COBRASEC

Privacy Policy

TRACE Browser Extension · Last updated: 22 May 2026

    Short version: TRACE captures HTTP request metadata from your browser for security analysis. All data stays on your device. The only time data leaves your device is when you explicitly click an Analyse button — at which point selected traffic metadata is sent to the Groq API. We do not collect, store, or transmit any data ourselves.
  

1. What TRACE Is

TRACE is a browser developer tool designed for security professionals and developers. It passively observes HTTP and HTTPS requests made by your browser, scores them for security relevance, and optionally sends selected traffic metadata to an AI service for analysis.

2. What Data TRACE Collects

TRACE observes the following data from browser network requests, stored only in your browser's session memory (cleared when you close the browser):

Request URL, HTTP method, and status code
Request and response headers
Request body (up to 300 characters)
Response body (up to 500 characters)
Request timing (duration in milliseconds)

TRACE does not collect: usernames, passwords, payment information, or personal identification information beyond what appears in the URLs you visit. The extension applies a risk scoring model to identify security-relevant requests and drops low-interest traffic.

3. Where Your Data Goes

By default, your data goes nowhere. All captured traffic is stored in your browser's session storage (chrome.storage.session), which is local to your device and cleared automatically when your browser session ends.

When you click Analyse: If you click "Analyse Session", "Deep Analysis", or "Analyse this request", selected traffic metadata (URLs, methods, status codes, headers, and partial request/response bodies) is sent to the Groq API (api.groq.com) using your own Groq API key. This transmission is initiated solely by your explicit action.

Groq's handling of that data is governed by Groq's Privacy Policy. CobraSEC has no access to this data.

4. Data We Do Not Collect

CobraSEC does not operate any server that receives data from TRACE. We do not collect:

Any browsing history or traffic data
Telemetry, analytics, or crash reports
Your Groq API key (stored locally in chrome.storage.sync, never transmitted to us)
Any personal data of any kind

5. Permissions Explained

<all_urls> host permission — Required to observe network requests on any website you choose to analyse. TRACE cannot function as a traffic inspector without access to the URLs you visit. You remain in full control — you can pause capture at any time using the ⏸ button.
webRequest — Required to observe network request metadata (URL, method, status code) as a fallback for requests not captured by the content script.
scripting and activeTab — Required to inject the traffic capture script into the current page so that fetch and XHR request bodies can be observed.
storage — Used to store your Groq API key locally in chrome.storage.sync and to persist session traffic in chrome.storage.session.

6. Security of Your Data

Your Groq API key is stored using Chrome's built-in chrome.storage.sync, which is encrypted at rest by Chrome. Traffic data is stored in chrome.storage.session and is never written to disk beyond what Chrome manages. TRACE does not use any remote database or logging service.

7. Children's Privacy

TRACE is a professional security tool intended for adults. We do not knowingly collect any data from children under 13.

8. Changes to This Policy

We may update this policy to reflect changes in the extension's functionality. Material changes will be noted in the extension's update changelog. Continued use of TRACE after an update constitutes acceptance of the revised policy.

9. Contact

Questions about this privacy policy: support@cobrasec.online