Privacy Policy
Last updated: 2026-07-09
WebmasterNinja ("the extension") shows Google Search Console (GSC) performance, grounded on-page SEO fixes, and AI-citation (GEO) readiness for the page you're viewing. This policy explains exactly what data the extension accesses, where it goes, and what is stored. It is written to match what the extension's code actually does.
[OWNER: …]
item before publishing — especially the token-exchange backend's data-retention
practices and the contact email. Do not publish with placeholders unresolved.Summary
- The extension does not sell your data, show ads, or contain third-party advertising or tracking SDKs.
- Most processing happens locally in your browser.
- Data leaves your browser only to: Google's APIs (to fetch your Search Console data), a token-exchange backend operated by the developer, the web pages whose links you choose to scan (to check for broken links), and — only if you add your own API key — Google's Gemini API for optional AI suggestions.
- Signing into Google is optional. Without it, the on-page SEO and GEO audits still run, reading the current page's content locally.
What the extension accesses
1. Your Google account (only via a sign-in you initiate). With your consent, the extension requests these read-only Google scopes:
webmasters.readonly— read your Search Console performance and URL-inspection data.userinfo.email,userinfo.profile— identify your account and list your verified sites.
It cannot change anything in your Search Console or Google account. Search Console features (clicks, queries, decay, overlap, internal-link and topic-coverage analysis) work only for sites you have verified in your own Search Console account.
2. The page you're viewing. When you open the popup, the extension reads the current tab's content (title, meta description, headings, body text, author byline, structured-data types, canonical/hreflang tags, and links) and may fetch the site's robots.txt and rendered HTML. This powers the on-page SEO and GEO-readiness audits, which run on any page — including sites you don't own. This page content stays in your browser and is not transmitted anywhere, except the specific short snippets you choose to send for an AI rewrite (see "Optional AI features").
3. Links you choose to scan. The SEO tab has a "Scan links" button. Only when you click it, the extension makes lightweight requests (HEAD, falling back to GET) to the links on the current page — including external, third-party URLs — to detect broken links and redirects. These requests originate from your browser as normal web requests. Nothing about the results is sent to the developer. This is the sole reason the extension requests broad host access (see "Permissions").
Where data goes
- Google APIs (
www.googleapis.com,searchconsole.googleapis.com) — your Search Console performance and index-status requests, authorized by your Google token. - Token-exchange backend (
gapi.ibrahi.my.id), operated by the developer — exchanges your Google sign-in code for access tokens and refreshes them. It receives your authorization code and email during this exchange.[OWNER: state what this server logs, how long it retains tokens/emails, and how it secures them.] - Third-party websites you scan — when you click "Scan links", your browser requests the linked URLs to check their status. A direct browser-to-site request; no intermediary receives it.
- Google Gemini API (
generativelanguage.googleapis.com) — only if you add your own Gemini API key. When you use an AI feature, the extension sends a small snippet (your Search Console numbers for a verdict, or the specific sentence/title you asked to rewrite) to Google using your key. If you do not add a key, nothing is sent here. - On-device AI (Chrome's built-in model), when available — runs entirely on your machine; nothing leaves your browser.
The extension does not send your browsing data or Search Console data to the developer for analytics.
Usage statistics
The extension keeps a local count of which features you use (e.g. "opened the GEO tab", "scanned links"), stored in chrome.storage.local on your device. These counters never leave your browser by default.
Optional aggregate analytics via Google Analytics (Measurement Protocol) is disabled and unconfigured in this release, and — if ever enabled in a future version — will send only anonymous, aggregate feature-usage events and will require your explicit opt-in first. A random, non-identifying client id is generated locally to support that future opt-in path.
What is stored
Stored locally via chrome.storage.local, on your device only:
- Your Google access token and account email, to keep you signed in. (The long-lived refresh token is not persisted in the browser; token refresh is handled server-side.)
- Your per-site preferences (date range, scope, brand filter, active tab).
- Your brand terms (for the branded/non-branded split).
- Your Gemini API key, if you added one.
- Local feature-usage counters and a random client id.
Removing the extension, or using Log out, clears the authentication data. (Log out removes the token and email; it keeps your saved preferences and brand terms until you uninstall.)
Permissions
identity— start the Google sign-in flow you initiate.storage— save your tokens, preferences, and settings locally.tabs/activeTab/scripting— read the content of the page you're actively viewing so the audits can run on it.- Host access (
*://*/*) — used only by the "Scan links" feature, to check whether links on the current page are broken. The extension does not run in the background on other sites and does not read or modify other pages' content.
Optional AI features
AI suggestions are off by default. They activate only when Chrome's built-in model is available, or when you add your own Gemini API key. On-device suggestions never leave your machine. Gemini suggestions send only the minimal snippet needed, using your key, and are not stored by the extension.
Data retention and deletion
- Local data — removed when you uninstall the extension or clear its storage; the token and email are removed on Log out.
- Backend token data —
[OWNER: describe retention/deletion, and how a user can request deletion.] - Google / Gemini — governed by Google's own retention and privacy policies.
Children
The extension is a professional SEO tool and is not directed to children under 13.
Changes
Material changes to this policy will be reflected here with an updated date.