Privacy Policy
This Privacy Policy describes how Qheck ("we," "us," "our") collects, uses, stores, and shares information when you use the Qheck browser extension and the qheck.ai website ("the Service").
We have written this policy to be specific and accurate. Qheck is a browser extension that audits web applications by capturing screenshots and page data and sending them to a third-party AI service (Anthropic) for analysis. You should understand exactly what this means before using the Service.
If you do not agree with this Privacy Policy, do not install or use Qheck.
Summary in Plain Language
- Qheck takes screenshots of pages you audit and sends them to Anthropic for analysis.
- Don't run Qheck on pages with sensitive personal information (passwords, credit cards, health data) unless you're okay with that data being captured.
- Today, your audit data is stored on your device. Cloud sync, team accounts, and account features are on the roadmap and will be opt-in when they ship.
- You can delete sessions or your whole account anytime.
- We don't sell your data, train AI on it, or use it for advertising.
- Anthropic may retain data for up to 30 days under their trust and safety policy.
- AI output is fallible — verify findings before acting on them.
If any of this is not acceptable to you, do not use Qheck.
1. What Qheck Collects
When you use Qheck to audit a webpage, Qheck collects the following data from that page:
From every audited page:
- Screenshots of the visible viewport, captured as JPEG images
- DOM structure including selectors, text content, and bounding boxes of visible elements
- Computed styles of clicked or interacted elements (color, background, font size, opacity, etc.)
- Console output including warnings and errors emitted by the page
- URL and page title of every page visited during the session
- Browser viewport dimensions and user agent string
- Click events, navigation events, and friction signals (e.g., rapid clicking, long pauses)
From your interactions:
- Markup annotations you draw on screenshots
- Quality Focus selection and Query Declaration text
- Session timestamps and durations
From your account:
- Email address used to sign in
- Tier (Trial, Standard, Pro) and usage counts
2. What Qheck Does NOT Collect
Qheck does not collect:
- Form input values by default (but see Important Caveat below)
- Browsing history outside active Qheck sessions
- Pages you visit when Qheck is not actively recording
- Files stored on your device
- Other extensions you have installed
- Authentication cookies or session tokens from audited sites
While Qheck does NOT capture text typed into form fields by default, Qheck DOES capture screenshots of the visible page (which may include text visible on screen) and DOM snapshots that include the current value attribute of input elements at the moment of capture.
Do not enter sensitive information (passwords, credit card numbers, government ID, health information) into a page while Qheck is actively recording or running an AI Scan. We recommend running Qheck on test data, staging environments, or pages without sensitive personal information.
3. Where Your Data Goes
Sent to Anthropic (third-party AI provider):
When Qheck performs AI analysis, it sends to api.anthropic.com:
- A subset of captured screenshots (typically 20–90 images per session)
- DOM structure summaries
- Console errors
- Markup annotations
- Computed styles for elements involved in findings
- The synthesis prompt (the instructions Qheck sends to the AI)
This data is sent over HTTPS. Anthropic's data handling is governed by Anthropic's Privacy Policy. As of this policy's effective date, Anthropic states that data sent through the API is not used to train their models by default.
Stored on Your Device:
In the current version of Qheck, the following data is stored locally in Chrome's chrome.storage.local on your device:
- Session events (clicks, navigations, console output)
- Screenshots
- Markup annotations
- Session metadata
- Scan resume files
- Tier override settings
In the current version, this data does NOT leave your device unless you explicitly export a Qheck Deck. See “Sent to Qheck Servers” below for cloud features that are on the roadmap.
Sent to Qheck Servers:
In the current version of Qheck, the extension does not transmit your audit content (screenshots, DOM data, console output, Qheck Deck contents) to any Qheck-operated server. The extension communicates directly with Anthropic's API for analysis. Authentication servers store your email address, account tier, and usage counts — these servers do not receive audit content.
Cloud features are on the roadmap. Planned capabilities include cross-device session sync, team accounts, deck sharing, and a server-side Qheck Deck Analysis Dashboard. When any cloud feature ships, it will be opt-in per session, the data flow will be described in this policy, and we will notify users in-extension and via email before activating it. Until then, audit content stays on your device unless you explicitly export a Qheck Deck.
