Privacy Policy for Script Sentinel

Last Updated:

This Privacy Policy explains how Script Sentinel processes information across our public website, free CSP scanner, Script Sentinel Premium monitoring product, and Chrome extension. The extension-specific policy is preserved below, and the newer premium monitoring and billing flows are covered in additional sections.

1. Scope

Script Sentinel provides a free CSP scanner and generator, a paid premium CSP drift monitoring service, and a Chrome extension that can initiate scans against the backend.

This policy covers how we process information when you use those products, sign in to a premium account, monitor a site, purchase a plan, receive product emails, or visit pages on our website.

2. Chrome Extension Privacy

The Script Sentinel extension is designed to be privacy-first. We do not use it to build advertising profiles, track your browsing history in the background, or sell extension user data.

The extension processes information only when you explicitly trigger a scan, such as by clicking Generate CSP or New Scan.

2.1 Active Tab URL

When you start a scan from the extension, it sends the URL of the active tab to our backend at https://script-sentinel.com so our scan service can analyze the page and generate a recommended Content Security Policy.

2.2 Scan Results

The generated policy and related scan output are returned to the extension so they can be displayed to you.

2.3 Local Extension Storage

The extension uses chrome.storage.local to save your 5 most recent scans on your device. That local extension history is not synced by us to another device and is not stored in our premium Postgres database.

3. Website Scanner and Public Service

When you use the public scanner on our website, we process the URL you submit, run a server-side browser scan, and generate scan artifacts such as the discovered origin, scanned pages, resource URLs, warnings, directives, a recommended CSP, and related score output. For some public scans, the artifact may also include a page snapshot used in the UI.

Because Script Sentinel performs a real browser scan, the website you ask us to scan and the resources that site loads may receive requests from our scanning infrastructure as part of the scan. If you do not want a site to receive such a request from Script Sentinel, do not submit that URL for scanning.

3.1 Anonymous Session Data

Public scan results are stored in temporary in-memory session state so the scanner UI, downloads, and live CSP editor continue to work during your session. That anonymous session state is separate from premium account storage and is not written to the premium monitoring database.

3.2 Technical Logs

Like most web services, we may process technical request data such as IP address, request metadata, and scan or monitor URLs in application logs for security, abuse prevention, debugging, reliability, and operational monitoring.

4. Premium Accounts and Monitoring

Script Sentinel Premium adds authenticated dashboards, recurring monitoring, run history, alerts, billing status, and site ownership verification. To operate those features, we store additional account and monitoring data.

4.1 Account and Sign-In Data

When you sign in to Premium, we process your email address, one-time magic-link records, auth session records, login timestamps, and the signed session cookie needed to keep you authenticated in the dashboard.

4.2 Site and Verification Data

When you add a monitored site, we store the site name, start URL, origin, selected scan options, verification token details, verification path, and verification timestamps so we can confirm ownership and operate recurring scans.

4.3 Monitor Runs and Drift History

Premium monitoring stores run history and review data, including generated CSP lines, directives, warnings, status, timestamps, raw scan artifact data, drift diffs, baseline acceptance state, and manual scan activation records. This is what powers the dashboard, drift comparison views, exports, and alerting.

4.4 Site Removal

If you remove a monitored site from the dashboard, the associated monitoring records for that site are deleted from the premium monitoring store as part of that removal flow.

5. Billing and Transactional Email

5.1 Stripe Billing

Paid subscriptions use Stripe for checkout, subscription management, billing portal access, and webhook-driven subscription updates. We store subscription-related records such as plan, status, current period end, cancel state, Stripe customer identifiers, Stripe subscription identifiers, checkout session references, and Stripe webhook payloads needed to reconcile billing state.

Payment card details are collected and handled by Stripe; Script Sentinel does not store them in our application database.

5.2 Transactional Email

We use transactional email for magic-link sign-in, verification confirmations, drift alerts, monitor failure notices, and degraded monitor notices. We store email delivery records such as recipient address, subject, message kind, provider message ID, delivery status, event timestamps, and provider error details when available.

6. Cookies and Local Storage

Script Sentinel uses essential cookies to operate the service. The public website uses an ss_session cookie to maintain anonymous session state for scan results. Premium uses an ss_auth cookie to keep signed-in users authenticated.

These cookies support core product behavior rather than advertising. We do not currently use first-party analytics cookies or ad-tech cookies on the site.

The Chrome extension separately stores recent scans in chrome.storage.local on your device as described above.

7. Third-Party Services and Sharing

We do not sell your personal information or sell scan history. We share information only as needed to operate the service, process subscriptions, deliver product email, host the application, or comply with legal obligations.

Relevant service providers and recipients include:

  • our hosting and database providers that run Script Sentinel Premium infrastructure;
  • Stripe, for subscription checkout, billing portal actions, and billing webhooks;
  • Resend, for transactional email delivery and delivery event reporting;
  • the websites and resources your requested scan loads, because our scanner must request them to analyze CSP behavior;
  • certain site asset providers used by our own website, such as Google Fonts and the CDN that serves HTMX, which your browser requests directly when you visit Script Sentinel.

8. Retention

Anonymous public scan session data is temporary and is pruned from in-memory session storage after inactivity. Premium run history is retained according to the active plan's history window, which is currently shorter on Hobby and longer on Developer. Time-limited sign-in artifacts such as magic links and auth sessions expire according to their configured expiration windows.

We may retain account, billing, email delivery, webhook, security, and operational records for longer when reasonably necessary to run the service, investigate abuse, resolve disputes, or comply with legal obligations.

9. Your Choices

You can use the public scanner without creating an account, decide whether to upgrade to Premium, remove monitored sites from the dashboard, or contact us with privacy-related questions. If you need help with an account or data request, please reach out through the Contact page.

If we materially change this Privacy Policy, we will update the date shown above and publish the revised policy on this page.