Privacy Policy
Last updated: February 2026
EchoKit is a local-first developer tool. This page explains exactly what happens to your data.
What we collect
When recording is ON for a given tab, EchoKit captures each fetch / XMLHttpRequest call: URL, method, headers, body, response status, response headers, response body, timestamp, duration, and the tab URL for scoping. This data is stored exclusively in your browser's IndexedDB and never leaves your device.
What we don't collect
- No telemetry, analytics, crash reports, or usage pings.
- No accounts, logins, cloud storage, or sync services.
- No background network requests initiated by the extension itself.
Permissions
| Permission | Why we need it |
|---|---|
<all_urls> | Observe fetch/XHR on pages you record. Only active on tabs where you pressed REC. |
storage, unlimitedStorage | Persist your recordings + settings locally. |
tabs, activeTab | Track per-tab recording/mocking state. Display host in footer. |
declarativeNetRequest | Implement optional CORS override + URL blocklist. Rules written only when you enable the toggle, removed when you disable. |
scripting | localStorage copy/paste feature — read/write the active tab's localStorage only when you click the menu item. |
clipboardRead, clipboardWrite | Copy/paste localStorage payloads via the system clipboard. |
Data retention
Recordings live until you clear them (Menu → Clear, Settings → Wipe ALL) or uninstall the extension.
Third-party services
The UI loads two web fonts from Google Fonts (IBM Plex Sans and JetBrains Mono). This means Google can observe that the UI was opened. Prefer full isolation? Fork the repo and bundle fonts locally.
Open source
MIT-licensed. Audit every line.
Contact
Privacy questions or issues: support@echo-kit.com or GitHub issues.