Privacy Policy
Traceo Chrome Extension
Last updated: March 17, 2026
Overview
Traceo is a Chrome extension for visual CSS inspection, responsive preview, screenshots, annotations, and video bug reporting.
Traceo is local-first by default: most inspection and capture processing happens in your browser on your device.
Traceo also includes optional online features:
- Account sign-in and account/profile operations (via Supabase)
- Shareable recording links (via Traceo video share API)
If you do not use optional online features, Traceo can be used without creating an account.
Data Collection Summary
| Data Type | Collected? | Stored Where? | Transmitted Externally? |
|---|---|---|---|
| Page DOM/style data for inspection | Yes (only when you use inspect features) | On-device (runtime memory) | No |
| Screenshots / annotated images | Yes (only when you capture/save) | On-device (chrome.storage.local, downloads, clipboard) | No |
| Video recordings | Yes (only when you start recording) | On-device (IndexedDB/download) | No (unless you use Share Link) |
| Recording metadata (URL, title, viewport/window size, timestamps) | Yes (during recording) | On-device | No (unless you use Share Link) |
| Console/network/action telemetry for recordings | Optional (advanced recording toggles) | On-device (viewer data) | No (unless you use Share Link) |
| Account data (email, auth profile fields) | Optional (if you sign in) | On-device + Supabase | Yes |
| Auth/session tokens | Optional (if you sign in) | On-device (chrome.storage.local) | Yes (used for authenticated API calls) |
| Usage/limit counters | Yes | On-device (chrome.storage.local) | Not currently transmitted |
| Analytics/tracking SDK events | No | N/A | No |
Recording Telemetry Notes
When enabled by you in advanced recording options, Traceo can include console logs, network request summaries, and action timeline data in the recording viewer.
- Network URLs are sanitized to origin + pathname (query string and hash are removed).
- Sensitive headers (for example authorization, cookie, token, secret, set-cookie) are redacted before storage/export.
- Header values are also truncated for safety.
This telemetry is stored locally unless you explicitly create a share link.
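The sanitization rules listed above, sketched as an added example (this is not Traceo's own code). The header-name fragments come from the policy's list; the substring matching, the 128-character cap, the placeholder strings and all function names are assumptions.

```javascript
// Added illustration, not Traceo's source. Fragment list comes from the policy's
// examples ("set-cookie" is covered by "cookie"); substring matching is an assumption.
const SENSITIVE_FRAGMENTS = ["authorization", "cookie", "token", "secret"];
const MAX_HEADER_VALUE_LENGTH = 128; // assumed cap; the policy states none
const REDACTED = "[REDACTED]";

// Keep origin + pathname only: drops query string, hash and user:pass@ userinfo.
function sanitizeUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return "[invalid-url]"; // never store an unparseable string verbatim
  }
  // data:, about: and similar have an opaque origin ("null") and may carry the
  // payload in the path, so only the scheme is kept.
  if (parsed.origin === "null") return parsed.protocol;
  return parsed.origin + parsed.pathname;
}

function isSensitiveHeader(name) {
  const lower = String(name).toLowerCase();
  return SENSITIVE_FRAGMENTS.some((fragment) => lower.includes(fragment));
}

// Redact sensitive headers entirely; truncate everything else.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    const text = String(value);
    if (isSensitiveHeader(name)) out[name] = REDACTED;
    else if (text.length > MAX_HEADER_VALUE_LENGTH)
      out[name] = text.slice(0, MAX_HEADER_VALUE_LENGTH) + "...";
    else out[name] = text;
  }
  return out;
}

function sanitizeRequestSummary(entry) {
  return { method: entry.method, status: entry.status,
           url: sanitizeUrl(entry.url), headers: sanitizeHeaders(entry.headers) };
}

// Constructed sample entry (not captured from any real site).
const SAMPLE_ENTRY = {
  method: "GET", status: 200,
  url: "https://user:pw@api.example.test:8443/v1/items/42?session=abc123#frag",
  headers: { Authorization: "Bearer abc", "X-CSRF-Token": "t0k", Accept: "application/json" },
};
console.log(sanitizeRequestSummary(SAMPLE_ENTRY));
```

Origin + pathname still preserves anything embedded in path segments (for example an identifier in `/v1/items/42`), so recordings of pages that put secrets in the path deserve a review before sharing.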
Outbound Network Requests
1) Authentication and account features (optional)
If you sign in, Traceo communicates with your configured Supabase project for:
- signup/signin/signout
- OAuth code exchange (including Google OAuth flow)
- token refresh
- profile fetch/update
Data may include email, user id, auth tokens, and profile fields required for account features.
2) Share Link for recordings (optional)
If you click Share Link in the recording viewer, Traceo uploads the following to the configured Traceo video share API (Cloudflare Worker + storage):
- the recorded video blob
- optional trace payload (recording metadata and captured telemetry shown in viewer)
Current default share retention is 3 days (after which shared links expire).
3) Asset export/download
If you export/download discovered assets, Traceo requests those asset URLs from their origin servers/CDNs to fetch bytes for download/zip operations.
Permissions and Why They Are Needed
Host Permissions (http://*/*, https://*/*)
Needed so Traceo can run inspection/capture/recording and responsive preview features on pages you choose to use it on. Traceo is user-driven. It does not run as a background web scraper independent of your extension actions.
Extension Permissions
| Permission | Purpose |
|---|---|
| activeTab | Capture active tab when requested |
| tabs | Tab/window context, messaging, recording coordination |
| scripting | Inject Traceo scripts/overlays into pages |
| sidePanel | Side panel UI |
| storage | Local preferences, session state, saved data |
| offscreen | Offscreen recording/finalization flows |
| alarms | Timers for recording/session/auth maintenance |
| windows | Recording window/focus orchestration |
| clipboardWrite | Copy values/images/share links on explicit user action |
| identity | OAuth flow support (chrome.identity) |
| webNavigation | Navigation-aware recording/auth callback handling |
| webRequest | Optional network event capture during recordings |
| declarativeNetRequest, declarativeNetRequestWithHostAccess | Responsify preview compatibility (frame/CSP header adjustments where required) |
| cookies | User-invoked site cookie clearing in Responsify tools |
| browsingData | User-invoked per-origin cache/storage clearing tools |
Storage and Retention
Traceo uses:
- chrome.storage.session for transient runtime state
- chrome.storage.local for preferences, auth tokens (if signed in), and saved local artifacts
- IndexedDB for recording binaries/viewer artifacts
Local data remains until cleared by you, extension cleanup routines, or extension uninstall.
How to clear data
- Uninstall Traceo, or
- Clear extension/site data in Chrome, or
- Use Traceo controls that clear scoped site cache/cookies/storage (Responsify tools)
For account/server-side data (Supabase profile/auth records), contact support for deletion requests.
Third-Party Services
Depending on features you use, Traceo may use:
- Supabase (authentication and profile/account data)
- Cloudflare Worker/R2/KV (optional share-link video hosting)
Traceo does not include advertising SDKs or product analytics SDKs.
Security Notes
- Extension code is packaged with the extension and loaded from extension assets.
- Sensitive auth/session data is stored locally in extension storage when account features are used.
- Shared recording links are time-limited based on configured retention.
Changes to This Policy
We may update this Privacy Policy as Traceo evolves. The "Last updated" date above reflects the latest revision.
Contact
If you have privacy questions or deletion requests:
- Email: cs@traceo.dev
- Website: https://traceo.dev