Anonymous,
nothing more.

Both the Iframe Detector extension and the marketing website you're on now send anonymous, aggregate feature-usage events— things like “popup opened”, “export clicked”, or “FAQ expanded”. We do not send URLs, page content, iframe contents, or anything that could identify you. This page explains, in plain language, exactly what each side tracks and what neither of them ever touches.

Effective:1 April 2026Version:1.0.0Maintainer:Iframe Detector team

The short version

Reads the active tab's DOM, locally.

Only when you click the toolbar icon.

Stores your preferences in Chrome sync.

Theme, filters, export defaults — that's it.

Extension: anonymous feature-usage events.

Counts like 'popup opened' or 'export clicked' — no URLs, no iframe contents, no PII.

Website: anonymous, opt-in GA4.

Cookieless by default; accept to enable cookies. No PII, no sale.

No reading of page content, frame bodies, cookies, or forms.

We never touch what's inside the iframes or the rest of the page.

No third-party SDKs besides GA4.

No ads, trackers, affiliate links.

No account. Ever.

There's nothing to sign up for.

What the extension reads

When you click the Iframe Detector toolbar icon, the extension reads the DOM of the currently active tab for <iframe> elements. For each frame, it reads: the srcattribute, computed size, visibility, and the frame's origin relative to the parent page. That information is held in memory and shown in the popup.

The extension does not read the contents of the frames themselves, cookies, local storage, form data, or anything outside <iframe> elements.

What the extension stores

Only preferences. Specifically:

UI state: last-used filter (all / visible / hidden), selected export format, theme.
Highlight settings: whether to show the in-page outline by default, and the outline color.

These are saved in chrome.storage.sync. If you are signed into Chrome, they sync across your Chrome profile — this is handled by Chrome, not by us, and we never see the data.

What the extension sends

The extension fires anonymous, aggregate feature-usage events via Google Analytics 4. These are counters — not logs — and answer questions like: how often is the popup opened, which filter is used most (all / visible / hidden), which export format gets picked, and whether users open the in-page highlight toggle.

Every event carries only the action name (e.g. popup_opened, export_clicked) and a small set of non-identifying parameters (e.g. the export format chosen). Events are subject to Consent Mode v2 — in aggregate / cookieless mode by default on the website, and aggregate-only for extension events.

What is never sent: page URLs, iframe src values, iframe contents, page content, cookies, forms, passwords, tokens, or anything tied to a specific site you visit.

What the extension does NOT do

No reading of page content, forms, passwords, cookies, tokens, or storage.
No tracking of which websites or URLs you visit — events carry no site identity at all.
No crash reporter, heatmap, or session replay.
No sale or sharing of data — the events are aggregate-only.

Chrome permissions we request

activeTab

Lets the extension run only on the tab you explicitly click from. We do not have background access to your other tabs.

storage

Saves your UI preferences (theme, filters) in chrome.storage.sync. Nothing else is written here.

host_permissions: <all_urls>

Required so the extension can read <iframe> elements on any page you explicitly open it on — iframe detection has to work equally on any site. The extension only runs when you click the toolbar icon; it does not monitor your browsing in the background, does not track which sites you visit, and sends no network requests beyond anonymous feature-usage events (see “What the extension sends” below).

Exports

When you use JSON / CSV / Markdown export, the file is generated in the browser and downloaded directly by Chrome. It is never uploaded anywhere. You choose where the file goes.

Third parties

Extension: Google Analytics 4 — used only for the anonymous feature-usage events described above. No other third-party SDKs or runtime dependencies; all shipped code is audited and pinned.

This website: loads Google Fonts for typography and uses Google Analytics 4 to understand which parts of the page people find useful (aggregate clicks, sections reached, FAQ questions opened). Neither the extension nor the website fingerprints you, sells your data, or cross-references with any other service. If you block analytics scripts, everything works identically.

Cookies & consent

We use Google Consent Mode v2 with default denied. On your first visit analytics cookies are not set and Google Analytics runs in a cookieless, aggregate-only mode. A small banner asks whether you want to opt in to standard analytics; your choice is stored locally in your browser via localStorage (not a cookie) and applies to subsequent visits.

You can change your mind at any time via the Cookie settings link in the footer — it re-opens the banner. Cookies we use only after you accept:

_ga — Google Analytics client identifier, 2-year expiry.
_ga_J2L7C1PNSV — session tracker for this property, 2-year expiry.

We do not use advertising cookies (ad_storage, ad_user_data, ad_personalization), personalization cookies, or any third-party cookies beyond Google Analytics.

Children's privacy

The extension does not collect any personal information, from anyone, at any age. There is nothing to say here beyond “we don't know, and don't want to know, who you are.”

Changes to this policy

If we ever change the extension in a way that touches privacy — for instance, if we ever added an opt-in sync feature — this page would be updated before the feature ships, and the version number at the top would bump. The repository's commit history is the source of truth.

Contact

Questions, audits, responsible-disclosure? Open an issue on the project's GitHub repository, or email lewawebextensions@gmail.com. We try to reply within two business days.