Update README and Privacy Policy

Foulest · Foulest · commit 4c5670e17a02 · 2026-03-22T03:02:30.000-07:00
diff --git a/.github/PRIVACY.md b/.github/PRIVACY.md
@@ -1,81 +1,108 @@
 # Privacy Policy
 
-**Effective Date:** 03/16/2026
+**Effective Date:** 03/22/2026
 
-Osprey: Browser Protection is committed to protecting your privacy. This Privacy Policy explains what data is processed
-when you use the extension, why, and how. URL checking is the core security function of the extension. When you
-navigate to a website, Osprey may send the URL to threat intelligence or DNS filtering services to determine whether
-the destination is malicious or inappropriate. This processing is limited to what is necessary for that purpose.
+Osprey: Browser Protection and the team behind [OspreyProject](https://github.com/OspreyProject) is committed to
+protecting your privacy. This Privacy Policy explains what data is processed when you use the extension, why, and how.
+
+Osprey consists of two components:
+
+- The **browser extension**, which runs locally on your device.
+- The **proxy server** (OspreyProxy), which runs on a VPS hosted in New York, NY
+  at [api.osprey.ac](https://api.osprey.ac).
+
+Understanding which component does what is important for understanding how your data is handled.
 
 ## What Data Is Processed and Why
 
-For DNS-based providers (AdGuard DNS, CERT-EE, CleanBrowsing, Cloudflare, Control D, Quad9, and Switch.ch), only the
-hostname is sent as part of a DNS-over-HTTPS query. For API-based providers (alphaMountain and PrecisionSec), the full
-URL including path is sent. These API requests are routed through Osprey's own proxy server hosted in New York, NY,
-rather than directly to the provider.
+URL checking is the core security function of the browser extension. When you navigate to a website, the browser
+extension sends the URL to the proxy server, which checks it against threat intelligence providers, DNS filtering
+services, and local threat intelligence lists to determine whether the URL is unsafe.
 
-The proxy does not log IP addresses in any form and does not log request bodies under normal operation. It may log the
-submitted URL if an upstream provider returns a 400 response, and the hostname may appear in error output on internal
-failures or blocked connection attempts. These messages are never written to disk; they exist only in the VPS's runtime
-memory via journald and are lost when the server restarts. The proxy also logs aggregate request counts per provider
-(requests per minute and a running total), which contain no IP addresses or URLs. The proxy source code is open-source
-and [available for review on GitHub](https://github.com/OspreyProject/OspreyProxy).
+The browser extension sends the full URL to the proxy server for all checks. How the proxy server handles it depends
+on the provider type:
 
-Osprey does not collect browsing history, user identifiers, or analytics of any kind.
+- **DNS-based providers** (AdGuard DNS, CERT-EE, CleanBrowsing, Cloudflare, Control D, Quad9, and Switch.ch): the
+  proxy server extracts only the hostname and submits it as a DNS-over-HTTPS query.
+- **API-based providers** (alphaMountain and PrecisionSec): the proxy server forwards the full URL including path.
+- **Local threat intelligence lists**: the proxy server checks the hostname against its own in-memory domain sets
+  without making any external requests.
 
-## Third-Party Recipients
+In all cases, your IP address is never forwarded to any provider directly; providers see only the proxy server's IP
+address.
 
-When a URL is checked, the relevant third-party providers receive a network request as part of the standard HTTP
-connection. Providers you have disabled in the extension's settings are not contacted.
+The proxy server does not log IP addresses in any form and does not log request bodies under normal operation. It may
+log the submitted URL if an upstream provider returns a 400 response, and the hostname may appear in error output on
+internal failures or blocked connection attempts. These messages are never written to disk; they exist only in the
+VPS's runtime memory via journald and are lost when the server restarts. The proxy server also logs aggregate request
+counts per provider (requests per minute and a running total), which contain no IP addresses or URLs. The proxy
+server's source code is open-source and [available for review on GitHub](https://github.com/OspreyProject/OspreyProxy).
 
-For alphaMountain ([privacy policy](https://alphamountain.ai/privacy-policy/)) and
-PrecisionSec ([privacy policy](https://precisionsec.com/privacy-policy/)), requests are routed through Osprey's proxy
-server, so your IP address is not forwarded to those providers directly.
+The proxy server does not collect browsing history, user identifiers, or analytics of any kind. The browser extension
+stores visited URLs locally in your browser as part of its caching system and does not transmit this cached data
+anywhere; this is described further in the Data Stored Locally section below.
 
-For DNS-based providers, your IP address is visible to the provider as part of the DNS-over-HTTPS query. These providers
-are AdGuard DNS ([privacy policy](https://adguard-dns.io/en/privacy.html)),
-CERT-EE ([privacy policy](https://ria.ee/en/authority-news-and-contact/processing-personal-data)),
-CleanBrowsing ([privacy policy](https://cleanbrowsing.org/privacy)),
-Cloudflare ([privacy policy](https://cloudflare.com/privacypolicy)),
-Control D ([privacy policy](https://controld.com/privacy)),
-Quad9 ([privacy policy](https://quad9.net/privacy/policy)),
-and Switch.ch ([privacy policy](https://switch.ch/en/data-protection)).
+## Third-Party Recipients
 
