Bastion — Privacy Policy

Last updated: March 29, 2026

Summary: Bastion processes data locally in your browser only. We do not collect, store, or transmit your personal data to any servers we control.

1. What Bastion Does

Bastion is a browser security extension that protects you from phishing, trackers, fingerprinting, data exfiltration, and other threats. All analysis happens locally on your device.

2. Data We Process Locally

3. Third-Party API: HaveIBeenPwned (Passwords)

When you manually trigger the breach check feature, Bastion may contact api.pwnedpasswords.com (operated by Troy Hunt) to check if passwords found in your browser storage have been exposed in known data breaches.

This check uses k-anonymity: only the first 5 characters of a SHA-1 hash of the password are sent — the full password or hash never leaves your device. This is the same technique used by browsers like Chrome and Firefox.

See HaveIBeenPwned's privacy policy at haveibeenpwned.com/Privacy.
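
The range lookup described in this section, as an added illustration (this is not Bastion's code): it shows which part of the SHA-1 hash goes into the request and how the match is done on the device. The function names and the sample response body are constructed for this example, and Node's crypto module stands in for the browser's hashing API so that it runs offline.

```javascript
// Added illustration, not Bastion's code. Node's crypto is used so this runs
// offline; in a browser, crypto.subtle.digest("SHA-1", ...) gives the same hash.
const { createHash } = require("node:crypto");

// Split the SHA-1 of a password: `prefix` is sent, `suffix` stays on the device.
function splitHash(password) {
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// URL of the range query. Only the 5-character prefix appears in it.
function rangeUrl(prefix) {
  if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error("prefix must be 5 hex characters");
  return `https://api.pwnedpasswords.com/range/${prefix}`;
}

// Search the response body ("SUFFIX:COUNT" per line) for our suffix, locally.
// Returns the breach count, or 0 if the suffix is absent or is a padding entry (count 0).
function breachCount(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix.toUpperCase()) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Constructed response body for prefix 5BAA6; the counts are made up.
const SAMPLE_BODY = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42", // suffix of SHA-1("password")
  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",  // padding entry, never a real hit
].join("\r\n");

const { prefix, suffix } = splitHash("password");
console.log(rangeUrl(prefix), "->", breachCount(suffix, SAMPLE_BODY));
```

The server sees only the prefix, which many different passwords share, so the response alone does not reveal which suffix the client was looking for.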

4. Permissions Explained

5. Data Sharing

Bastion does not share any data with third parties, does not send telemetry, analytics, or usage data to any server, and does not monetize user data in any form.

6. Data Retention

All data (scan history, settings, shield events) is stored locally using Chrome's chrome.storage.local and chrome.storage.session APIs. You can clear it at any time by removing the extension or using Chrome's "Clear browsing data" feature.

7. Children's Privacy

Bastion does not knowingly collect any data from children under 13.

8. Changes to This Policy

If we make material changes to this policy, we will update the "Last updated" date above. Continued use of the extension after changes constitutes acceptance.

9. Contact

Questions about this privacy policy? Contact us via the Chrome Web Store developer contact page.