Privacy Policy
Last updated: 2026-06-24
Scope
This policy covers the Header Forge browser extension and its website at https://headerforge.mongooselabs.dev, both published by Mongoose Labs. It explains what data the extension handles, why, and the choices you have.
Header Forge modifies HTTP request and response headers (and, on the Pro tier, redirects and request blocking) using Chrome's declarativeNetRequest engine. Your rules live in your browser. There is no account, no cloud, and nothing about your browsing is uploaded anywhere.
Summary
- Your content stays in your browser. We do not run servers that receive it.
- We collect a small set of anonymous usage events, and you can opt out in the extension options.
- Payments are handled by ExtensionPay and Stripe. We never see your card details.
- We do not sell or rent any data, and we do not use it for advertising or credit purposes.
Browser permissions and how they are used
Header Forge requests the following browser permissions. Each one exists to support a user-facing feature, never to gather data:
- declarativeNetRequest: Applies your header, redirect, and blocking rules to matching network requests through Chrome's declarative engine. Because the rules are declarative, the extension tells the browser what to change but does not receive the contents of your requests or responses. We did not request declarativeNetRequestFeedback, so the extension cannot observe which requests matched.
- storage: Stores your profiles, rules, and the most recent license status locally in your browser. This data stays on your device (and in your browser profile sync, if you have that enabled). It is never sent to our servers.
- activeTab: Used only by the optional Pro scoping feature, to read the id of the tab or window you are currently viewing so a rule can be limited to it. It does not read page content.
Sites the extension communicates with
The extension is permitted to communicate with the following sites, and no others:
- https://extensionpay.com/*: Used to check your license status and to process upgrades through ExtensionPay, our payment provider.
- https://plausible.io/*: Used to send a small set of anonymous usage events to Plausible Analytics.
Optional site access for applying rules
To modify headers on a site, Chrome requires the extension to have host access to that site. Header Forge does not request this at install time. The first time you switch on a rule, it asks for access (the narrowest origin it can derive from the rule, or broad access for patterns that can match any site). You can decline, and the extension keeps working for everything that does not need that access. When granted, the access is used only to let Chrome apply your rules; the extension itself does not read the traffic. You can revoke access at any time from the extension options page or at chrome://extensions.
Payments
Paid upgrades are handled by ExtensionPay (extensionpay.com), which uses Stripe to process payments. When you upgrade, ExtensionPay and Stripe receive the information needed to complete the purchase, such as your email address and payment details. We never see or store your card details. We receive only your license status and the email address associated with it, which we use to unlock paid features and provide support.
The extension periodically contacts extensionpay.com to confirm your license. If you are offline, your last known license is kept on your device and honored for a short grace period.
- ExtensionPay privacy policy: https://extensionpay.com/privacy
- Stripe privacy policy: https://stripe.com/privacy
Analytics
We use Plausible Analytics, a privacy-focused analytics service, to understand how the extension is used in aggregate. Events are limited to product milestones such as install, first rule applied, and upgrade. They contain no rule contents, no request data, no browsing history, and no personal information, and Plausible does not use cookies or store IP addresses in a way that can identify you.
You can opt out of analytics at any time in the extension’s options page. The opt-out takes effect immediately and is respected by every event the extension would otherwise send.
- Plausible data policy: https://plausible.io/data-policy
Data sharing
We do not sell, rent, or trade any data. We do not transfer data to third parties other than the service providers named above, and only as needed to operate the extension. We do not use or transfer data to determine creditworthiness, for lending purposes, or for personalized advertising. Our use of data complies with the Chrome Web Store User Data Policy, including its Limited Use requirements.
Data retention and deletion
Rules and settings stored by the extension live in your browser profile and are removed when you uninstall the extension or clear extension data. You can also export and delete your rules at any time from the options page. License records held by ExtensionPay persist so your purchase can be restored; contact us to have them deleted.
To request deletion of anything we hold, email support@mongooselabs.dev and we will respond within 30 days.
Security
All communication between the extension and the services above uses encrypted HTTPS connections. The extension requests the minimum permissions needed for its features.
Children
Header Forge is not directed at children under 13, and we do not knowingly collect personal information from them.
Changes to this policy
If we change this policy, we will update this page and the date at the top. Material changes that affect what data is handled will also be called out in the extension’s release notes.
Contact
Mongoose Labs publishes Header Forge. For privacy questions or requests, email support@mongooselabs.dev.