SYBA Shield extension privacy policy

This is the complete and self-contained privacy disclosure for the SYBA Shield browser extension, listed on the Chrome Web Store as “SYBA Cybersecurity Agent”. It covers every category of data the extension can access, how that data is used, where it is stored, how long it is kept, and every party it is shared with. It applies in addition to the general Syba privacy policy; where the two differ for the extension, this page governs.

1. Who we are and how to reach us

The SYBA Shield extension is published by Syba Security Corp, INC. (US headquarters: 2972 Webb Bridge Road, Alpharetta, GA 30009; EU entity: SYBA Inc., Katelijne Business Center, Baron Ruzettelaan 5/1.1, 8000 Brugge, Belgium). For any privacy question about the extension, email customer.service@syba.io or support@sybainsurance.com.

2. Single purpose

SYBA Shield has one purpose: to detect and warn you about phishing pages, lookalike domains, and malicious links while you browse. Every permission it requests and every piece of data it touches exists to serve that purpose. The extension does not sell your data, does not use it for advertising, and does not transfer it to data brokers.

3. Data we collect, and how each type is handled

The table below lists every category of data the extension can access. Most analysis happens on your device and never leaves your browser. The only data sent off your device is the data needed to complete an action you explicitly start (a vision scan or a chat message) plus the account token used to authorize it.

  • Web page URLs and page titles. The address and title of pages you visit, and the URLs of the network requests those pages make, are inspected on your device by the extension’s offline heuristics (lookalike-domain, IDN-homograph, suspicious-TLD, IP-literal, and embedded-credential checks). These URLs are not transmitted to us or to any third party, except the single page URL and title that accompany a vision scan you trigger (see “Website content” below).
  • Website content — page-structure signals. A content script reads passive structural signals from the pages you visit (for example, whether a password field submits to a different domain, or whether a login form is themed for one brand but hosted on another). This runs on your device; only derived true/false signals reach the extension’s own background process. We do not collect keystrokes, passwords, form values, or full page text.
  • Website content — screenshots, only when you click “Scan”. When you explicitly start a vision scan, the extension captures an image of the currently visible browser tab and sends it, together with that tab’s URL and title, to a vision-AI model for analysis. Screenshots are never captured in the background and never on a schedule — only on your click. A screenshot may contain whatever is visible on that page at that moment.
  • Authentication information. If you choose to sign in with your Syba account, we issue a rolling 30-day opaque access token. It is stored in your browser’s local extension storage and, as a hashed reference, on our servers. It is used only to authorize the extension’s API calls (vision verdicts, the safety co-pilot chat, and subscription-tier lookup) and is revocable at any time.
  • Safety co-pilot chat messages. If you open the side panel and send a message to the SYBA agent, the text you type — and, if you attach the current page for context, that page’s URL and title — are sent to the AI model to generate a reply.
  • Settings and local cache. Your preferences, per-site allowlist, recent verdicts, and scan history are stored locally via chrome.storage.local on your device. They are not synced across devices and are not transmitted to us. An optional OpenRouter API key you enter is stored locally and is never sent to Syba.

We do not collect health, financial, or location data; we do not use analytics SDKs or third-party trackers inside the extension; and we do not maintain a per-page audit trail of your browsing.

4. How we use the data

  • To produce the green / amber / red safety verdict for the page you are on.
  • To run the on-demand vision scan you trigger and return its findings.
  • To answer the questions you ask the safety co-pilot chat.
  • To apply the correct rate limits and feature flags for your subscription tier.
  • To notify you when a page is flagged as phishing or a high-severity network request fires (only if you enable notifications).

We do not use your data for advertising, profiling, creditworthiness or lending decisions, or for any purpose unrelated to the security features above.

5. How we store it

  • On your device. Settings, allowlist, recent verdicts, scan history, and any OpenRouter key live only in chrome.storage.local. Removing the extension deletes them.
  • On our servers. Only a hashed reference to your access token and your subscription tier are stored, so we can validate and revoke the token. Vision-scan screenshots are processed to produce the verdict and are not retained on our servers after the verdict is returned.

6. How we share it, and every party it is shared with

We share data only as needed to deliver the scan or chat you request. The full list of parties:

  • Syba’s servers (sybainsurance.com), hosted on Netlify, Inc. When you are signed in, your scan screenshot, page URL/title, and chat messages are sent to our endpoint, which forwards the request to the AI provider below.
  • OpenRouter, Inc. routes vision-scan and chat requests to the AI model selected for your account or in Settings.
  • AI model providers. Depending on the model used, the screenshot and/or text is processed by Google LLC (Gemini), Anthropic, PBC (Claude), or OpenAI, L.L.C. (GPT).
  • Your own key path. If you provide your own OpenRouter API key instead of signing in, scan and chat data is sent directly from your browser to OpenRouter and never touches Syba’s servers.
  • Legal authorities, only where disclosure is required by law.

We do not sell extension data and do not share it with any party other than those listed above.

7. Data retention

Local data persists on your device until you clear it or remove the extension. Vision-scan screenshots are not retained on our servers after the verdict returns. Your hashed token is retained while your account is active and is deleted when you sign out, revoke it, or delete your account. To request deletion of your account and associated data, email customer.service@syba.io; we comply within 30 days, subject to legal retention requirements.

8. Your choices and controls

  • Use it without an account. All on-device protection works with no sign-in. Sign-in is optional and unlocks the cloud vision scan and chat.
  • Trigger scans yourself. Screenshots are only captured when you click “Scan”.
  • Allowlist. Mark sites you trust so they are not flagged.
  • Sign out from the side panel at any time to clear and revoke your token.
  • Bring your own key so scan data bypasses Syba’s servers entirely.
  • Notifications and network monitoring are optional permissions you grant or deny.

9. Children

SYBA Shield is not directed to children under 13 (or the minimum age in your jurisdiction) and we do not knowingly collect their data.

10. Chrome Web Store Limited Use

SYBA Shield’s use of information received from Google APIs, and all user data it handles, adheres to the Chrome Web Store User Data Policy, including its Limited Use requirements. Specifically: we collect and use user data only to provide and improve the single security purpose described above; we do not sell user data; we do not use or transfer it for personalized advertising, creditworthiness, or lending; and we do not allow humans to read user data except (a) with your affirmative consent for a specific message, (b) as necessary for security or to comply with applicable law, or (c) where the data is aggregated and anonymized for internal operations.

11. Security

We use TLS for all network calls, store the access token as a hashed reference, scrub tokens from URLs during the sign-in handoff, and request only the permissions each feature needs. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

12. Changes to this policy

We may update this policy as the extension evolves. Material changes will be posted here with an updated effective date; continued use after changes take effect constitutes acceptance.

Effective date: 2026-06-01 · Chrome Web Store item “SYBA Cybersecurity Agent” · © 2026 Syba Security Corp, INC.