Version: 0.1.0

Privacy Policy

Last updated: May 8, 2026

Event Lens's privacy principle: Your data stays with you.

What Data Does Event Lens Collect?

Event Lens records the following information only in your browser.

Event information

Event name (e.g. user:login).
Event type (CustomEvent, postMessage, BroadcastChannel, PubSub).
Event payload (the data the user code emitted).
Timestamp.
Source (file and line).
Subscriber count and names.

Network requests

fetch / XHR URL.
HTTP method (GET, POST, etc.).
Request headers.
Request body.
Response status code.
Response body.
Request duration.

Listener information

addEventListener calls.
removeEventListener calls.
Active listener count.
Potential memory leaks.

Session information

All events (the most recent 500).
Network requests.
Memory leak report.
Listener counts.
Breakpoints.
Performance budget settings.
Replay history.

Technical information

Page URL.
Page title.
Browser console errors.
Extension version.

What Data Is Sent Anywhere?

Nothing. Event Lens runs entirely offline.

An event happens on the page
        |
Event Lens records it
(in browser memory)
        |
DevTools panel shows it
(stays with you, sent to no one)

Where data is not sent

Servers (no backend calls).
Analytics services (Google Analytics, Mixpanel, etc.).
Cloud storage (Google Drive, S3, etc.).
Telemetry systems (no usage tracking).
Ad networks.

Where data is stored

Browser memory — RAM, for the current session.
Chrome localStorage — under the extension's storage.
Browser cache — cleared when the browser closes.

Where Is Data Stored?

Browser memory

Events are kept in RAM while the DevTools panel is open.

Panel open → in RAM.
Panel closed → discarded.

If the tab closes, the data is gone.

Chrome localStorage

Some settings persist even when the panel is closed:

Settings (budget, theme, filter preferences).

localStorage is managed by Chrome. To wipe it, see Clearing Data below.

Export files

The JSON file produced by Export:

Lives in your browser's Downloads folder.
Is not encrypted (plain JSON).
Is yours to manage (you delete or share it).
Is not tracked by Event Lens.

Clearing Data

1. From the DevTools panel

Event Lens → Settings → Clear All Logs

Result:

The event list is wiped.
Memory is freed.
RAM contents are gone.
localStorage settings are kept.

2. From Chrome settings

Chrome → Settings → Privacy and security → Clear browsing data
  Time range: All time
  Cookies and other site data
  Cached images and files
  → [Clear data]

Result: localStorage is wiped, the extension session is reset.

3. By uninstalling the extension

chrome://extensions
  Event Lens → Remove

Result: the extension and all its data go away. If you reinstall, you start from scratch.

Sensitive Data

What can end up in an export?

The exported JSON can contain things like:

{
  "events": [
    {
      "name": "user:login",
      "payload": {
        "userId": "12345",
        "email": "[email protected]",
        "token": "abc123xyz...",
        "password": "secret123"
      }
    },
    {
      "name": "api:request",
      "payload": {
        "creditCard": "4111-1111-1111-1111"
      }
    }
  ]
}

Risk levels

Data type	Risk	Example
User ID	Medium	`userId: "user123"`
Email	Medium	`email: "[email protected]"`
Session token	High	`token: "eyJhbG..."`
API key	High	`apiKey: "sk-..."`
Password	Critical	`password: "secret"`
Credit card	Critical	`cardNumber: "4111-1111-..."`
SSN	Critical	`ssn: "123-45-6789"`

Exporting safely

Sanitise before sharing:

Event Lens → Export
Open the JSON
Remove sensitive fields (e.g. password, token)
Share the cleaned JSON

Don't paste raw exports into public GitHub issues.

Event Lens is technically GDPR-compliant:

Data is stored locally (no server).
Users control the data (delete, download, export).
No third-party transfers.

If your app logs PII (personally identifiable information), Event Lens captures it locally too:

app.js:
  fires user:login with:
    {
      userId: "123",      <- GDPR risk
      email: "...",       <- GDPR risk
      ip: "192.168..."    <- GDPR risk
    }

Event Lens records it
  -> PII now lives locally

What to do?

1. Don't log PII

// Wrong
window.dispatchEvent(new CustomEvent('user:login', {
  detail: { userId, email, ip }
}));

// Right
window.dispatchEvent(new CustomEvent('user:login', {
  detail: { success: true }
}));

2. Mask PII

{
  "userId": "***MASKED***",
  "email": "user***@example.com",
  "ip":    "192.168.***"
}

3. Disable Event Lens on sensitive pages

// On the payment page
window.__EVENT_LENS_DISABLED__ = true;

CCPA (California Privacy Rights)

The same approach satisfies CCPA:

Users can download their data (Export).
Users can delete their data (Clear Logs).
The system doesn't ship data anywhere (local only).
If sensitive data is logged, a transparency notice is required.

Security

Content Security Policy (CSP)

Event Lens is CSP-compatible:

No inline script injection.
No connections to external domains.
No eval().

Apps with strict CSP may need this directive:

script-src 'self' chrome-extension://[extension-id]

MITM attacks

Because data stays local, Event Lens is safe against MITM:

Browser
  Event Lens (data stays here)
  -> nothing leaves the network

A wire tap finds no payload to read.

XSS

Event Lens is XSS-safe:

It uses textContent, not innerHTML.
Payloads are JSON-escaped.
Script tags aren't executed.

Data Retention

Data	Retention	Cleared by
Event (RAM)	Session lifetime	Closing the panel
Event (localStorage)	Persistent	Clear Logs or uninstall
Export file	Up to you	Manual deletion
Network cache	1–2 hours	Automatically

Contact

Privacy concern

Open a GitHub issue with a [Privacy] ... title.

Data deletion request

Event Lens → Settings → Clear All Logs
Chrome Settings → Clear browsing data
Uninstall the extension (chrome://extensions)

Is it safe to use in a test environment?

Yes — data isn't sent to the test server, it stays in localStorage, and there's no telemetry.

Can I use it in production?

Not recommended — Event Lens is built as a dev tool:

Events keep being recorded.
Memory leaks can build up.
~1–2% CPU overhead.

For production analytics, use Segment, Mixpanel, or your own backend logging.

Policy Changes

This policy may change. Updates will be reflected in the "Last updated" date at the top.

What Data Does Event Lens Collect?​

Event information​

Network requests​

Listener information​

Session information​

Technical information​

What Data Is Sent Anywhere?​

Where data is not sent​

Where data is stored​

Where Is Data Stored?​

Browser memory​

Chrome localStorage​

Export files​

Clearing Data​

1. From the DevTools panel​

2. From Chrome settings​

3. By uninstalling the extension​

Sensitive Data​

What can end up in an export?​

Risk levels​

Exporting safely​

GDPR & Compliance​

GDPR​

Possible GDPR risk​

1. Don't log PII​

2. Mask PII​

3. Disable Event Lens on sensitive pages​

CCPA (California Privacy Rights)​

Security​

Content Security Policy (CSP)​

MITM attacks​

XSS​

Data Retention​

Contact​

Privacy concern​

Data deletion request​

Is it safe to use in a test environment?​

Can I use it in production?​

Policy Changes​

See also​