No data ever leaves your browser except outbound API queries made directly to:
- CISA (cisa.gov) to download the Known Exploited Vulnerabilities catalogue
- NVD (nvd.nist.gov) to fetch CVE records matching the vendor of the site you are visiting

Visited hostnames are cached locally in browser.storage.local only. They are never transmitted to any server or third party.

The optional NVD API key is stored locally in browser.storage.local. It is never transmitted anywhere except as a request header in HTTPS calls made directly to nvd.nist.gov.

No analytics, no telemetry, no third-party services. The extension makes no requests other than the two listed above and collects no usage data of any kind.

All locally stored data (cached CVE results and your API key) can be cleared at any time using the Clear Cache button in the extension popup, or by removing the extension entirely.