Privacy Policy
Last updated: March 24, 2026
What Cawght Does
Cawght is a browser extension (Chrome and Firefox) that analyzes web applications you are testing, generates adversarial test scenarios using AI, executes those tests, and reports findings about business logic vulnerabilities.
Data We Collect
- Account information: Email address and a hashed password when you create an account. We never store plaintext passwords.
- Application data: Information about your web application's behavior, collected only when you explicitly initiate a scan. This data is sent to our server for analysis.
- Scan results: AI-generated test scenarios, execution results, and findings are stored on our server and associated with your account.
Data We Do NOT Collect
- We do not collect browsing history, keystrokes, or personal files.
- We do not collect application data unless you explicitly initiate a scan in the extension.
- We do not sell, share, or transfer your data to third parties for advertising.
- We do not store your Gemini API key on our servers — it is kept in your browser's local storage and sent per-request.
Third-Party Services
Cawght uses the Google Gemini API to analyze your application and generate test scenarios. When a scan runs, application data is sent to Google's Gemini API using your own API key. Google's API terms of service apply to that processing.
Data Storage & Security
- Account data and scan results are stored in a PostgreSQL database.
- Passwords are hashed with bcrypt before storage.
- Authentication uses JWT tokens with 30-day expiry.
- All API communication uses HTTPS in production.
- All database queries are scoped to the authenticated user — you cannot access another user's data.
Data Retention
Your account and scan data are retained as long as your account exists. We use soft-delete — records are marked as deleted but retained for recovery purposes. You can request full deletion of your account and associated data by contacting us.
Your Rights
- You can delete your local data from the extension Settings page at any time.
- You can request export or deletion of your server-side data.
- You can revoke the extension's access by uninstalling it from Chrome.
Contact
For privacy questions or data requests, open an issue on our GitHub repository or email the maintainer.
