Privacy Policy - Account Manager
This policy explains what data the Account Manager Chrome extension and its companion backend at sharemyaccount.com collect, why, where it is stored, and your choices. The extension exists for a single purpose: to let you save and switch between multiple sets of website login state, including cookies and any allowlisted localStorage keys, on the same browser, and optionally share those sets with other people you choose.
We do not run analytics, advertising, telemetry, session replay, or tracking SDKs in the extension. We do not sell, rent, or trade user data.
1. Data we collect
We collect only the data the product needs to function.
1.1 Cloud account data
| Field | When collected | Purpose |
|---|---|---|
| Email address | Sign-up or sign-in | Account identifier and login. |
| Password hash | Email/password sign-up | Local-credential login. The plaintext password is never stored. |
| Google account ID | Google sign-in | Stable identifier returned by Google OAuth. |
| Google email and email verification status | Google sign-in | Account creation, account linking, and verification that Google confirmed the email address. |
1.2 Profile data
When you click Save profile for a website, the extension reads the cookies of the current tab and packages them into a profile with the origin URL and a label you choose. The extension does not save localStorage by default. localStorage is saved only for domains where you have configured a per-site allowlist, and only the allowlisted keys are included.
Local profiles are stored only in chrome.storage.local on your device and are not sent to our servers. They are stored on your device in the browser's extension storage, including saved cookies and any allowlisted localStorage values.
Cloud profiles are uploaded to sharemyaccount.com only after the extension encrypts the profile payload in your browser. Each cloud profile gets a random data-encryption key (DEK). The extension encrypts {cookies, localStorage} with AES-256-GCM, then wraps the DEK with the owner's public key. The server stores only the encrypted payload and wrapped DEK. The server cannot decrypt cloud profile cookies or localStorage. When you share a cloud profile, your extension re-wraps the DEK for the recipient's public key so the recipient's extension can decrypt it.
For cloud profiles, the server also stores non-secret metadata needed to show and manage profiles, including profile name, color, domain, origin, timestamps, sharing records, access-rule bindings, and latest probe status.
1.3 Master password and encryption keys
To use cloud profiles, you set a master password in the extension. The master password is used locally in your browser to unlock your private key. It is not sent to our servers.
The extension generates an E2EE keypair. The public key is stored on our backend so other users can share encrypted profiles with you. The private key is encrypted with a key derived from your master password and stored on our backend as an encrypted envelope. For convenience, the extension may also cache your master password locally in chrome.storage.local so it can unlock cloud profiles without asking every time. That local cache is cleared when you sign out, switch accounts, or when the extension detects an invalid cached password.
1.4 Proxy configuration
If you attach a proxy to a profile, the proxy host, port, scheme, and optional username/password are stored with the profile. For cloud proxies, proxy passwords are encrypted at rest on the server with AES-256-GCM and are only returned over the encrypted reveal channel when the extension needs to provide proxy authentication. For local proxies, proxy settings, including optional proxy passwords, are stored locally in chrome.storage.local on your device.
1.5 Probe templates and results
You may configure liveness probes so the extension can test whether a saved login is still valid when you run a probe or after profile switching. We store the probe template and the latest probe status, HTTP code, message, and timestamp.
1.6 Sharing and access-rule metadata
If you share a profile with another user, we store the grant relationship and any access rules you attach, such as allowed time windows or blocked IP ranges. These rules are delivered to the recipient's browser and enforced locally.
1.7 Authentication cookie
After login, the backend sets an auth_token HttpOnly cookie scoped to sharemyaccount.com. The extension calls our API with credentials included so that the cookie is sent with each request.
2. What we do not collect
- We do not read your browsing history.
- We do not log the URLs of tabs you visit. The extension reads the active tab origin only when you explicitly invoke a profile save or switch action.
- We do not collect form input, keystrokes, mouse activity, screenshots, biometric data, health data, or financial data.
- We do not embed third-party analytics, ad networks, or session replay.
3. How data is used
Collected data is used only to authenticate you, keep you signed in, persist and retrieve your saved profiles, decrypt profile contents in the extension, deliver profiles you have explicitly shared, enforce access rules, and run liveness probes you have configured.
4. Subprocessors
The backend is hosted on Vercel and uses a Postgres database. Vercel and the database provider process your data on our behalf solely to operate the service. Google processes your Google sign-in flow if you choose Continue with Google. No other third party receives your data except where strictly required to operate the service.
5. Data retention and deletion
Local profiles, local proxy configs, local storage-policy settings, and any locally cached master password live on your device and are deleted when you delete them from the extension, sign out where applicable, or remove the extension. Cloud profiles, cloud proxy configs, E2EE public keys and encrypted private key envelopes, probe templates, access rules, share records, and account records live on our backend until you delete them. Deleting your account cascades to all profiles, shares, grants, proxies, probes, access rules, and key material associated with the account. To request account deletion, email labuladong@gmail.com from the address registered on the account. We will confirm deletion within 30 days.
6. Security
- All transport is over HTTPS.
- Cloud profile cookies and allowlisted localStorage entries are encrypted end-to-end in the extension before upload. The backend stores encrypted profile payloads and wrapped DEKs and cannot decrypt cloud profile contents.
- Cloud proxy passwords are encrypted with AES-256-GCM at rest.
- Sensitive proxy-password responses are encrypted for client-side decryption by the extension.
- Authentication tokens are HttpOnly cookies with Secure and SameSite=None flags.
- Email/password login passwords are stored only as bcrypt hashes.
7. Chrome Web Store Limited Use
The extension's use and transfer of data received from Chrome extension APIs complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. We use Chrome API data only to provide the extension's single purpose: saving, switching, syncing, sharing, and applying account profiles that you choose. We do not use this data for advertising, analytics, credit eligibility, or unrelated purposes, and we do not sell it.
8. Children
The service is not directed to children under 13, or under 16 in the EEA, and we do not knowingly collect their data.
9. Changes to this policy
We will post any changes to this URL and update the effective date above. Material changes will additionally be communicated by email to active account holders.
10. Contact
Questions, deletion requests, and data-subject requests can be sent to labuladong@gmail.com.