Cody Privacy Policy
Last updated: April 8, 2026
What Cody does
Cody is a Chrome extension that detects and blocks browser-based scam attacks. It catches threats across 13 attack vectors: screen hijacks (fullscreen, pointer lock, keyboard lock), dialog spam, exit prevention traps, history spam, popup storms, phishing link detection, scam phone number detection, remote-access tool detection, suspicious download scanning, screen-share interception, and clipboard hijacking.
Data we collect
By default, none. All scam detection happens locally in your browser. No data leaves your device unless you sign in and join a team.
- No browsing history is collected or sent anywhere.
- No analytics, telemetry, or tracking of any kind.
- No page content is read or stored — Cody only monitors for scam behavior patterns.
Signing in (opt-in)
If you sign in with Google (via the Chrome extension or the website), the following data is sent to our server:
- Email address — Your Google account email, used as your identity.
- Display name — Your Google account name (you can change this).
- Profile photo URL — Your Google account photo URL (not the image itself).
- Google account ID — An opaque identifier from Google, stored to link your sessions.
This data is stored in our users table so your profile persists across sessions.
Team Sharing (opt-in)
If you create or join a team, the following additional data is stored on our server:
- Team membership — Your email, name, photo, and role (admin or member) within the team.
- Block count — The total number of scams Cody has blocked on your browser.
- Last seen — A timestamp updated each time your extension syncs with the server.
- Block events — For each blocked scam: the severity level, the type of attack (e.g. "combo-lock", "phishing-link"), the website's domain (eTLD+1 only, not the full URL or path), and a timestamp. Your email is attached to each event so team members can see whose browser encountered the threat.
- Invite records — When you invite someone, we store their email, your email, and whether the invite was accepted.
What is never sent, even with Team Sharing enabled:
- Full URLs or page paths — only the registrable domain (eTLD+1, e.g. "example.com", never "example.com/private/page")
- Page content, text, or screenshots
- Browsing history or non-blocked site visits
Who can see your data: All team members can see every other member's name, photo, block count, last-seen time, and block events. Team admins can remove members.
You can leave your team at any time from the dashboard. Leaving removes your membership record and stops all data sharing immediately. Your events remain in the team log.
Data stored locally
Cody stores the following data in your browser's local storage (chrome.storage.local). This data never leaves your device:
- Block event log — A log of blocked scam attempts (up to 100 entries), including the website hostname, which attack was blocked, and when. You can clear this at any time from the popup.
- Allowlist — Domains you've chosen to exempt from blocking. Empty by default.
- Enabled state — Whether blocking is turned on or off.
- Team ID — Your team's identifier, used to sync block events to the team dashboard.
- Auth token — A Google OAuth access token, stored locally to authenticate API requests.
- User profile — Your name, email, and photo URL, cached locally for display in the popup.
Permissions
- Host permissions (all URLs) — Required to inject the detection script on every page, since scam pages can be on any domain. Cody patches browser APIs before page scripts run and scans links for phishing signals.
- Identity — Used for Google Sign-In via the Chrome identity API (only when you choose to sign in).
- Notifications — Used to alert you when a scam attempt is blocked.
- Storage — Used to store the block log, allowlist, and enabled state locally.
Third-party services
Cody does not include any third-party analytics, tracking SDKs, or ads. When you use optional features, the following services are involved:
- Google OAuth — Used for sign-in (only if you choose to sign in).
- Supabase — Auth and Postgres database for sign-in sessions and team data.
- Vercel — Hosts the website and serverless API functions.
- Stripe — Processes payments for the Team plan (only if you subscribe).
Open source
Cody is open source. You can review the full source code at github.com/robbalian/scamblock.
Changes to this policy
If we change this policy, we'll update the date above. Material changes will be noted in the extension's changelog.
Contact
Questions? Open an issue on GitHub.