Privacy Policy

This policy explains what data Header Specter processes and how it is protected.

Last updated: March 20, 2026

1. Information We Process

Header Specter is a browser extension with an optional paid subscription. We intentionally keep data collection minimal.

  • Subscription identifiers from Polar webhooks (customer ID, subscription ID, status, expiration).
  • Encrypted customer email when provided for subscription recovery workflows.
  • Webhook audit metadata required for security, fraud prevention, and debugging.
  • Rate-limit keys derived from hashed network identifiers to reduce abuse.

2. Data We Do Not Intentionally Collect

  • We do not process payment card numbers. Billing is handled by Polar.
  • We do not upload your browsing content to our servers for core extension features.
  • We do not transmit full browsing history or page content as part of VPN/privacy scoring checks.
  • We do not use third-party advertising trackers in the subscription app.

3. How Data Is Used

  • Activate, verify, restore, and cancel subscription access.
  • Respond to data-subject requests (export and deletion).
  • Defend APIs against abuse through request validation and rate limiting.
  • Maintain auditability for security-relevant events.

4. Security Controls

  • HTTPS enforcement and hardened security headers across app routes.
  • Nonce-based Content Security Policy for script execution controls.
  • Request signing between extension and API, plus API rate limiting.
  • Email encryption at rest and deterministic hashing for lookup operations.
  • Webhook idempotency and event audit logging.

5. Third-Party Processors

We rely on a limited processor set. See Third-Party Services for details.

  • Polar: subscription checkout, billing records, and webhook events.
  • Neon: hosted PostgreSQL database infrastructure.
  • Vercel: hosting and serverless runtime for subscription routes.
  • Public IP lookup services: used by optional VPN scoring checks to resolve your current public IP.
  • X4BNet list mirror on GitHub: provides VPN CIDR ranges used by optional VPN scoring checks.

6. Retention

  • Expired rate-limit windows are cleaned automatically.
  • Subscription/audit records are retained only as long as required for operations and security review.
  • Deletion requests remove customer records and related event payloads from app-owned storage.

7. Your Rights

You can request export or deletion of data we hold for your subscription account via the privacy API routes integrated in the product.

  • Data export endpoint: /api/privacy/export
  • Data deletion endpoint: /api/privacy/delete

8. Contact

For privacy or security inquiries, open a private report using the process in SECURITY.md.