// legal · browser extension
WhatSite — Privacy Policy
Last updated: 23 May 2026
The short version
WhatSite shows you the cookies, external connections, and threat scores for the page you are currently on, and can block domains flagged as malicious. It does not store your browsing data, does not send it to the developer, and has no analytics, advertising, or accounts. The only information ever sent off your device is the bare domain name of external servers a page contacts — sent to public geolocation and threat-intelligence APIs so WhatSite can tell you where those servers are and whether they are risky.
About This Policy
This privacy policy covers the WhatSite browser extension for Google Chrome and Microsoft Edge. WhatSite is developed and maintained by Tom Clark.
It applies to the extension only. The cloudsecurity.global website has its own separate privacy policy, available at cloudsecurity.global/privacy.
For any privacy-related enquiries about WhatSite, contact: tom@cloudsecurity.global
Single Purpose
WhatSite exists for one purpose: to give you real-time, per-tab visibility into — and control over — the first-party cookies, third-party cookies, and external network connections of the web page you are viewing. It displays cookie counts, lists each external connection with IP geolocation and a threat score, and can block domains that threat-intelligence sources flag as malicious. Every permission it requests and every piece of data it processes serves only that purpose.
What WhatSite Accesses
3.1 — Cookies
WhatSite reads the name and domain of cookies associated with the page you are viewing, in order to classify each cookie as first-party or third-party and count them.
WhatSite does not read, display, store, or transmit the values of any cookie.
3.2 — Network Connections
WhatSite observes the network requests a page makes — passively, via the browser's webRequest API — so it can list the external domains that page contacts and how many requests went to each. It records only the destination domain name and a request count.
It does not read the contents, headers, or responses of any request.
3.3 — Page Navigation
WhatSite detects top-level page navigations so it knows which page a tab is on and can reset its per-tab data each time you navigate. It identifies tabs only by their internal browser tab ID for the current session.
All of the above is processed on your device, in memory, per tab, in real time, and is discarded when you navigate away or close the tab. It is never written to disk and never sent to the developer — the only data that leaves your browser is described in Section 4.
What Leaves Your Browser — Domain Lookups
To enrich each external domain with geolocation and threat information, WhatSite sends a single piece of data — either the domain name alone (for example, cdn.example.com) or the server IP address the connection already went to — over HTTPS to the following third-party services:
| Service | Purpose | Provider policy |
|---|---|---|
api.ipquery.io | Geolocation of a server IP address (country, city, hosting provider) | ipquery.io |
urlhaus-api.abuse.ch | Malware-reputation lookup (only if you add an optional Auth-Key) | abuse.ch |
security.cloudflare-dns.com | DNS-over-HTTPS, malware-filtering resolver | Cloudflare |
dns.google | DNS-over-HTTPS, plain resolver (used for comparison) |
What IS sent
Only a bare external domain name, or the IP address of a server the page already connected to. Each unique domain is queried at most once per browsing session, and the result is cached in memory only.
What is NEVER sent
Full URLs, page content, form data, cookie names or values, the list of pages you visit, or any account, name, or identifier belonging to you.
These are functional API lookups made directly from your browser. The developer does not receive copies of them and operates no intermediary server. As with any HTTPS request your browser makes, each service necessarily receives your device's public IP address as the source of the request.
URLhaus (abuse.ch) is an optional upgrade. WhatSite works fully without it, scoring domains with the keyless DNS checks. If you choose to obtain a free abuse.ch Auth-Key yourself and enter it on the extension's Settings page, that key is sent to urlhaus-api.abuse.ch only, to authenticate those lookups exactly as abuse.ch requires. The key is personal to you and is never shared with the developer.
What WhatSite Stores
WhatSite persists only a few small, non-personal items, all in local browser storage on your device — never on a remote server:
Your optional abuse.ch Auth-Key, if you choose to enter one on the Settings page. It is held in the browser's native extension storage, scoped to this browser profile — it does not sync to other browsers, profiles, or devices. You can clear it at any time.
The Hover Inspector on/off preference.
When WhatSite auto-blocks a high-risk domain, or you grant a temporary "allow" exception, the browser stores the corresponding rule — a domain name and, for timed allows, an expiry timestamp — in its own declarativeNetRequest and alarms stores. These contain no browsing history and are removed automatically when the rule is lifted or expires.
No browsing history, no analytics, and no personal data are ever stored. The per-tab cookie and connection data WhatSite works with is held in memory only and is erased when you navigate away or close the tab.
What WhatSite Does Not Do
Permissions Explained
WhatSite requests the minimum browser permissions required for its single purpose:
| Permission | Why it's needed |
|---|---|
cookies | To read cookie names and domains for the current page and classify them as first-party or third-party. |
webRequest | To passively observe — without modifying — which external domains a page connects to, and count requests to each. |
declarativeNetRequestWithHostAccess | To block requests to domains that threat-intelligence sources flag as malicious, and to apply your time-limited per-site "allow" exceptions. |
webNavigation | To detect page loads so per-tab data is reset cleanly each time you navigate. |
alarms | To schedule the automatic expiry of a temporary "allow" exception, so a released domain is re-blocked when your chosen time window ends. |
storage | To store two non-personal preferences on your device: your optional abuse.ch Auth-Key and the Hover Inspector setting. |
<all_urls> | Cookies and external connections can occur on any website, and block / allow rules apply across all sites, so WhatSite must be able to observe and act on whichever page you inspect. It does not single out specific sites. |
Data Sharing & Compliance
WhatSite does not sell user data and does not transfer user data to third parties. The only outbound transmissions are the domain-name lookups described in Section 4, which are functional API calls necessary to deliver the extension's stated features.
WhatSite's handling of data is consistent with the Chrome Web Store and Microsoft Edge Add-ons developer program policies: the data it accesses is used solely for the single purpose described in Section 2. The developer does not sell or transfer user data outside approved use cases, does not use it for purposes unrelated to that single purpose, and does not use it to determine creditworthiness or for lending.
Children's Privacy
WhatSite is a general-purpose security tool and is not directed at children under the age of 16. It collects no personal data from any user, including children.
Changes to This Policy
This privacy policy may be updated from time to time — for example, if the extension's functionality changes. The "Last updated" date at the top of this page will reflect any change. Material changes will also be reflected in the extension's store listing.
Contact
For any questions about this policy or about how WhatSite handles data, contact: tom@cloudsecurity.global
This page is the official privacy policy for the WhatSite browser extension and may be referenced directly from its Chrome Web Store and Microsoft Edge Add-ons listings.