AuditFocus Privacy Policy
This Privacy Policy applies to the AuditFocus browser extension ("AuditFocus", "the extension") published by Loophead Labs LLC ("we", "us", or "our"). It is consistent with the general Loophead Labs privacy policy; this page covers the extension-specific details that the Chrome Web Store requires publishers to disclose.
We are committed to protecting your privacy. This policy explains what data the extension accesses, how it is used, and your rights regarding that data.
1. What AuditFocus Does
AuditFocus is a developer tool that scans the current webpage against the WCAG 2.1 A and AA accessibility rule set using the open-source axe-core engine (Deque Systems, MPL 2.0). Results are displayed in Chrome's side panel. Its paid tiers add on-device AI fix suggestions, AI-generated alt text for image violations, PDF and Markdown report export, CSV export for issue trackers, branded report covers, scan history, and project tagging.
2. Data We Collect
Everything AuditFocus needs to function is stored locally in your browser using Chrome's built-in storage.local and IndexedDB APIs. This includes:
- Your extension preferences (such as which tier is active, whether the upgrade banner has been dismissed, UI filters, and dev-only overrides).
- On the paid tiers only: a local scan history log (up to 100 entries) containing the scanned URL, timestamp, violation counts by severity, and any project tags you applied. Each entry also stores the structured axe-core result used to regenerate a report. This log never leaves your device.
- On the Agency tier only: your branding settings, specifically the company name, accent color, and an uploaded logo (stored as a data URL up to 500 KB). This data is kept in chrome.storage.local and is used solely to render the cover page of exported PDF reports.
We do not collect or transmit:
- Your name, email address, or any account identifier tied to you personally.
- The content, structure, or screenshots of the pages you scan. Scans are performed locally and the results remain on your device unless you choose to export and share a report yourself.
- Your browsing history, cookies, or session tokens.
- Microphone, camera, location, or any OS-level data. AuditFocus does not request access to any of these.
- Analytics, telemetry, crash reports, or usage metrics.
3. Permissions
AuditFocus requests the following Chrome permissions, and uses each only for the stated purpose:
- activeTab: to run an accessibility scan on the tab you are currently viewing when you click the toolbar icon or the Scan button in the side panel. activeTab grants one-off access at the moment of the user gesture and is the minimum permission required to audit a page.
- scripting: to inject the bundled axe-core engine into the active tab's main execution world so it can evaluate the DOM against WCAG 2.1 rules. The injected code only reads DOM structure, styles, and ARIA attributes; it does not transmit anything.
- sidePanel: to render the AuditFocus user interface in Chrome's side panel.
- storage: to save your local scan history, project tags, tier status, UI preferences, and (on the Agency tier) your branding settings.
- tabs: to capture the URL and title of the tab you are auditing so they can be shown on exported reports and listed in your local scan history, and so the side panel can clear stale results when the audited tab navigates. Tab content is not read through this permission.
- downloads: to save PDF, Markdown, and CSV reports to your Downloads folder when you click Export. Downloads are only triggered by your explicit action and only write files the extension has generated locally; no remote files are fetched.
- Host permission for https://extensionpay.com/*: to receive the purchase-completed callback from the ExtensionPay library after a user pays for Pro or Agency. A small content script is injected only on extensionpay.com to deliver this callback; no page content is read or transmitted.
4. AI Features
On the Pro and Agency tiers, AuditFocus uses Chrome's built-in Prompt API and the Gemini Nano on-device model to generate:
- Plain-English fix suggestions for individual WCAG violations
- Alt-text proposals for images flagged by the image-alt rule
All AI inference runs locally on your device through Chrome's built-in AI runtime. No element snippets, page content, or generated output is transmitted to any server by AuditFocus. Availability and device support are determined by Chrome (version 138 or later on a supported machine). If the Prompt API is not available, free-tier scanning still works fully and the AI actions show a fallback link to axe-core documentation.
5. Third-Party Services
AuditFocus uses a single third-party service, and only on the paid tiers:
- ExtensionPay (operated by Glench, LLC), which uses Stripe to process one-time payments. When you click Upgrade, you are redirected to Stripe Checkout. We never see or store your payment card details. ExtensionPay and Stripe handle that data under their own privacy policies, available at extensionpay.com and stripe.com/privacy.
We do not use analytics providers (no Google Analytics, no Firebase, no Mixpanel), advertising networks, or tracking pixels. We do not sell, rent, or share any data with third parties for any purpose.
6. Children's Privacy
AuditFocus is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has used the extension in a way that raises concern, please contact us.
7. Data Security
Because AuditFocus stores all of its data locally on your device using Chrome's built-in storage and IndexedDB, the security of that data is a function of your device and your Chrome profile. We encourage you to keep your browser and operating system up to date. Payment data is handled entirely by Stripe, which is PCI-DSS certified and uses industry-standard encryption.
8. Your Rights and Choices
You can remove all data AuditFocus has stored by:
- Clearing scan history from the history view in the side panel, or
- Uninstalling the extension from chrome://extensions. Uninstalling clears all chrome.storage.local and IndexedDB data written by the extension.
Because we do not operate any servers and hold no personal data, there is nothing further to delete on our end.
9. Open Source Attribution
AuditFocus is powered by axe-core, an open-source accessibility testing engine developed by Deque Systems and licensed under the Mozilla Public License 2.0 (MPL 2.0). Attribution is preserved in every generated report, including when the Agency white-label setting is enabled.
10. Policy Changes
We may update this Privacy Policy as the extension evolves. Changes will be posted at this URL and reflected by the Effective Date above. Material changes will also be noted in the extension's release notes on the Chrome Web Store.
11. Contact
For questions about this Privacy Policy or AuditFocus, please contact: dev@loopheadlabs.com