Last Updated: April 20, 2026

MainWP Chrome Extension Privacy Policy

Explore the privacy policy for the MainWP Chrome Extension. Learn how the extension handles data in your browser, what information it accesses, and how we ensure your privacy while using it.

Introduction

MainWP (“we,” “our,” or “us”) respects your privacy. This Privacy Policy explains how the MainWP Browser Extension (“Extension”) handles your information. The Extension was built with privacy as a core design principle. The network traffic the Extension itself generates goes only to the MainWP Dashboard you configure. Nothing is sent to MainWP, analytics services, telemetry endpoints, or any other remote server the Extension contacts directly. There is one platform-level routing to be aware of: when you are signed into Chrome with Sync enabled, Chrome routes the non-sensitive values the Extension places in chrome.storage.sync through Google’s sync infrastructure so they follow you across devices. The sections below describe exactly what is stored there and what it transmits.

What Data the Extension Handles

The Extension stores the following data in your browser:

  1. Dashboard URL: the URL of your MainWP Dashboard
  2. API Credentials: a Bearer token (for Dashboard 5.2+) or Consumer Key + Secret (legacy Dashboard versions), stored only in Chrome local storage
  3. Sync Preferences: which update types you want to monitor (plugins, themes, WordPress core, translations, non-MainWP changes)
  4. Sync Frequency: how often the Extension polls your Dashboard
  5. Currency Preference: the currency used for the Cost Tracker display
  6. Update Counts: cached counts of available updates fetched from your Dashboard
  7. Timer State: when using Time Tracker, the active task name, elapsed time, and related timestamps
  8. Cost Data Cache: site costs, license details, and expiration dates from Cost Tracker
  9. Availability Caches: whether Time Tracker and Cost Tracker are installed on your Dashboard (refreshed every 24 hours)
  10. Dashboard Version Cache: which API version your Dashboard supports (refreshed every 24 hours)

How Data Enters the Extension

  • Settings you enter: you provide the Dashboard URL and authentication token through the Extension’s settings page.
  • Data fetched from your Dashboard: the Extension periodically calls the REST API of the Dashboard URL you specified to retrieve update counts, site information, cost data, and task lists.
  • Data generated locally: timer elapsed time, cache timestamps, and badge display values are computed inside the Extension.

The Extension never collects data from any other source. It only communicates with the Dashboard URL you configured.

Where Data Is Stored

Your data lives in two places within Chrome’s secure extension storage:

  • Chrome Sync Storage (chrome.storage.sync): holds a small set of non-sensitive values. The settings object contains the Dashboard URL, the detected API version, which update types to monitor, check frequency, currency preference, data-saving mode, chosen theme, notification preferences, and similar display and behavior preferences. A separate sync_updates entry holds cached counts of available updates fetched from your Dashboard, and last_updated records the timestamp of the most recent sync. When you are signed into Chrome with Sync turned on, Chrome routes these values through Google’s sync infrastructure so the same state follows you to any other Chrome browser where you are signed into the same Google account. Google’s handling of Chrome Sync data is governed by Google’s own privacy terms. No credentials are ever placed in sync storage. Disabling Chrome Sync for extensions in Chrome’s own settings prevents any of this data from leaving the device.
  • Chrome Local Storage (chrome.storage.local): sensitive data stays on the current device only. This includes API credentials, timer state, cost data cache, and availability caches. None of this is synced across devices.

Chrome encrypts sync data in transit. At-rest protection for local storage depends on whether you have enabled full-disk encryption on your operating system (for example FileVault on macOS, BitLocker on Windows, or LUKS on Linux); the Extension itself does not guarantee at-rest encryption. We do not add a second encryption layer inside the Extension because any key material would have to live in the same local storage tier it was protecting.

How Data Is Used

  • API Communication: connect to your MainWP Dashboard via REST API to retrieve information
  • Update Monitoring: display available WordPress updates and non-MainWP changes
  • Time Tracking: start, pause, and stop timers for tasks on your Dashboard (requires the Time Tracker Dashboard extension)
  • Cost Monitoring: display cost summaries and warn about expiring licenses (requires the Cost Tracker Dashboard extension)
  • Notifications: show desktop notifications for new updates or expiring licenses
  • Badge Display: show update counts or active timer duration on the Extension icon

Data Transmission

  • HTTPS only: every API request uses HTTPS, including requests to localhost, 127.0.0.1, and RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The Extension never permits plain HTTP. Hostnames inside those local ranges are exempt from a separate public-TLD check so developers can point the Extension at a local Dashboard, and the HTTPS requirement still applies to them.
  • Your Dashboard only: data flows only to the Dashboard URL you configured.
  • No third-party sharing in Extension traffic: the Extension’s own HTTP requests go only to the Dashboard URL you configured. Nothing is sent to MainWP servers, analytics services, CDNs, or any other remote endpoint the Extension contacts directly. The one exception described under Where Data Is Stored is Chrome Sync: values the Extension writes to chrome.storage.sync are handled by Chrome itself and may transit Google’s sync infrastructure when Chrome Sync is enabled.
  • No analytics or telemetry: the Extension does not collect usage analytics, telemetry, crash reports, or tracking data.

Data Retention and Deletion

  • Until you clear it: data persists until you use the “Clear All Data” button in settings or uninstall the Extension.
  • On uninstall: Chrome automatically clears both chrome.storage.local and chrome.storage.sync for the Extension. Credentials and caches are removed with the Extension.
  • Revoking server-side access: Chrome wipes all local Extension data at uninstall, yet any bearer token or API key your Dashboard issued remains valid on the server until you revoke it. Delete the key under Settings → REST API in your MainWP Dashboard after uninstalling to close off API access completely.
  • Cache expiration: version and availability caches automatically refresh every 24 hours.

Your Rights and Control

  • Access: view all stored data in the Extension’s settings page
  • Modification: change settings, credentials, or preferences at any time
  • Deletion: use “Clear All Data” in settings or uninstall the Extension
  • Data Portability: view and copy settings from the settings page

Permissions Explained

Storage

Store your settings, credentials, cached update counts, timer state, and cost data locally.

Alarms

Schedule periodic background sync operations and timer display refreshes. No data is accessed; the permission is used purely for timing.

Notifications

Show desktop notifications when new updates are available or licenses are expiring. Notification content comes from your Dashboard’s own data.

Optional Host Permissions

The Extension requests host permission for your Dashboard URL only, and only after you save your Dashboard URL in settings. This permission is never granted at install time.

Security Measures

  1. HTTPS enforcement: HTTPS is required for every Dashboard request. The localhost and private-IP exemption discussed under Data Transmission only waives the public-TLD hostname check; it never permits HTTP.
  2. Bearer token authentication: the v2 API (Dashboard 5.2+) uses Bearer tokens in standard HTTP Authorization headers.
  3. Legacy credentials: Dashboard versions below 5.2 use Consumer Key + Consumer Secret, combined into a Bearer token.
  4. Local-only credential storage: credentials live in chrome.storage.local and never enter sync storage.
  5. Credential redaction in logs: sensitive values are automatically stripped from all console output by pattern matching against tokens, keys, secrets, JWTs, session IDs, and similar identifiers.
  6. Production logging disabled: the Extension detects Chrome Web Store builds and suppresses all development logging output.
  7. Input validation: user entries, API responses, storage values, and inter-component messages are validated and sanitized before use.
  8. Sender authentication: the Extension’s background worker verifies that every message originates from the Extension itself before processing it.
  9. Content Security Policy: the Extension uses a strict CSP (script-src 'self'; object-src 'self') that blocks inline scripts and external code execution.
  10. Permission minimization: the Extension requests only three core permissions (storage, alarms, notifications) at install time. Host permissions are requested dynamically, scoped to the Dashboard URL you enter.
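
The URL rule described under Data Transmission and in item 1 above, sketched as an added example (not the Extension's own code). The function names and the simplified public-TLD test are assumptions made for illustration; only the rule itself (HTTPS always, local ranges exempt from the public-TLD check) comes from this policy.

```javascript
// Added illustration; not MainWP's code. All names here are hypothetical.

// True for localhost, 127.0.0.1 and RFC 1918 IPv4 literals
// (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
function isLocalHost(hostname) {
  if (hostname === 'localhost' || hostname === '127.0.0.1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((octet) => octet > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Assumed stand-in for the "public-TLD check": the hostname must contain a
// dot and end in an alphabetic label of two or more characters.
function hasPublicTld(hostname) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i.test(hostname);
}

function validateDashboardUrl(input) {
  let url;
  try {
    // Parse first: the URL parser lowercases the host and canonicalizes
    // IPv4 spellings such as 0x7f.0.0.1 before any range check runs.
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // The scheme check comes before the local exemption, so no host gets HTTP.
  if (url.protocol !== 'https:') return { ok: false, reason: 'https-required' };
  if (isLocalHost(url.hostname)) return { ok: true, origin: url.origin, local: true };
  if (!hasPublicTld(url.hostname)) return { ok: false, reason: 'no-public-tld' };
  return { ok: true, origin: url.origin, local: false };
}

// Constructed sample inputs.
const SAMPLES = [
  'https://dashboard.example.com/wp-admin/',
  'http://localhost/',
  'https://192.168.1.10:8443/',
  'https://172.32.0.1/',
  'https://intranet/',
];
for (const s of SAMPLES) console.log(s, JSON.stringify(validateDashboardUrl(s)));
```

The order of the checks is the point: the local-range exemption is consulted only after the scheme has been accepted, which is why http://localhost/ is still rejected.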

Third-Party Services

The Extension does not call any third-party services directly. No analytics, no advertising, no external APIs, no social integrations, no data collection services. Every library the Extension uses (fonts, icons, notifications) is bundled locally, so nothing loads from external CDNs.

One platform dependency sits outside this boundary. Chrome’s built-in Sync service, when you have it enabled, routes data from chrome.storage.sync through Google’s sync infrastructure so that your non-sensitive settings and cached update counts follow you across devices. This is a Chrome platform capability the Extension opts into by using the standard sync storage API. MainWP does not run this service, transmit data to it on your behalf, or control what Chrome does with sync storage behind the scenes. Disabling Chrome Sync in Chrome’s own settings stops this routing entirely.

Children’s Privacy

The Extension is not directed at children under 13. We do not knowingly collect personal information from children under 13.

Compliance

This Extension is built with GDPR, CCPA, and Chrome Web Store Developer Program Policies in mind. The statements below describe our intent and current practices; specific legal determinations (such as controller/processor designations and statutory applicability) should be confirmed with qualified legal counsel for your jurisdiction.

Legal Basis for Processing (GDPR)

Processing is based on your consent, expressed by installing the Extension, entering your Dashboard URL and credentials, and configuring sync preferences. You can withdraw consent at any time by clearing Extension data or uninstalling the Extension.

Data Controller

MainWP generally acts as the data controller for data processed by this Extension, subject to confirmation by legal counsel for your jurisdiction.

Data Processors

MainWP does not engage any processors or sub-processors for your Extension data. The computation the Extension performs (syncing with your Dashboard, calculating timer elapsed time, formatting badge values, and so on) runs locally inside your browser. Chrome Sync, when you have it enabled, is a Chrome platform feature under Google’s own terms, and Chrome itself performs the sync routing using the standard chrome.storage.sync API without MainWP directing or controlling it.

California Privacy Rights (CCPA)

California residents have the right to know what personal information is collected, to request deletion, and to opt out of data sale. The Extension does not sell personal information.

Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated through Chrome Web Store update notes. Continued use of the Extension after an update constitutes acceptance of the revised policy.

Contact
