TraceFlow Privacy Policy

Summary

TraceFlow is a developer tool that captures, edits, and replays HTTP requests made by the web pages you open it on. It runs entirely inside your browser. No captured request, response, header, cookie, environment variable, or saved bookmark is ever transmitted to any server operated by the developers of TraceFlow or any third party. The extension makes no network requests of its own.

Who we are

"TraceFlow", "we", "us", and "our" refer to the developers and maintainers of the TraceFlow Chrome extension. "You" refers to the user who installs and uses the extension.

What data the extension handles

When you open the TraceFlow side panel on a tab, the extension captures the following data only for that tab and only while the panel is in use:

• HTTP request and response payloads — URL, method, headers, request body, response body, status code, and timing for every fetch and XMLHttpRequest the page issues. Headers may include authentication tokens or cookies that the page itself sends; these are recorded as the page sees them.
• The origin of the active tab — used to scope saved-request bookmarks and per-site state.
• User-defined environment variables — names and values you enter in the environment manager (for example, {{baseUrl}} or {{token}}).
• Saved-request bookmarks — full request snapshots you choose to star for later replay.
• UI preferences — for example, the currently selected environment or whether the saved-only view is on.

Where the data is stored

All of the data above is stored locally in your browser, inside the browser's IndexedDB and chrome.storage for the TraceFlow extension. It never leaves your device.

Captured request data for a given tab is held in memory while that tab is open and is cleared when the tab is closed or when the page navigates. Saved-request bookmarks and environment variables persist until you delete them or until you uninstall the extension or clear your browser's site data for the extension.

What we do not do

• We do not collect, transmit, or receive any of your data.
• We do not run analytics, telemetry, crash reporting, or fingerprinting.
• We do not sell or transfer your data to third parties.
• We do not use your data for advertising, profiling, or to determine creditworthiness.
• We do not use your data for any purpose unrelated to the extension's single purpose of capturing, editing, and replaying HTTP requests for web debugging.
• We do not include any remotely hosted code in the extension.

Permissions and why we need them

• sidePanel— to render TraceFlow's UI as a Chrome side panel attached to your active tab.
• storage — to persist your environment variables, saved-request bookmarks, and UI preferences locally on your device.
• scripting — to inject the small interceptor script that patches window.fetch and XMLHttpRequestin the page's main JavaScript world so request and response bodies can be cloned for inspection.
• activeTab— to read the active tab's id and origin so captures and replays are scoped to the correct tab.
• Host access (all URLs) — debugging happens on whatever site you are working with, so the set of hosts cannot be enumerated in advance. Host access is only exercised on tabs where you have explicitly opened TraceFlow; the extension does not run in the background on tabs you have not engaged with.

Sensitive data that may be captured

Because TraceFlow captures the requests your active page makes, it may incidentally record sensitive data that the page itself sends or receives — for example, authentication tokens in Authorizationheaders, session cookies, or personal information in request and response bodies. This data is stored locally on your device only. You can delete it at any time by:

• Closing the tab (clears in-memory captures for that tab).
• Removing individual saved-request bookmarks from the side panel.
• Deleting environment variables from the environment manager.
• Uninstalling the extension or clearing your browser's site data for it (clears all stored data).

Children

TraceFlow is a developer tool not directed at children under 13 and does not knowingly collect data from anyone, regardless of age.

Changes to this policy

If this policy changes in any material way, the "Last updated" date at the top of this page will be revised. Because the extension does not contact us, the only way to learn of a change is to revisit this page.

Contact

Questions about this policy or the extension's data handling can be sent to the support contact listed on the TraceFlow Chrome Web Store listing.