Privacy Policy

Stash Chrome Extension — Last updated: February 12, 2026

Overview

Stash is a Chrome extension that captures full-page screenshots with embedded cryptographic metadata for tamper-evident documentation. This policy explains what data the extension accesses, how it is used, and what is transmitted.

Data the Extension Accesses

When you click the capture button, Stash accesses the following from the active tab:

• Page URL and title — embedded in the screenshot metadata
• Page DOM HTML — used to compute a SHA-256 hash (the raw HTML is never stored or transmitted)
• Visible tab content — captured as screenshot tiles and stitched into a single image
• Viewport dimensions and device pixel ratio — used for accurate tile stitching
• Portal context — on supported sites (Procore, Textura, GC Pay, Trimble Pay, TeamPlayer), the extension reads the logged-in user name, company, and project name from the page DOM

The extension only accesses tab content when you explicitly click the capture button. It does not run in the background or monitor browsing activity.

Data Stored Locally

• ECDSA P-256 signing keypair — generated once on install and stored in chrome.storage.local. Used to sign screenshot metadata. Never transmitted.
• Last capture timestamp — stored locally for the popup status display.

No screenshots, browsing history, or personal information are stored by the extension.

Data Transmitted

When a screenshot is captured, the following data is sent to the Stash attestation server for timestamping:

• SHA-256 hash of the image pixel data
• SHA-256 hash of the page DOM
• Page domain and URL
• Client-side timestamp
• Attestation ID (a random UUID)
• Extension ID

The attestation server does not receive:

• The actual screenshot image
• The page HTML content
• User names, emails, or company information
• Browsing history or any data from other tabs

The server returns a signed timestamp and public key. It does not store the request data beyond processing the response.

Third-Party Services

The attestation server queries crt.sh (a public Certificate Transparency log) for TLS certificate fingerprints associated with the captured page's domain. This is a public lookup and does not transmit any user data.

No Accounts, No Analytics

• No user accounts or sign-in required
• No analytics, telemetry, or usage tracking
• No cookies or tracking pixels
• No advertising

Data Sharing

The extension does not sell, share, or transfer user data to any third party for advertising, marketing, or any purpose unrelated to the extension's core functionality (screenshot capture and attestation).

Permissions Explained

• activeTab — capture the visible tab as a screenshot and read the URL/title
• downloads — save the screenshot PNG to your Downloads folder
• scripting — inject scripts to read viewport size, DOM HTML (for hashing), and portal context
• offscreen — stitch screenshot tiles into a full-page image
• storage — persist the local signing keypair across browser sessions

Changes to This Policy

If this policy is updated, the changes will be reflected here with an updated date. Significant changes will be noted in the extension's changelog.

Contact

For questions about this privacy policy or the extension's data practices, contact chris@gostash.ai.