origin, selected scan options, verification token details, verification path, and verification timestamps so we can confirm ownership and operate recurring scans.

4.3 Monitor Runs and Drift History

Premium monitoring stores run history and review data, including generated CSP lines, directives, warnings, status, timestamps, raw scan artifact data, drift diffs, baseline acceptance state, and manual scan activation records. This is what powers the dashboard, drift comparison views, exports, and alerting.

4.4 Site Removal

If you remove a monitored site from the dashboard, the associated monitoring records for that site are deleted from the premium monitoring store as part of that removal flow.

5. Billing and Transactional Email

5.1 Stripe Billing

Paid subscriptions use Stripe for checkout, subscription management, billing portal access, and webhook-driven subscription updates. We store subscription-related records such as plan, status, current period end, cancel state, Stripe customer identifiers, Stripe subscription identifiers, checkout session references, and Stripe webhook payloads needed to reconcile billing state.

Payment card details are handled by Stripe, not stored directly by Script Sentinel in our application database.

5.2 Transactional Email

We use transactional email for contact email verification codes, site verification confirmations, drift alerts, monitor failure notices, and degraded monitor notices. We store email delivery records such as recipient address, subject, message kind, provider message ID, delivery status, event timestamps, and provider error details when available.

6. Cookies and Local Storage

Script Sentinel uses essential cookies to operate the service. On HTTPS, the public website uses __Host-ss_session for anonymous session state and Premium uses __Host-ss_auth for authentication. Localhost development uses the legacy ss_session and ss_auth names.

These cookies support core product behavior rather than advertising. We do not currently use first-party analytics cookies or ad-tech cookies on the site.

The browser extensions separately store recent scans in extension-local storage on your device as described above.

7. Third-Party Services and Sharing

We do not sell your personal information or sell scan history. We share information only as needed to operate the service, process subscriptions, deliver product email, host the application, or comply with legal obligations.

Relevant service providers and recipients include:

  • our hosting and database providers that run Script Sentinel Premium infrastructure;
  • Stripe, for subscription checkout, billing portal actions, and billing webhooks;
  • Resend, for transactional email delivery and delivery event reporting;
  • the websites and resources your requested scan loads, because our scanner must request them to analyze CSP behavior.

8. Retention

Anonymous public scan session data is temporary and is pruned from in-memory session storage after inactivity. Premium run history is retained according to the active plan's history window, which is currently shorter on Hobby and longer on Developer. Time-limited sign-in and verification artifacts such as OAuth attempts, contact email verification codes, and auth sessions are treated according to their configured expiration windows.

We may retain account, billing, email delivery, webhook, security, and operational records for longer when reasonably necessary to run the service, investigate abuse, resolve disputes, or comply with legal obligations.

9. Your Choices

You can use the public scanner without creating an account, decide whether to upgrade to Premium, remove monitored sites from the dashboard, or contact us with privacy-related questions. If you need help with an account or data request, please reach out through the Contact page.

If we materially change this Privacy Policy, we will update the date shown above and publish the revised policy on this page.