keyCocoon Privacy Policy

Last Updated: November 12, 2024

1. INTRODUCTION

keyCocoon ("we," "our," or "the Extension") is a browser extension that acts as a secure bridge between webSlinger automation and your locally-stored credentials in keyBunker. This Privacy Policy explains our zero-knowledge architecture and how we handle your information.

CRITICAL PRIVACY PRINCIPLE:

keyCocoon NEVER stores, transmits, or accesses your credentials. We act solely as a secure communication bridge between webSlinger and keyBunker. All credential data remains encrypted on your local device.

2. INFORMATION WE COLLECT

2.1 Configuration Settings (LOCAL ONLY)

keyCocoon stores ONE setting locally in browser storage:

Authentication expiration duration preference (e.g., 1 hour, 8 hours, 24 hours)

This preference is stored to improve user experience by pre-populating your preferred duration the next time you authenticate with keyBunker.

That's it. We collect no other data.

2.2 What We DO NOT Collect

keyCocoon does NOT collect, store, or transmit:

Website passwords
TOTP secrets or shared authentication keys
Multi-factor authentication codes
Personal data entered in forms
Credit card numbers or financial information
Browsing history
Website content
Any credential-related data
User analytics or usage statistics
IP addresses or device identifiers

3. HOW keyCocoon WORKS (ZERO-KNOWLEDGE ARCHITECTURE)

3.1 Credential Flow

When webSlinger needs to inject credentials:

1. webSlinger Extension
↓ (sends request via extension messaging)
"Please log into example.com for user john@example.com"

2. keyCocoon Extension (THIS EXTENSION)
↓ (forwards request via native messaging)
"Retrieve password for example.com/john@example.com"

3. keyBunker Native App
↓ (decrypts from local vault)
Returns encrypted password to keyCocoon

4. keyCocoon Extension
↓ (injects into target tab)
Fills password field, clears from memory immediately

KEY PRIVACY POINTS:

Credentials retrieved from keyBunker on-demand only
Held in memory ONLY during injection (< 1 second)
Immediately cleared from memory after injection
NEVER logged, cached, or persisted by keyCocoon
NEVER transmitted over network
NEVER shared with webSlinger extension

3.2 TOTP Code Generation

For two-factor authentication codes:

webSlinger requests TOTP code for domain/username
keyCocoon requests code from keyBunker via native messaging
keyBunker generates 6-digit TOTP code using RFC 6238 algorithm
keyCocoon receives code (NOT the secret)
keyCocoon injects code into authentication form
Code cleared from memory immediately

TOTP secrets NEVER leave keyBunker. Only the generated 6-digit codes (which expire in 30 seconds) are transmitted to keyCocoon for injection.

4. DATA STORAGE

4.1 What We Store

keyCocoon stores exactly ONE item in Chrome's local storage API:

authExpirationMinutes: Your preferred authentication duration

This is stored locally in your browser and is NOT:

Synchronized across devices
Transmitted to any servers
Shared with any third parties
Accessible to other extensions (except via Chrome's extension APIs)

4.2 What keyBunker Stores (NOT keyCocoon)

keyBunker (the native application) stores:

Encrypted credentials in local vault file
TOTP shared secrets
Domain/username mappings

This data is:

Stored on your local disk only
Encrypted with AES-256 using master password-derived key
NEVER accessed by keyCocoon except during credential retrieval
NEVER synchronized to cloud services
Under YOUR control (not ours)

5. DATA SHARING AND THIRD PARTIES

5.1 We Do NOT Share Data

keyCocoon does NOT share any data with:

webSlinger servers
Cloud services
Analytics providers
Advertising networks
Third-party services
Anyone

5.2 Inter-Extension Communication

keyCocoon communicates with:

webSlinger Extension (Optional Integration)

Purpose: Receive credential injection requests
Data shared: Domain and username only (NOT passwords)
Method: Chrome extension messaging API
Privacy: Credentials never passed to webSlinger

keyBunker Native App (Required)

Purpose: Retrieve encrypted credentials from local vault
Data shared: Domain/username lookups, authentication state
Method: Chrome native messaging API
Privacy: Local-only communication, no network involved

5.3 No External Services

keyCocoon does NOT communicate with:

Web servers
APIs
Cloud storage
Analytics services
Any network endpoints

ALL communication is local-only between browser extensions and native apps.

6. SECURITY MEASURES

6.1 Credential Encryption in Transit

When keyBunker sends passwords to keyCocoon:

Extension generates ephemeral RSA key pair
Public key sent to keyBunker
keyBunker encrypts password with public key
Encrypted password sent to extension
Extension decrypts with private key
Keys discarded after use

This ensures credentials are encrypted even over the local native messaging channel.

6.2 Memory Management

Credentials held in memory < 1 second during injection
Immediately overwritten after injection
JavaScript garbage collection ensures no residual data
No caching or buffering of sensitive data

6.3 No Logging

keyCocoon does NOT log:

Credentials or TOTP codes
Injection requests
Domain/username combinations
User actions
Error messages containing sensitive data

Console logging may occur for debugging but NEVER includes sensitive data.

