Legal
Privacy Policy
Last updated: May 29, 2026
KeyLeak does not collect, transmit, or store any user data. The extension, CLI, and scanner run entirely on your own device.
What KeyLeak does
KeyLeak Detector is a security tool that runs entirely in your browser or on your machine. It analyzes web traffic and code to detect exposed API keys, Backend-as-a-Service (BaaS) misconfigurations, and secrets in JavaScript bundles.
Data collection
KeyLeak performs all analysis locally. Specifically:
- All analysis happens locally in your browser or on your machine.
- No data is sent to any external server.
- No analytics, telemetry, or tracking of any kind.
- No user accounts or registration required.
- Findings are stored only in your browser's local storage (per-tab) and cleared when the tab closes.
What the extension accesses
- Web requests: Intercepts HTTP requests and responses on pages you visit to scan for secrets. This data never leaves your browser.
- Page content: Reads the DOM, inline scripts, and browser storage to detect exposed credentials. This data never leaves your browser.
- The <all_urls> permission: Required so the scanner can run on any website you choose to visit. The extension only reads data while you are actively browsing a page, and never transmits it.
Optional local server
The "Run Full Scan" feature connects to http://127.0.0.1:5002 — a local Python server you run on your own machine. No data leaves your local network.
Changes to this policy
If this policy changes, the "Last updated" date above will be revised. Material changes will also be reflected in the extension's store listing.
Contact
Questions about this privacy policy: amal@utopianlabs.co
Source & issues: github.com/Amal-David/keyleak-detector