Skip to main content
Version: 1.0.1

Privacy Policy - Cookie Lens

Last Updated: July 2026

Cookie Lens is a privacy-first Chrome extension.

This page has a plain-language summary (below) and a technical breakdown — see Privacy in detail to verify exactly how the extension handles data.

Data Collection

  • Cookie Lens does not collect, transmit, or sell any user data.
  • All cookie inspection, decoding, and analysis happen locally on your device.
  • No data is sent to external servers or third parties.
  • No tracking, no analytics, no telemetry, no cross-device sync.

Storage

  • Preferences (theme, pinned cookies, layout) and the snapshots that power Freeze, Profiles, and the Report are stored locally in extension storage.
  • Because Freeze and Profiles have to restore cookie values, those snapshots necessarily contain cookie values — stored only on your device, never sent anywhere.

Changes to This Policy

We may update this policy occasionally. Continued use of the extension constitutes acceptance of any changes.

For questions, contact: [email protected]


Privacy in detail

The summary above is the policy in plain language. The sections below explain the technical specifics for users who want to verify how Cookie Lens handles data.

Where data lives

Cookie Lens uses browser-managed storage and nothing else.

  • Local (chrome.storage.local) — survives a browser restart: preferences (theme, pinned cookies, table layout), Report snapshots, and Freeze and Profile snapshots. Freeze and Profiles store cookie values here by necessity — that is the only way to restore a frozen value or switch to a saved profile. All of it stays on your device.
  • Session (RAM-only) — cleared on browser restart: the Activity change feed for the inspected tab and the request metadata used to attribute a cookie to the response that set it. Never written to disk.
  • Panel UI (localStorage) — DevTools-panel-scoped preferences such as column widths and panel theme.

Cookie values themselves are read from the inspected tab's cookie jar at inspection time and decoded for display; they are only persisted when you freeze a cookie or save a profile.

Request attribution ("Set by Request")

Cookie Lens observes Set-Cookie response headers (via the webRequest permission) so it can show which request set or updated a cookie in the Activity feed.

  • Captures only metadata: HTTP method, request URL, response status, timestamp.
  • Does not capture request/response bodies or other headers.
  • Kept in RAM only, cleared on browser restart.
  • Only observes sites you have granted host access to.

Incognito

Cookie Lens runs against the separate incognito cookie jar when you enable Allow in Incognito. Freeze/Profile snapshots belonging to a closed incognito session are purged when the service worker next starts.

Message authentication

Background messages are authenticated by sender id, so only the extension's own surfaces can drive cookie reads and writes.

Permissions

PermissionWhen grantedWhat it allows
cookiesOn installRead, write, delete cookies and receive the change feed
storageOn installPersist preferences and Freeze/Profile/Report snapshots locally
tabsOn installResolve the inspected tab's URL to scope the DevTools panel list
activeTabOn installScope the popup to the tab you invoked it on
webRequestOn installObserve Set-Cookie response headers for request attribution
<all_urls> host accessPer site, from your clickRead/write cookies on the site you're inspecting

Host access is optional and requested per site from a user gesture — it is not part of the default install. You can revoke it any time at chrome://extensions.

Exports are your responsibility

Import/Export produces CSV and JSON files containing real cookie values — including auth tokens, session ids, and anything else your app stores in cookies.

  • Treat them like credentials: don't commit them to public repos or paste them into shared documents.
  • Once a file is on your filesystem, it is fully under your control; Cookie Lens doesn't track it.

Data retention

DataLifetimeHow to clear
Cookie values (in view)While the surface is openClose the popup / DevTools
Activity feed & request metadataUntil browser restartRestart the browser
Freeze / Profile / Report snapshotsUntil you unfreeze / delete / uninstallUnfreeze, delete the profile/snapshot, or uninstall
PreferencesUntil you change or uninstallUninstall the extension
Exported filesUp to youManual deletion
  • Does not contact any remote server.
  • Does not include analytics, telemetry, or crash reporting.
  • Does not sync anything across devices.
  • Does not load any third-party scripts or fonts.
  • Does not access browser data beyond the cookies of sites you inspect (no history, bookmarks, passwords, or other extensions' data).
  • Does not require an account, login, or any personal information.