PII Fortress

Privacy Policy

Effective date: March 1, 2026 · Last updated: March 1, 2026

    The short version: PII Fortress is a privacy tool. We practice what we preach.
    We do not sell your data. We do not track you. Almost everything stays on your device.
    The only data that leaves your browser is what you explicitly choose to send (like an email
    address when purchasing a license or setting up breach monitoring).
  

1. Who We Are

PII Fortress ("we," "us," "our") is a Chrome browser extension designed to protect user privacy online. Contact: support@pii-fortress.com

2. Data We Collect

2a. Data That Never Leaves Your Browser

The following data is stored exclusively in chrome.storage.local on your device and is never transmitted to us or any third party:

Your extension settings and preferences (consent mode, toggle states, whitelist/blacklist)
Tracker and consent statistics (count of trackers blocked, consents handled, links cleaned)
Per-site visit logs and heatmap data
Cookie Jar entries
Your HIBP (Have I Been Pwned) API key — stored locally only, never transmitted to us
Breach monitoring results and history
Scheduled scan results
Your license key and the email address associated with it

2b. Data You Choose to Share

The following data is only processed when you actively use specific features:

License purchase (Stripe): If you purchase via Stripe, Stripe collects payment information per their privacy policy. We receive your email address to issue a license key.
Crypto payment: If you pay via MetaMask, Phantom, or Xaman, your transaction hash is used on-chain to derive your license key. No wallet addresses are stored by us.
Breach monitoring (HIBP email check): When you use the email breach monitoring feature, your email address is sent to the Have I Been Pwned API (HIBP privacy policy). This requires your own HIBP API key, which is stored only on your device.
Password breach check: We use the k-anonymity method. Only the first 5 characters of the SHA-1 hash of your password are transmitted to HIBP. Your actual password and full hash are never sent anywhere.
Scam Scanner: URLs you explicitly submit for scanning are sent to the Google Safe Browsing API. No browsing history is transmitted — only URLs you manually scan.

3. Data We Do NOT Collect

We do not collect or transmit your browsing history
We do not track which websites you visit
We do not use analytics, telemetry, or crash reporting services
We do not use advertising or tracking cookies
We do not sell, rent, or share your data with third parties for marketing purposes
We do not collect or store passwords, financial information, or health data
We do not fingerprint your browser or device

4. Permissions We Use and Why

declarativeNetRequest: Blocks trackers and cleans URLs — operates locally using rules, does not transmit URLs to us
scripting: Injects the consent rejection script into pages — no data is collected
storage: Saves your settings and statistics locally
alarms: Schedules periodic breach checks and site scans — runs locally
notifications: Sends local notifications when breaches or threats are detected — no data leaves your device
tabs: Required to apply settings on page load and open the payment tab — does not record or transmit navigation history

5. Third-Party Services

When you use certain features, data is sent to these third parties under their own privacy policies:

Have I Been Pwned (HIBP) — email breach checking. HIBP Privacy Policy
Google Safe Browsing API — scam URL scanning. Google Privacy Policy
Stripe — credit/debit card payment processing. Stripe Privacy Policy
Resend — transactional email (license key delivery only). Resend Privacy Policy

6. Local Data Storage and Deletion

All extension data is stored in chrome.storage.local on your device. You can delete all stored data at any time by:

Uninstalling the PII Fortress extension from Chrome
Using Chrome's built-in "Clear browsing data" function and selecting extension data
Using the Reset button in PII Fortress Settings (if available in your version)

We do not retain any copies of your local extension data — it exists solely on your device.

7. License Key Data

For Stripe-purchased licenses, we retain the following on our payment verification server for up to 13 months:

Your email address (used solely to issue and validate your key)
Your license tier (Sentinel or Vault)
The derived license key (a 16-character hash — not your password)
Payment transaction ID (for dispute resolution)

For crypto-purchased licenses, all verification is done on-chain — no email or personal data is required or stored by us. To request deletion of Stripe-related data, email support@pii-fortress.com.

8. Children's Privacy

PII Fortress is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy at this URL with a new "Last updated" date. Continued use of the extension after changes constitutes acceptance of the updated policy.

10. Contact

For privacy questions, data deletion requests, or concerns:

Email: support@pii-fortress.com

11. Open Source Acknowledgements

PII Fortress incorporates the following open source data and components. Full license texts are available on the Open Source Notices page.

EasyList — CC BY-SA 3.0 — Used for approximately 30,000 ad-blocking network rules (converted from ABP to DNR format).
EasyPrivacy — CC BY-SA 3.0 — Used for approximately 30,000 tracker-blocking network rules (converted from ABP to DNR format).
Peter Lowe's Ad and Tracking Server List — MIT License — Used for approximately 3,500 domain-level ad and tracker blocking rules.
Consent-O-Matic — Mozilla Public License 2.0 — Copyright © Janus Bager Kristensen & Rolf Bagge, CAVI, Aarhus University. Used for CMP detection and consent interaction rule definitions.