Chrome Web Store's user data policy (chrome-cws-user-data-policy) requires that any extension collecting data disclose what is collected and why. GDPR Article 5 adds a lawfulness requirement: processing personal data without transparent disclosure is a violation, not just a policy gap. An extension with tabs, cookies, or webRequest permissions can access sensitive browsing behavior; users have no visibility into whether that data leaves their device unless you explicitly document it. Undisclosed data collection is also a top source of negative store reviews and user complaints that trigger review team investigations.
Medium because undisclosed data collection violates chrome-cws-user-data-policy and GDPR Art. 5, but the impact depends on whether sensitive data is actually transmitted.
Document every data-access permission and state explicitly what data (if any) is collected and where it goes. Add a Data Usage section to your README.
```markdown
## Data Usage
- **Tab titles and URLs** — Read locally to display your tabs. Never transmitted.
- **User preferences** — Stored in `chrome.storage.local`. Never sent to external servers.
This extension does not collect personal information or share data with third parties.
```
If you do transmit data, name the destination server and the legal basis (consent, legitimate interest, etc.). Match every disclosed item against the permissions in your manifest — undisclosed permissions are as bad as undisclosed data.
ID: extension-store-readiness.policy-compliance.data-usage-disclosed
Severity: medium
What to look for: Check the README, privacy policy, or any user-facing documentation for disclosure of what user data is collected (if any) and how it's used. Review the manifest permissions to infer what data the extension can access (tabs, storage, cookies, etc.). Verify the disclosed usage matches the capabilities.
Pass criteria: Enumerate all data-access permissions (tabs, cookies, webRequest, storage, etc.). If the extension collects any user data, this is clearly disclosed in at least 1 location (README section, privacy policy, or store listing). The disclosure explains what data is collected and why. If no data is collected, this is also stated clearly.
Fail criteria: The extension has at least 1 capability to collect sensitive data (e.g., tabs, cookies, webRequest) but does not disclose what data (if any) is actually collected or used.
Cross-reference: For comprehensive privacy compliance review including GDPR and data handling practices, the AI Data Privacy audit covers data exposure and retention patterns.
Skip (N/A) when: Never — data usage transparency is a Chrome Web Store requirement.
Detail on fail: "Extension requests 'tabs' permission but no documentation explains what tab data is collected or used" or "Privacy policy is silent on data collection despite storage permission".
Remediation: Document your data usage clearly:
```markdown
## Data Usage
This extension collects the following:
- **Tab titles and URLs**: Used locally to display your open tabs. Not sent to any server.
- **User preferences**: Stored locally in browser storage. Never transmitted.
We do not collect personal information, browsing history, or send data to external services.
```
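One way to automate the permission-to-disclosure match from the pass and fail criteria above, as an added example that is not part of the original check. The function names, the keyword patterns used to recognise a mention, and the sample manifest and README are assumptions constructed for illustration.

```javascript
// Added example. Keyword patterns are assumed heuristics, not Chrome Web Store rules.
const DATA_PERMISSIONS = new Map([
  ["tabs", /\btabs?\b/i],
  ["cookies", /\bcookies?\b/i],
  ["webRequest", /\b(web|network)\s*requests?\b/i],
  ["storage", /\b(storage|preferences|settings)\b/i],
]);

// Return the body of the "## Data Usage" section, or null when the README has none.
function dataUsageSection(readme) {
  const lines = readme.split(/\r?\n/);
  const start = lines.findIndex((l) => /^##\s+data usage\s*$/i.test(l));
  if (start === -1) return null;
  const rest = lines.slice(start + 1);
  const end = rest.findIndex((l) => /^#{1,2}\s/.test(l)); // next same-or-higher heading
  return (end === -1 ? rest : rest.slice(0, end)).join("\n");
}

// Enumerate data-access permissions and list those the disclosure never mentions.
function auditDataDisclosure(manifest, readme) {
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ].filter((p) => DATA_PERMISSIONS.has(p));
  const section = dataUsageSection(readme);
  const undisclosed = requested.filter(
    (p) => section === null || !DATA_PERMISSIONS.get(p).test(section)
  );
  return { requested, undisclosed, status: undisclosed.length ? "fail" : "pass" };
}

// Constructed sample input: a manifest that requests cookies the README never mentions.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["tabs", "storage", "activeTab"],
  optional_permissions: ["cookies"],
};
const SAMPLE_README = [
  "# Tab Lister",
  "## Data Usage",
  "- **Tab titles and URLs**: Used locally to display your open tabs. Not sent to any server.",
  "- **User preferences**: Stored locally in browser storage. Never transmitted.",
  "## License",
  "MIT",
].join("\n");

console.log(auditDataDisclosure(SAMPLE_MANIFEST, SAMPLE_README));
```

A keyword match only shows that a permission is mentioned; whether the disclosure accurately describes what is collected and where it goes still needs a human read.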