Privacy Transparency Report
We believe you deserve to know exactly what a security tool does with your data — especially one that runs on every website you visit. This page is our commitment to full transparency. If anything here is unclear, email us at privacy@cyberxrai.com.
Last updated: March 29, 2026
| Data | Leaves Device? | Format / Notes | Stored Where | Retention | Shared? |
|---|---|---|---|---|---|
| Full URLs | Never | — | — | — | Never |
| Hash prefixes (8 hex chars of SHA-256) | Yes | Partial hash only — original URL mathematically unrecoverable | Our servers | 24 hours | Never |
| Browsing history | Never | — | — | — | Never |
| Form contents / passwords | Never | — | — | — | Never |
| Threat event logs | Yes | Anonymized — no URL, no identity, only threat type + timestamp | Our servers (AWS DynamoDB) | 90 days | Never |
| Device ID | Yes | Random UUID generated at install — not linked to your identity | Our servers | Account lifetime | Never |
| Telemetry (optional) | Yes | Aggregate counts only — e.g. '12 threats blocked this week' with differential privacy noise | Our servers | Aggregated, never individual | Never |
Why we need hash prefixes
To check whether a URL is on a threat database, we use the same k-anonymity model as Google Safe Browsing. We compute a SHA-256 hash of the URL, take only the first 8 hex characters (32 bits), and send that prefix to our backend. Our server returns all known threat hashes that match that prefix. Your device then checks locally whether the full hash matches any returned threat. The original URL is never sent — and with only 8 hex characters, it is mathematically impossible to reconstruct the URL from the prefix.
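The lookup described above, as an added example that is not the extension's own code: the client sends only the 8-character prefix, the server returns every full threat hash under that prefix, and the final comparison happens on the device. It assumes the URL is hashed as a plain UTF-8 string with no canonicalization; the function names, the in-memory index standing in for the backend, and the sample URLs are all hypothetical.

```python
import hashlib

PREFIX_HEX_CHARS = 8  # 32 bits, the prefix length stated on this page


def full_hash(url: str) -> str:
    """Hex SHA-256 of the URL string (assumption: hashed as-is, UTF-8)."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def build_index(threat_hashes):
    """Server side: group full threat hashes by their 8-hex-char prefix."""
    index = {}
    for h in threat_hashes:
        index.setdefault(h[:PREFIX_HEX_CHARS], set()).add(h)
    return index


def server_lookup(index, prefix: str):
    """Server side: the prefix is the only input; anything else is rejected."""
    if len(prefix) != PREFIX_HEX_CHARS or any(c not in "0123456789abcdef" for c in prefix):
        raise ValueError("prefix must be exactly 8 lowercase hex characters")
    return sorted(index.get(prefix, ()))


def client_check(url: str, lookup) -> bool:
    """Client side: send only the prefix, then match the full hash locally."""
    h = full_hash(url)
    return h in lookup(h[:PREFIX_HEX_CHARS])


# Constructed sample data (hypothetical URLs, not real indicators).
BAD_URL = "https://phish.example/login"
BENIGN_URL = "https://shop.example/cart"
# Constructed threat entry that shares BENIGN_URL's prefix but not its full hash,
# so the prefix lookup hits while the local full-hash comparison misses.
DECOY = full_hash(BENIGN_URL)[:PREFIX_HEX_CHARS] + "0" * 56
INDEX = build_index([full_hash(BAD_URL), DECOY])


def demo():
    seen = []  # everything the server receives during the run

    def lookup(prefix):
        seen.append(prefix)
        return server_lookup(INDEX, prefix)

    urls = (BAD_URL, BENIGN_URL, "https://news.example/")
    return {u: client_check(u, lookup) for u in urls}, seen
```

The `DECOY` entry is the case the local step exists for: a prefix hit alone does not mean the URL is a threat, so the verdict must come from the full-hash comparison on the device.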
What “anonymized threat logs” means
When a threat is detected, we log the threat type (e.g. “phishing” or “malicious script”) and a timestamp. We do NOT log the URL where the threat was found. We do NOT log your device identity. We do NOT log any page content. The logs exist so we can improve detection accuracy over time using aggregate patterns.
Optional telemetry
Telemetry is off by default. If you opt in, we collect aggregate counts (e.g. how many threats were blocked in a week) with differential privacy noise applied to prevent re-identification. You can toggle telemetry off at any time in extension settings.
Your rights
- Request deletion of all data associated with your device ID
- Opt out of telemetry at any time from extension settings
- Uninstall the extension — all local data is deleted automatically
- GDPR: data access, correction, portability, and erasure
- CCPA: do not sell (we never sell data), right to know, right to delete
To exercise any of these rights, email privacy@cyberxrai.com.