Privacy Policy for Session Vault

Last updated: June 30, 2026

TL;DR

Session Vault is a 100% local-only Chrome extension. We do not collect, transmit, store, or sell any of your data. Nothing leaves your device.

Who we are

Session Vault is an open-source Chrome extension that lets users export and import their browser session data, including cookies, localStorage, and sessionStorage, as password-encrypted local files using AES-GCM 256-bit encryption with PBKDF2-SHA256.

This Privacy Policy explains what data the extension accesses, how it is processed, and what we, the developer, do and do not do with it.

Data we access

To perform its function, Session Vault accesses the following data on your local device:

Data type Why it is needed Where it goes
Cookies for the current site or all sites To export and import authentication sessions Encrypted into a local file on your device
localStorage / sessionStorage To export and import full browser session state Encrypted into a local file on your device
Active tab URL / tab list To detect which domain to export from, or which tabs are open for "All sites" mode Used in memory only, never stored or sent
Extension storage (chrome.storage) To temporarily hold pending localStorage entries until you revisit the site, only for "All sites" import Local browser storage, on your device only

Data we do NOT collect

We do not:

The extension has no remote server. There is no backend.

How encryption works

When you export, your data is encrypted entirely inside your browser using:

The resulting .json file is meaningless without your password. We cannot decrypt it. There is no key escrow, no backdoor, and no recovery mechanism. If you lose your password, your data is unrecoverable.

Permissions explained

Chrome requires us to request these permissions:

We never silently scan, read, or transmit data from any website. All actions are user-initiated.

Your responsibility

Because data never leaves your device, you are responsible for:

Anyone who obtains both your .json file and your password will be able to log in as you on the included sites, including after 2FA has already been completed.

Children's privacy

Session Vault is not directed at children under 13 and does not knowingly collect data from anyone.

Changes to this policy

If this policy ever changes, the updated version will be published in the same location with a new "Last updated" date. Since the extension does not have any remote service, changes to this policy will not retroactively affect any data. There is no data to affect.

Contact

For questions about this Privacy Policy, please open an issue in the public GitHub repository for Session Vault or use the support contact listed on the Chrome Web Store listing.

Verifiability

Session Vault is open source. The public repository that serves this page contains the full source code for the extension, including manifest.json, popup.js, background.js, crypto.js, and storage-deep.js.

The source code contains zero fetch(), XMLHttpRequest, or WebSocket calls to any remote endpoint.