-Osprey also fetches local filtering lists from GitHub every 5 minutes to stay current. These requests are made to
-GitHub's CDN (operated by Microsoft), which receives your IP address as part of the connection. The lists are
-Phishing.Database and PhishDestroy. GitHub's privacy policy applies to these requests and is available
-at [GitHub's General Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement).
+When a URL is checked, the browser extension sends it to the proxy server, which then contacts the relevant
+third-party providers on your behalf. Providers you have disabled in the browser extension's settings are not
+contacted. Because all provider requests originate from the proxy server rather than your device, third-party
+providers never receive your IP address.
+
+- **API-based providers** receive the full URL:
+    - alphaMountain ([privacy policy](https://alphamountain.ai/privacy-policy/))
+    - PrecisionSec ([privacy policy](https://precisionsec.com/privacy-policy/))
+- **DNS-based providers** receive only the hostname as part of a DNS-over-HTTPS query:
+    - AdGuard DNS ([privacy policy](https://adguard-dns.io/en/privacy.html))
+    - CERT-EE ([privacy policy](https://ria.ee/en/authority-news-and-contact/processing-personal-data))
+    - CleanBrowsing ([privacy policy](https://cleanbrowsing.org/privacy))
+    - Cloudflare ([privacy policy](https://cloudflare.com/privacypolicy))
+    - Control D ([privacy policy](https://controld.com/privacy))
+    - Quad9 ([privacy policy](https://quad9.net/privacy/policy))
+    - Switch.ch ([privacy policy](https://switch.ch/en/data-protection))
+- **Local threat intelligence lists** are checked entirely within the proxy server and involve no external requests.
 
 ## Browser Permissions
 
-Osprey requires several browser permissions to function. The tabs permission is used to detect navigation events and
-apply protection. The storage permission is used to cache results locally and persist your settings. The webNavigation
-permission is used to intercept page navigations before they complete. The notifications permission is used to alert you
-when a malicious website is blocked. The contextMenus permission is used to provide the right-click menu options. The
-host permissions entry covering all URLs is used to inspect navigated URLs across all websites.
+The browser extension requires several permissions to function:
+
+- `tabs`: used to detect navigation events and apply protection.
+- `storage`: used to cache results locally on your device and persist your settings.
+- `webNavigation`: used to intercept page navigations before they complete.
+- `notifications`: used to alert you when a malicious website is blocked.
+- `contextMenus`: used to provide the right-click menu options.
+- `host` permissions covering all URLs: used to inspect navigated URLs across all websites.
 
 These permissions are used strictly for the security features described above and are not used to collect or transmit
 personal information.
 
 ## Data Stored Locally
 
-Osprey stores several categories of data in your browser's local extension storage. It stores a URL cache containing
-domains that have been checked, along with their result and an expiration time; this data never leaves your device
-except as part of normal URL checking. It also stores your protection preferences, such as which providers are enabled,
-and the downloaded local filtering lists from PhishDestroy and Phishing.Database. All locally stored data is cleared
-when you uninstall the extension.
+The browser extension stores several categories of data in your browser's local extension storage and session storage.
+None of this data is transmitted to the proxy server or any third party.
+
+- An **allowed cache** (local storage) containing URLs that have been checked and found safe, keyed per provider, each
+  with an expiration time.
+- A **blocked cache** (local storage) containing URLs that have been flagged, keyed per provider, each with an
+  expiration time and the result type (such as malicious or phishing).
+- A **processing cache** (session storage) tracking URLs that are currently being checked, to prevent duplicate
+  requests. This cache is cleared when the browser session ends.
+- Your **protection preferences** (local storage), such as which providers are enabled and your cache expiration
+  settings.
+
+All data in local storage is cleared when you uninstall the browser extension or manually via the context menu.
 
 ## Data Retention
 
-Local extension data is retained until you uninstall the extension or clear it manually via the context menu. Any
-error-case proxy server log messages exist only in the VPS's runtime memory via journald and are never written to disk;
-they are lost when the server restarts and are not retained in any form. Aggregate request counts are retained
-indefinitely but contain no personal data.
+Local extension data is retained until you uninstall the browser extension or clear it manually via the context menu.
+Any error-case log messages on the proxy server exist only in the VPS's runtime memory via journald and are never
+written to disk; they are lost when the server restarts and are not retained in any form. Aggregate request counts on
+the proxy server are retained indefinitely but contain no personal data.
 
 ## Changes to This Privacy Policy
 
-We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the date of the
-most recent revision. We encourage you to review this page periodically.
+We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the date of
+the most recent revision. We encourage you to review this page periodically.
 
 ## Contact
 
diff --git a/README.md b/README.md
@@ -86,8 +86,9 @@ security researchers, and end-users can trust to secure their browsing, wherever
 Osprey is committed to being non-profit, non-commercial, and open-source, **forever**, with no plans to monetize the
 project in any way. Unlike other free browser extensions, Osprey doesn't collect, profile,
 or [sell your browsing data](https://ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over/?utm_source=osprey)
-behind your back. We're committed to being as transparent as possible. Osprey runs locally on your device with **zero
-telemetry**, user-identifiable back-end analytics, or user accounts needed. Check out
+behind your back. URL checks are routed through Osprey's privacy-respecting proxy server
+at [api.osprey.ac](https://api.osprey.ac), which forwards requests to our protection partners without transmitting any
+personally identifiable information. No user accounts are required. Check out
 our [Privacy Policy here](https://osprey.ac/privacy) for more info.
 
 The more protection providers join the project, the better the Osprey threat intelligence platform becomes. If you're
