Privacy Policy

Last updated: June 16, 2026

Our commitment to your privacy

Owlmet exists to protect your browsing. That's all we do. We have no interest in your personal data, browsing habits, or online activity beyond keeping you safe. We believe a security tool that doesn't respect your privacy isn't worth using.

What Owlmet does

Owlmet is a browser extension focused entirely on web browsing protection. It guards against a wide range of online threats:

• Clipboard protection - blocks malicious scripts from secretly writing dangerous commands to your clipboard (ClearFake, ClickFix, and similar attacks)
• Page scanning - detects social engineering patterns on web pages, including fake CAPTCHAs, fake verification prompts, and paste-command instructions
• URL protection - checks every site you visit against Google Safe Browsing to warn you about known malware, phishing, and dangerous downloads
• Credential theft detection - catches attempts to steal your session tokens, API keys, cookies, and other sensitive data through your clipboard
• Behavioral analysis - identifies suspicious page behavior like hidden inputs combined with fullscreen overlays, even when no known attack pattern is matched
• Browser security checkup - audits your browser settings and installed extensions to flag potential risks

What data we collect

Account data

If you create an account, we store your email address and account plan. Your email is the minimum we need for login and password recovery. We do not use it for marketing or share it with anyone. Passwords are never stored in plain text. They are hashed using industry-standard encryption (bcrypt), meaning no one, including us, can see your password.

If you sign in with Google, we receive your email address from Google but do not access any other Google account data.

Extension data

All threat detection happens locally in your browser. Owlmet does not send your browsing history, clipboard contents, or page content to our servers.

The extension stores the following data locally on your device:

• Threat detection statistics (pages scanned, threats blocked)
• A log of recent detected threats (URL and threat type only)
• Your extension settings and allowed domains list
• Security checkup results

Browser permissions

Owlmet requests a set of browser permissions through the standard Chromium extension system. These permissions are required for Owlmet to protect you and are used solely for that purpose:

• Read your browsing activity. Allows Owlmet to check each site you visit against threat databases locally. We do not record, store, or transmit your browsing history. We have no way to associate browsing activity with any user.
• Display notifications. Allows Owlmet to alert you when a threat is detected or when your account is signed in.
• Manage your extensions. Allows Owlmet's security checkup to review your installed extensions for risky permissions. We do not modify or remove other extensions.
• Manage privacy-related settings. Allows Owlmet's security checkup to read and recommend changes to browser privacy settings like Safe Browsing and Do Not Track.

These are standard capabilities provided by Chromium-based browsers (Chrome, Edge, Opera, Brave, and others) to all extensions. Owlmet uses them strictly as a protective tool. All processing happens locally in your browser. Nothing is sent to our servers, and we have no access to your browsing data.

Google Safe Browsing

Owlmet uses Google's Safe Browsing Update API to check sites for malware and phishing. The URLs you visit never leave your browser. Instead, Owlmet downloads a local database of threat signatures from Google and checks URLs against it entirely on your device. Only if a partial match is found does Owlmet send a short, anonymous hash prefix to Google to confirm the threat. This prefix cannot be used to reconstruct the URL you visited. Google's use of this data is governed by Google's Privacy Policy.

Detection patterns

Owlmet periodically downloads updated threat detection patterns from our server. This request does not include any personal data or browsing information.

What data we do not collect

• Browsing history or visited URLs
• Clipboard contents
• Page content or form data
• Cookies or session tokens from other sites
• Personal files or documents

Third-party services

• Supabase - authentication and account storage
• Google Safe Browsing API - threat database updates and hash prefix confirmation (URLs are never sent to Google)
• Google OAuth - optional sign-in with Google
• Cloudflare - website hosting and delivery
• Paddle - payment processing for premium subscriptions. Paddle handles all payment data directly. Owlmet never sees or stores your credit card information.

We will update this list when we add or change service providers. Account holders will be notified of material changes at least 30 days in advance.

Data retention

Local extension data stays on your device and is cleared when you uninstall the extension. Account data is retained until you delete your account. You can request account deletion by emailing us.

Children's privacy

Owlmet is not directed at children under 16. We do not knowingly collect data from children.

Legal basis for processing

Under GDPR and similar regulations, we process data on the following bases:

• Legitimate interest. The extension's threat detection, URL checking, and security checkups serve the legitimate interest of protecting you from online threats. All processing happens locally in your browser.
• Contract performance. If you create an account, we process your email and account data to provide the service you signed up for.
• Consent. If you sign in with Google OAuth, you consent to sharing your email address with us through Google's authorization flow.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

• Access. You can request a copy of the personal data we hold about you.
• Rectification. You can ask us to correct inaccurate data.
• Deletion. You can request that we delete your account and associated data.
• Portability. You can request your data in a portable format.
• Objection. You can object to processing based on legitimate interest.
• Complaint. You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at support@getowlmet.com. We will respond within 30 days.

Data protection officer

Given our small scale and the fact that all browsing data is processed locally on your device, we are not required to appoint a Data Protection Officer. For any privacy-related inquiries, contact us at support@getowlmet.com.

Changes to this policy

We may update this policy from time to time. For material changes, we will notify account holders by email at least 30 days before the changes take effect. If you do not agree, you may delete your account before the effective date. Changes will also be posted on this page with an updated date.

Contact

Questions about this policy? Email us at support@getowlmet.com.