7. BROWSER EXTENSION PERMISSIONS

keyCocoon requests the following permissions:

7.1 activeTab

Purpose: Access current page when injecting credentials
Use: Required to fill password fields in login forms
Privacy: Only accesses page during active injection request

7.2 scripting

Purpose: Inject credential entry code into login forms
Use: Fill username/password fields, submit forms
Privacy: Injection code runs < 1 second, contains no tracking

7.3 nativeMessaging

Purpose: Communicate with keyBunker native application
Use: Retrieve encrypted credentials from local vault
Privacy: Local-only communication, no network transmission

7.4 storage

Purpose: Save authentication expiration preference
Use: Remember user's preferred session duration
Privacy: Stores ONE non-sensitive configuration value

7.5 tabs

Purpose: Identify correct tab for credential injection
Use: Ensure credentials injected into intended login page
Privacy: Only reads tab URL during injection requests

7.6 management

Purpose: Detect if webSlinger extension is installed
Use: Enable/disable integration features
Privacy: Only queries installed extension list

7.7 Content Scripts (<all_urls>)

Purpose: Listen for credential injection requests
Use: Receive commands from webSlinger to inject credentials
Privacy: Content scripts are passive listeners, don't access page content unless explicitly triggered by webSlinger

NOTE: keyCocoon does NOT request host_permissions. Content scripts run on <all_urls> but only activate when explicitly requested by webSlinger for credential injection. This is more privacy-friendly than host_permissions.

8. YOUR PRIVACY RIGHTS

8.1 Data Access

Since keyCocoon stores only one configuration value:

You can view it in Chrome's extension storage inspector
Setting: authExpirationMinutes (your authentication duration preference)

8.2 Data Deletion

To delete all keyCocoon data:

Uninstall the extension (removes the stored preference)
Or: Clear browser extension data in Chrome settings

Note: Uninstalling keyCocoon has NO effect on keyBunker data. Your credentials remain safely stored in keyBunker's encrypted vault.

8.3 Credential Control

Credentials stored in keyBunker (not keyCocoon)
Access keyBunker directly to manage credentials
keyCocoon cannot access credentials without keyBunker
Master password required for all credential operations

9. CHILDREN'S PRIVACY

keyCocoon is not intended for use by children under 13 years of age. We do not collect any personal information from users of any age. If a parent believes their child has installed keyCocoon, they may uninstall it without any data loss (credentials remain in keyBunker).

10. INTERNATIONAL CONSIDERATIONS

keyCocoon operates entirely locally on your device:

No data transmitted across borders
No cloud storage or servers
All processing happens on your local machine
GDPR, CCPA, and other privacy laws do not apply (no data collection)

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect changes in:

Chrome extension API capabilities
Security improvements
Integration with webSlinger updates

When we make changes:

"Last Updated" date will change
Significant changes announced in extension update notes
Previous versions available upon request

Since keyCocoon collects no data, privacy policy changes typically reflect architectural improvements rather than data handling changes.

12. SECURITY VULNERABILITIES

If you discover a security vulnerability in keyCocoon:

Email: security@webslinger.ai
Subject: keyCocoon Security Issue
Include: Detailed description and reproduction steps

We take security seriously and will respond within 48 hours.

13. CONTACT US

For privacy questions about keyCocoon:

Email: privacy@webslinger.ai
Subject: keyCocoon Privacy Inquiry
Website: https://webslinger.ai/keycocoon

14. COMPARISON WITH OTHER PASSWORD MANAGERS

Unlike cloud-based password managers, keyCocoon:

✓ Better Privacy:

Does NOT store credentials (keyBunker does, locally)
Does NOT sync across devices
Does NOT transmit credentials over network
Does NOT require trust in cloud provider
Does NOT charge subscription fees
Does NOT analyze your password patterns

✗ Trade-offs:

No cross-device sync
Requires keyBunker setup
Less convenient than cloud solutions

keyCocoon prioritizes PRIVACY and SECURITY over CONVENIENCE.

15. FREQUENTLY ASKED QUESTIONS

Q: Does keyCocoon send my passwords to webSlinger?

A: NO. Credentials are injected directly into web pages. webSlinger only receives success/failure status, never the actual credentials.

Q: Can keyCocoon access my credentials without my permission?

A: NO. keyBunker requires master password authentication. Without authenticating keyBunker, keyCocoon cannot retrieve credentials.

Q: What happens if I uninstall keyCocoon?

A: Your credentials remain safe in keyBunker's encrypted vault. keyCocoon is just a bridge; uninstalling it has no effect on stored credentials.

Q: Does keyCocoon work without webSlinger?

A: Not currently. keyCocoon is designed specifically as a credential bridge for webSlinger automation. Standalone credential injection features may be added in future versions.

Q: How is this different from LastPass or 1Password?

A: keyCocoon doesn't store credentials itself (keyBunker does, locally). No cloud sync, no subscription, no trust in third-party servers. Pure local storage with zero-knowledge architecture.

Q: Can keyCocoon be audited?

A: Yes. Security researchers can request source code review. We plan to open-source keyCocoon after initial release to enable community audits.