Privacy policy

extstat is privacy-first analytics for browser extensions. The data an extension sends through extstat is anonymous by design — it can't identify a person. This page explains, in plain terms, what we collect and what we don't.

Last updated: June 2026.

What an event contains

When an extension uses extstat, each event carries only:

• a random client identifier — created on the user's own device and kept in the extension's storage. It is not a fingerprint and is not tied to any device, account, or personal identity. Clearing the extension's storage resets it.
• an event name (for example "install", or a custom name) chosen by the extension's developer.
• optional properties — a small bit of extra detail the developer attaches to an event.
• a timestamp.

We also record the time an event was received.

What we do not collect

• We don't store IP addresses. Our servers briefly see the connecting address to send a response and to protect the service from abuse, but it is never saved alongside events.
• We don't use cookies for analytics. The endpoint that receives events sets no cookies. (Cookies are used only to keep you signed in to your own dashboard.)
• No device fingerprinting, no cross-site identifiers, and no third-party trackers.

Controls for the people using an extension

extstat is built so end users stay in control:

• Do Not Track — if the browser signals Do Not Track, extstat collects nothing.
• Opt out — an extension can offer a switch that stops all collection and remembers the choice.
• Because the client identifier lives in the extension's own storage, clearing it removes any link to past activity.

How long we keep data

Events are kept for up to 2 years, then permanently deleted automatically. Once deleted, the data is gone from every report and cannot be recovered.

Your data and deletion

If you use extstat for your extension, you control your data:

• You can permanently delete a project and all of its events from your dashboard at any time.
• You can permanently delete your whole account, which removes all of your projects and their data and signs you out.

These deletions take effect immediately and cannot be undone.

Responsibilities of extension developers

If you send data through extstat, you choose what goes into event names and properties. Please don't put personal data there — no email addresses, no identifiers that single out a person, and no free-text that might contain personal information. extstat stores what you send as-is and cannot scrub personal data out of it.

Legal basis

Because the default data is anonymous (it contains no personal data), it generally falls outside the scope of laws such as the GDPR. If a developer chooses to send personal data anyway, that developer is responsible for having a lawful basis and any agreements their own users require — that is outside what extstat collects by default.

Security

We follow standard security practices: data is encrypted in transit, credentials and secrets are protected at rest, and access to your data requires signing in and is limited to your own account.

Contact

Questions about privacy? Email us at support@extstat.dev. We'll update this page if our practices change.