Privacy policy for The Impulse Judge: Roast Your Cart
The Impulse Judge: Roast Your Cart by TheImpulseJudge
Full Legal Privacy Policy: https://www.theimpulsejudge.com/privacy.html
Full Legal Terms of Use: https://www.theimpulsejudge.com/terms.html
1. Introduction
The Impulse Judge ("we," "our," or "the extension") is a browser extension designed to help users resist impulse purchases through humor and gamification. We are committed to protecting your privacy and being transparent about our practices.
This Privacy Policy explains what information (if any) we collect, how we use it, and your rights regarding your data.
2. Information the Extension Collects
Short answer: None. Zero. Zilch. Nada.
The Impulse Judge browser extension does not collect, transmit, or store any personal information on external servers. We have no database of your purchases. We have no tracking pixels embedded in the extension. We literally cannot see anything you do while using the extension.
The extension code is open source - you can verify this yourself. If we ever tried to sneak in tracking, someone would catch us faster than The Judge catches you at checkout.
3. Data Stored Locally on Your Device
The extension stores the following data locally in your browser using Chrome's storage API:
Usage Statistics: Number of items resisted, items bought anyway, estimated money saved, current streak
Achievement Progress: Which badges you've unlocked
Activity History: A log of your resist/buy decisions (stored locally only)
Preferences: Your settings like sound on/off, roast intensity, budget amounts
Blacklisted Sites: Websites where you've chosen to disable the extension
This data never leaves your device. It is not transmitted to us or any third party. You can delete all this data at any time using the "Reset Stats" button in the extension popup, or by uninstalling the extension.
4. Data Controller & Contact Information
Data Controller: The Impulse Judge Project
Contact: support@theimpulsejudge.com
Location: Ontario, Canada
For GDPR/CCPA purposes, we are the data controller for any personal information collected (limited to newsletter email addresses). We do not currently have a designated Data Protection Officer (DPO) as we are a small volunteer project processing minimal personal data.
Security Practices
We implement the following security measures:
Extension: All data stored locally using browser storage APIs. Note that chrome.storage is not encrypted by the browser: the data sits inside your browser profile on disk and is protected only by your operating system's user-account permissions and whatever disk encryption you use. No transmission to external servers.
Newsletter: Email addresses managed by Brevo, a GDPR-compliant service with industry-standard encryption (TLS/SSL), access controls, and regular security audits.
Website: Hosted on Vercel with HTTPS encryption, DDoS protection, and automated security scanning.
No Database: We maintain no centralized database of user information.
Security Framework & Standards
While we are not currently ISO 27001 certified (a formal certification requiring paid audits), we implement security controls aligned with industry best practices:
Access Control: Principle of least privilege - only project maintainers have repository write access
Code Review: All changes require pull request approval before merging to production
Dependency Management: Zero external npm dependencies, which reduces the supply chain attack surface
Vulnerability Scanning: GitHub Dependabot alerts enabled for any future dependencies
Secure Communications: All external communications use TLS 1.2+ encryption
Data Minimization: We collect only essential data (email addresses for newsletters only)
Third-Party Audits: Brevo (newsletter provider) undergoes regular SOC 2 Type II audits
Incident Response Plan
In the event of a security incident or data breach, we will follow this response protocol:
Phase 1 - Detection & Assessment (0-24 hours):
Identify the nature and scope of the incident
Determine what data (if any) was affected
Contain the incident to prevent further unauthorized access
Document all findings and actions taken
Phase 2 - Containment & Eradication (24-72 hours):
Isolate affected systems or revoke compromised credentials
Remove malicious code or unauthorized access
Implement patches or configuration changes to prevent recurrence
Notify relevant service providers (GitHub, Vercel, Brevo) if their systems are involved
Phase 3 - Notification & Disclosure (Within 72 hours of discovery):
GDPR Compliance: If the breach involves EU residents' data, we will notify the relevant supervisory authority within 72 hours
User Notification: If the breach poses a high risk to users' rights and freedoms, we will notify affected users without undue delay via email and website banner
Transparency: We will disclose the nature of the breach, data affected, steps taken, and mitigation recommendations on our website and GitHub
Regulatory Reporting: Comply with breach notification requirements under GDPR, PIPEDA (Canada), CCPA (California), and other applicable laws
Phase 4 - Recovery & Post-Incident (Ongoing):
Restore normal operations and monitor for residual issues
Conduct post-mortem analysis to identify root cause
Update security controls to prevent similar incidents
Document lessons learned and update this incident response plan
Breach Notification Contact: If you discover or suspect a security vulnerability or data breach, immediately email security@theimpulsejudge.com (or support@theimpulsejudge.com with subject "SECURITY INCIDENT").
Current Risk Assessment: Given our architecture (local-only data storage, zero backend, minimal PII collection), the most likely security scenarios are:
Brevo (newsletter provider) breach affecting email addresses - Low risk (Brevo has enterprise-grade security)
Malicious browser extension impersonating our extension - Medium risk (mitigated by monitoring extension stores for look-alike listings)
GitHub repository compromise - Low risk (2FA required, limited write access)
User device compromise exposing local stats - Out of scope (local data only, no PII)
However, no method of transmission or storage is 100% secure. Use the extension at your own risk.
5. Website Access
The extension requires broad website permissions to function on all shopping sites. Here's exactly what we do with this access:
What we DO: Scan the page for checkout/buy buttons to know when to show the intervention modal
What we DON'T do: Read your personal information, access your passwords, track your browsing history, collect product data, or monitor your purchases
We only look for button elements with text like "Buy Now," "Add to Cart," "Checkout," etc. That's it.
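The check described above, as an added example (not the extension's own code): a content script can decide whether an element is a purchase control using only its tag, role and visible label. Nothing else on the page is read, and the label of a text or password input is never touched because the element is rejected before its value is looked at. In the extension this would run over document.querySelectorAll('button, a, input, [role=button]'); here the elements are constructed plain objects with the same property names (real nodes expose role via el.getAttribute('role') where el.role is unavailable), so the file runs in Node. The phrase lists are assumptions for illustration.

```javascript
// Added example, not the extension's own code. Decides whether an element is a
// purchase control from its tag, role and visible label only. Phrase lists are
// assumptions for illustration.

const PURCHASE_PATTERNS = [
  /\bbuy\s*now\b/i,
  /\badd\s+to\s+(cart|bag|basket)\b/i,
  /\bcheck\s*out\b/i,
  /\bplace\s+(your\s+)?order\b/i,
  /\bproceed\s+to\s+(checkout|payment)\b/i,
];

// Looks purchase-related but is not a purchase action; checked first.
const EXCLUDE_PATTERNS = [/\bremove\b/i, /\bcancel\b/i, /\bwish\s*list\b/i, /\bsave\s+for\s+later\b/i];

// Collapse whitespace and cap the length so a huge label cannot slow the regexes.
function normalizeLabel(text) {
  return (text || '').replace(/\s+/g, ' ').trim().slice(0, 80);
}

function actsLikeButton(el) {
  const tag = (el.tagName || '').toUpperCase();
  if (tag === 'BUTTON' || tag === 'A') return true;
  if (tag === 'INPUT') return /^(submit|button)$/i.test(el.type || '');
  return el.role === 'button';
}

// Called only after the element is known to be button-like, so the value of a
// text or password input is never read.
function elementLabel(el) {
  const tag = (el.tagName || '').toUpperCase();
  return normalizeLabel(tag === 'INPUT' ? el.value : (el.textContent || el.ariaLabel));
}

function isPurchaseControl(el) {
  if (!actsLikeButton(el)) return false;
  const label = elementLabel(el);
  if (!label || EXCLUDE_PATTERNS.some((p) => p.test(label))) return false;
  return PURCHASE_PATTERNS.some((p) => p.test(label));
}

// Returns the labels of the purchase controls found; that is all the extension
// needs in order to know when to show the intervention.
function findPurchaseControls(elements) {
  return elements.filter(isPurchaseControl).map(elementLabel);
}

// Constructed sample page: plain objects standing in for DOM nodes.
const SAMPLE_ELEMENTS = [
  { tagName: 'BUTTON', textContent: '  Add to\n  Cart ' },
  { tagName: 'BUTTON', textContent: 'Remove from cart' },
  { tagName: 'A', textContent: 'Proceed to checkout' },
  { tagName: 'INPUT', type: 'submit', value: 'Buy Now' },
  { tagName: 'INPUT', type: 'password', value: 'hunter2' },   // rejected before value is read
  { tagName: 'DIV', role: 'button', textContent: 'Place your order' },
  { tagName: 'SPAN', textContent: 'Buy Now' },                 // plain text, not a control
  { tagName: 'A', textContent: 'Save for later' },
];

console.log(findPurchaseControls(SAMPLE_ELEMENTS));
// ["Add to Cart", "Proceed to checkout", "Buy Now", "Place your order"]
```

The order of the checks is the privacy-relevant part: tag and type are examined first, the label is read only for button-like elements, and the returned value is the normalized label rather than a reference to the node, so nothing else from the page flows into the rest of the extension.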
Server Logs & Website Access Logs
Important Technical Note: While the browser extension does not transmit any usage data, our website (theimpulsejudge.com) is hosted on Vercel, which may automatically generate standard server access logs as part of hosting infrastructure. These logs may temporarily contain:
IP addresses (anonymized/hashed by Vercel)
Timestamps of website visits
HTTP request information (pages accessed, user agent strings)
Referrer information (where you came from)
We do NOT actively collect, store, or analyze these server logs. They are managed by Vercel for infrastructure purposes (security, DDoS protection, performance monitoring) and are subject to Vercel's data retention policies. See Vercel's Privacy Policy for details.
Reaffirming Our Promise: The browser extension itself collects ZERO data and never transmits usage information to any server. The server log note applies only to website visitors, not extension users.
6. Newsletter & Email Collection
If you subscribe to The Impulse Judge newsletter, we collect:
Email Address: Required to send you the newsletter (obviously)
How we use your email:
Send newsletters with tips, updates, and humor about resisting impulse purchases
Notify you about major updates to The Impulse Judge
Potentially share curated money-saving recommendations (see our Affiliate Oath)
Email processing: Our newsletter is managed by Brevo (formerly Sendinblue), a GDPR-compliant email service provider based in the EU. Your email is stored securely on their servers and is subject to their Privacy Policy.
Your rights: You can unsubscribe from our newsletter at any time by clicking the unsubscribe link in any email. Upon unsubscribing, your email will be removed from our mailing list.
We will never sell, rent, or share your email address with third parties for marketing purposes. The Judge may be judgmental, but never sneaky.
Website Analytics (Vercel Analytics)
The Impulse Judge website (theimpulsejudge.com) uses Vercel Analytics, a privacy-friendly, cookieless analytics service. This applies only to the website, NOT the browser extension.
What Vercel Analytics Collects:
Page views & events: Which pages are visited and basic interactions
Referrer: Where you came from (Google, Twitter, etc.)
Device info: Browser type, operating system, screen size (aggregated)
Geographic region: Country-level only, derived from IP address
Timestamps: When visits occur
What Vercel Analytics Does NOT Collect:
Your IP address is not stored; it is anonymized/hashed immediately
No cookies or persistent identifiers
No cross-site tracking
No personal information (name, email, etc.)
No fingerprinting techniques
How We Use This Data:
Understanding which pages are popular (so we can make more helpful content)
Seeing if our site loads properly on different devices
General traffic patterns (are people finding us through search? social media?)
We do NOT use this data for advertising, retargeting, or selling to third parties. The Judge doesn't do sneaky. We just want to know if anyone's actually reading the boring blog posts.
Legal Basis (GDPR folks, this one's for you):
We process this data under legitimate interest, specifically understanding basic website performance and content effectiveness. Because Vercel Analytics is cookieless and stores no persistent identifiers, it generally does not require consent under GDPR/ePrivacy rules. We nonetheless respect your right to opt out where technically feasible.
Data Retention:
Extension Local Storage Data: Retained indefinitely on your device until you manually reset stats or uninstall the extension. We have no access to this data and cannot delete it for you.
Newsletter Email Addresses (Brevo): Retained until you unsubscribe or request deletion. Automatically purged 30 days after unsubscribe.
Vercel Analytics (website only): Aggregated analytics data retained according to Vercel's Privacy Policy. No raw IP addresses or personal identifiers are stored.
Data Location:
Vercel is a U.S.-based company. Analytics data may be processed on servers in the United States and other locations. For details on their data handling and any applicable data transfer mechanisms, see Vercel's Privacy Policy.
To be crystal clear: The browser extension has NO analytics whatsoever. Only the website uses Vercel Analytics, and even that is privacy-preserving and cookieless.
7. Third-Party Services
The extension contains a link to Buy Me a Coffee for optional donations. If you choose to click this link and make a donation, you will be subject to Buy Me a Coffee's privacy policy. We do not receive any personal information from Buy Me a Coffee, only that a donation was made.
The extension does not contain any analytics services, tracking pixels, or third-party scripts. It's just code that makes fun of your shopping habits, locally, on your device, in the privacy of your own shame.
8. Data Sharing
We do not sell, trade, rent, or otherwise share any user data with third parties. The extension doesn't collect data to share. The website's Vercel Analytics data is aggregated and anonymized - we couldn't sell your personal info even if we wanted to (we don't). Newsletter emails go through Brevo for delivery only.
9. Affiliate Links & Recommendations
In the future, we may include affiliate links in our newsletter or website - links where we earn a small commission if you make a purchase.
What this means for your privacy:
Clicking an affiliate link may use cookies on the partner's website to track the referral
We never receive your personal information or purchase details from affiliate partners
Any affiliate tracking is handled entirely by the third-party retailer, not by us
Our commitment: We've made a solemn oath to only affiliate with reputable companies that help you save money. Read our full Affiliate Oath in our Terms of Use.
10. Children's Privacy
The Impulse Judge is a general audience extension suitable for all ages. The extension collects no data from anyone: children, adults, or sentient shopping carts. The website's analytics are aggregated and contain no personal information about any individual user, regardless of age.
11. Data Security
Extension data: Stored locally on your device using your browser's built-in storage API. Security is handled by your browser and operating system. We recommend keeping your browser updated.
Website analytics: Handled securely by Vercel's infrastructure. We have no access to raw logs or IP addresses - only aggregated, anonymized metrics.
Newsletter: Managed by Brevo, a GDPR-compliant email provider with industry-standard security practices.
12. Your Rights
You have complete control over your data:
Extension Data - Access: View your stats anytime in the extension popup
Extension Data - Export: Use the Export button to download your data as JSON
Extension Data - Delete: Use "Reset Stats" or uninstall the extension to delete all data
Extension Data - Portability: Export your data and import it on another device
Newsletter - Unsubscribe: One-click unsubscribe in any email
Website Analytics - Opt Out: Since Vercel Analytics is cookieless, you can use browser privacy features or simply not visit the website (but we'd miss you)
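The local store, export and import described in section 3 and in the list above, as an added example that is not the extension's own code. The one point a practitioner would want shown is that an imported file (or the on-disk data itself, which any process running as the user can edit, since chrome.storage is not encrypted) is untrusted input and must be validated against a schema before it replaces the stored stats. The storage backend is injected: in the extension it would be chrome.storage.local (promise form, Manifest V3); here a constructed in-memory stand-in with the same get/set/remove shape is used so the file runs in Node. Key name, field names and limits are assumptions for illustration.

```javascript
// Added example, not the extension's own code: local-only stats store with
// validated JSON export/import. Key name, fields and limits are assumptions.

const STORAGE_KEY = 'impulseJudgeStats';  // assumed key name
const SCHEMA_VERSION = 1;
const MAX_HISTORY = 5000;                 // assumed cap on the decision log

const emptyStats = () => ({ version: SCHEMA_VERSION, resisted: 0, boughtAnyway: 0,
                            moneySaved: 0, streak: 0, history: [] });
const isCount = (n) => Number.isInteger(n) && n >= 0;
const isAmount = (n) => typeof n === 'number' && Number.isFinite(n) && n >= 0 && n < 1e9;

// Validates untrusted data (a user-chosen import file, or whatever is on disk)
// and returns a fresh object holding only known fields, or null. JSON.parse can
// yield own keys such as "__proto__"; the allow-list rejects any unexpected key
// and copying field by field keeps foreign properties out of the store.
function validateStats(raw) {
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) return null;
  const allowed = ['version', 'resisted', 'boughtAnyway', 'moneySaved', 'streak', 'history'];
  if (!Object.keys(raw).every((k) => allowed.includes(k))) return null;
  if (raw.version !== SCHEMA_VERSION) return null;
  if (![raw.resisted, raw.boughtAnyway, raw.streak].every(isCount)) return null;
  if (!isAmount(raw.moneySaved)) return null;
  if (!Array.isArray(raw.history) || raw.history.length > MAX_HISTORY) return null;
  const history = [];
  for (const e of raw.history) {
    if (typeof e !== 'object' || e === null) return null;
    if (!isCount(e.ts) || !['resist', 'buy'].includes(e.decision) || !isAmount(e.amount)) return null;
    history.push({ ts: e.ts, decision: e.decision, amount: e.amount });
  }
  return { version: SCHEMA_VERSION, resisted: raw.resisted, boughtAnyway: raw.boughtAnyway,
           moneySaved: raw.moneySaved, streak: raw.streak, history };
}

// Pure update for one resist/buy decision; the amount is checked because it
// comes from whatever the content script scraped off the page.
function applyDecision(stats, decision, amount, now) {
  if (!['resist', 'buy'].includes(decision) || !isAmount(amount)) throw new TypeError('bad decision');
  const next = { ...stats, history: [...stats.history, { ts: now, decision, amount }] };
  if (decision === 'resist') { next.resisted += 1; next.streak += 1; next.moneySaved += amount; }
  else { next.boughtAnyway += 1; next.streak = 0; }
  if (next.history.length > MAX_HISTORY) next.history.shift();
  return next;
}

// Constructed stand-in for chrome.storage.local; values round-trip through JSON.
function memoryStorage() {
  const m = new Map();
  return {
    async get(key) { return m.has(key) ? { [key]: JSON.parse(m.get(key)) } : {}; },
    async set(obj) { for (const [k, v] of Object.entries(obj)) m.set(k, JSON.stringify(v)); },
    async remove(key) { m.delete(key); },
  };
}

class StatsStore {
  constructor(storage) { this.storage = storage; }
  async load() {            // corrupt or tampered on-disk data: start clean
    const got = await this.storage.get(STORAGE_KEY);
    return validateStats(got[STORAGE_KEY]) ?? emptyStats();
  }
  async record(decision, amount, now = Date.now()) {
    const next = applyDecision(await this.load(), decision, amount, now);
    await this.storage.set({ [STORAGE_KEY]: next });
    return next;
  }
  async exportJson() { return JSON.stringify(await this.load(), null, 2); }
  async importJson(text) {  // returns false and stores nothing when the file is invalid
    let parsed;
    try { parsed = JSON.parse(text); } catch { return false; }
    const valid = validateStats(parsed);
    if (valid === null) return false;
    await this.storage.set({ [STORAGE_KEY]: valid });
    return true;
  }
  async reset() { await this.storage.remove(STORAGE_KEY); }
}

// Constructed inputs: one valid export and three that must be refused.
const GOOD_EXPORT = JSON.stringify({ version: 1, resisted: 2, boughtAnyway: 1, moneySaved: 79.98,
  streak: 0, history: [{ ts: 1700000000000, decision: 'resist', amount: 39.99 }] });
const BAD_EXPORTS = [
  '{"version":1,"resisted":-1,"boughtAnyway":0,"moneySaved":0,"streak":0,"history":[]}',
  '{"version":1,"resisted":0,"boughtAnyway":0,"moneySaved":0,"streak":0,"history":[],"__proto__":{"x":1}}',
  'not json at all',
];

// Exercises the store end to end and returns what happened.
async function demo() {
  const store = new StatsStore(memoryStorage());
  await store.record('resist', 39.99, 1700000000000);
  await store.record('buy', 12.5, 1700000001000);
  const exportedResisted = JSON.parse(await store.exportJson()).resisted;
  const imports = [];
  for (const text of [GOOD_EXPORT, ...BAD_EXPORTS]) imports.push(await store.importJson(text));
  const afterResisted = (await store.load()).resisted;
  await store.reset();
  return { exportedResisted, imports, afterResisted, cleared: (await store.load()).resisted === 0 };
}

demo().then((r) => console.log(JSON.stringify(r)));
// {"exportedResisted":1,"imports":[true,false,false,false],"afterResisted":2,"cleared":true}
```

Because load() runs the same validator over what is already on disk, a hand-edited or corrupted profile file degrades to a fresh stats object instead of feeding odd values into the popup; reset() simply removes the key, which is all "Reset Stats" needs to do.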
For California Residents (CCPA Rights):
Under the California Consumer Privacy Act (CCPA), California residents have specific rights:
Right to Know: Request what personal information we collect (for newsletters: your email address only)
Right to Delete: Request deletion of your personal information
Right to Opt-Out of Sale: We do NOT sell personal information and never will
Right to Non-Discrimination: You won't be treated differently for exercising your privacy rights
Do Not Sell My Personal Information: We do not sell personal information. This statement serves as our CCPA-required notice.
How to Exercise Your Rights
To exercise GDPR or CCPA rights, email us at support@theimpulsejudge.com with the subject line "Data Subject Request" and include:
Your email address (so we can locate your data)
Your specific request (access, deletion, correction, export)
Verification (we may ask you to reply from the email address on file to confirm identity)
Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA).
What We Can Provide:
Access Request: We'll confirm if we have your email address in our newsletter list
Deletion Request: We'll unsubscribe you and request Brevo delete your email (typically processed within 24-48 hours)
Export Request: We'll provide a copy of your email address (that's literally all we have)
Extension Data: Since all extension data is stored locally on your device, you can inspect it yourself: open DevTools on the extension's popup (right-click the popup and choose Inspect) and look under Application > Storage, or run chrome.storage.local.get(null, console.log) in that console. Delete it via the "Reset Stats" button or by uninstalling the extension. We cannot access or delete this data remotely as we never receive it.
Regulatory Inquiries & Governmental Requests
If we receive inquiries or requests from data protection authorities, regulators, or government agencies (e.g., ICO, OPC, CNIL, FTC, OAG, etc.), we will:
Cooperate in Good Faith: We will respond to lawful regulatory inquiries and provide requested information to the extent we possess it
Verify Legitimacy: We may request verification of the regulator's identity, authority, and the scope/legal basis of the request before responding
Scope Limitation: Given our minimal data collection (only newsletter email addresses), most inquiries will have limited responsive data. We cannot provide extension usage data as it is never transmitted to us.
User Notification: Where permitted by law and not prohibited by the request itself (e.g., lawful gag orders), we will notify affected users of regulatory inquiries concerning their data
Legal Process: We reserve the right to consult legal counsel and challenge requests we believe are overbroad, lack proper legal foundation, or violate user rights
Transparency: If we receive a regulatory order or finding that materially affects our privacy practices, we will update this policy and notify users via email and website notice.
Contact for Regulators: Data protection authorities or regulators may contact us at support@theimpulsejudge.com with subject line "REGULATORY INQUIRY - [Authority Name]" or via registered mail at the address we provide upon verified request.
13. Changes to This Policy
If we ever change this privacy policy, we will update the "Last updated" date at the top. For significant changes, we'll notify users through the extension update notes and/or newsletter.
14. Future Service Changes Notice
Important: The Impulse Judge extension currently collects zero data and operates entirely on-device. If we ever introduce cloud features (account sync, server-side stats, AI recommendations, etc.), we will:
Update this Privacy Policy with detailed information about new data collection
Notify all users via extension update notes and newsletter
Make any such features opt-in only
Provide at least 30 days notice before collecting any new data types
We will NEVER silently start collecting data. Any changes to our "no data leaves your device" promise will be clearly communicated.
15. Open Source Transparency
The Impulse Judge's extension code is available for review. You can verify that we don't transmit any data by examining the source code yourself.
16. Contact Us
If you have any questions about this Privacy Policy or the extension, you can reach us at:
Email: support@theimpulsejudge.com
Website: theimpulsejudge.com