4. How We Use Your Data
We use data to:
- Generate audit reports for your sessions
- Manage your account, tier, and usage limits
- Improve Qheck (debugging, aggregate metrics)
- Respond to support requests
We do NOT use your data to:
- Train AI models
- Sell to third parties
- Target advertising
- Profile your browsing behavior beyond active sessions
5. How Long We Keep Your Data
| Location | Retention |
|---|---|
| Your device (sessions) | Until you delete them or uninstall Qheck |
| Your device (flagged sessions) | Protected from automatic cleanup |
| Our authentication servers | Until you delete your account |
| Usage counters | Reset monthly |
| Anthropic API (per their policy) | Up to 30 days for trust and safety |
6. Sharing Your Data
We do NOT sell your personal data.
We share data only:
- With Anthropic, as required for AI analysis
- With service providers essential to operating Qheck (authentication, email forwarding)
- When legally required, in response to valid subpoenas or court orders
- In a business transfer, with notice to users before any data handling change
7. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access data we have about you
- Correct inaccurate data
- Delete your account and data
- Port your data in a machine-readable format
- Object to certain processing
- Withdraw consent at any time
Specifically:
- Delete any session through the Session Manager
- Delete all sessions with the "Delete all" button
- Uninstall Qheck to remove all locally-stored data
- Email privacy@qheck.ai for account deletion
We respond to data requests within 30 days.
European Users (GDPR)
If you are in the EEA, UK, or Switzerland, you have additional rights under GDPR. Our legal basis is your consent (granted by installation) and our legitimate interests in providing the Service. You may lodge a complaint with your local supervisory authority.
California Users (CCPA)
California residents have rights under CCPA. We do not sell personal information.
8. Children's Privacy
Qheck is not intended for users under 18. We do not knowingly collect data from minors. Contact hello@qheck.ai if you believe a minor has used Qheck.
9. Security
We use industry-standard security measures: HTTPS for all API communication, encrypted storage of authentication tokens, and minimal Qheck-side data exposure. In the current version of the extension, audit content stays on your device — see Section 3 for what changes when cloud features ship.
However, no security system is perfect. You acknowledge using Qheck at your own risk.
10. Cookies and Tracking
The Qheck extension does NOT use cookies or tracking pixels. The qheck.ai website may use minimal cookies for the waitlist form (provided by Formspree).
11. International Data Transfers
Qheck and Anthropic operate globally. Your data may be transferred to, stored in, and processed in countries other than your own, including the United States. By using Qheck, you consent to these transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last Updated" date and notify you of material changes via email or in-extension notice.
13. Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Anthropic | AI analysis | View |
| Vercel | Website hosting | View |
| Formspree | Waitlist form | View |
| ImprovMX | Email forwarding | View |
| GoDaddy | DNS | View |
14. Contact Us
- General: hello@qheck.ai
- Privacy: privacy@qheck.ai
- Support: support@qheck.ai
- Website: qheck.ai
15. Important Disclaimers
Accuracy of AI Output
Qheck uses AI to analyze your audits. AI output can contain errors including factually incorrect findings, recommendations that don't apply to your codebase, severity assessments differing from your judgment, and occasional hallucinated claims. You are responsible for verifying findings before acting on them.
Audit Scope
Qheck audits what it can observe through the browser. It does NOT audit backend code, database integrity, or security vulnerabilities outside the rendered DOM. Network requests, performance metrics, console output, and runtime exceptions are captured in Dev Mode (Pro tier) via Chrome's debugger. Accessibility tree analysis, mobile viewport emulation, and code coverage are pending in v0.4 Phase 4.4.
No Warranty
Qheck is provided "as is" without warranties of any kind.
16. Pre-Release Notice
If you are using a beta or alpha version of Qheck:
- Behavior may change between versions
- Data formats may not be backward-compatible
- We may collect additional diagnostic information for debugging
- We may contact you for feedback (you may opt out)