Privacy Policy

Secure TOTP Authenticator · Last updated: 28 May 2026

Secure TOTP Authenticator ("the Extension") is a Chrome browser extension that generates time-based one-time password (TOTP) codes for two-factor authentication. Your privacy is important to us. This policy explains what data the Extension uses and how it is handled.

Summary

• All TOTP secrets are stored only on your device.
• We do not collect, transmit, sell, or share your TOTP secrets or account data.
• The Extension does not use analytics, advertising, or tracking.
• Pro license validation sends only your license key and Chrome extension ID — never your TOTP secrets.

Data stored locally

When you add an account, the Extension saves the account name (username or email) and the Base32 TOTP secret in chrome.storage.local on your computer. This data never leaves your device except when you explicitly export an encrypted backup (Pro feature).

Pro license status and your license key (if activated) are also stored locally in chrome.storage.local so the Extension can verify your purchase offline between periodic checks.

How the Extension uses page access

The Extension requests access to web pages you visit for these user-facing features only:

• Auto-fill (Pro): Detects OTP verification input fields and may fill a code when the username or email shown on the page matches an account you saved.
• QR capture (Pro): When you right-click an image or choose "Scan page for QR code," the Extension reads QR image data on that page to import a TOTP setup code.

Page content is processed locally in your browser. It is not uploaded, logged, or transmitted to us or any third party.

Pro license validation

If you purchase a Pro license, the Extension contacts our license server (secure-totp-license-api.piyushchhabbi.workers.dev) to validate your license key. The following data is sent:

• Your license key (format: TOTP-XXXX-XXXX-XXXX)
• Your Chrome extension ID (to bind the license to your browser profile)

Your TOTP secrets, account names, and page content are never sent during license validation. We do not store personal information beyond what is needed to issue and validate license keys (license key, extension ID, purchase timestamp).

Payments are processed by Gumroad. We do not receive or store your payment card details.

Permissions

• storage — save your TOTP accounts and license state on your device
• contextMenus — show right-click options to add QR codes (Pro)
• scripting — read QR images when you use the context menu (Pro)
• host access — detect OTP fields and QR codes on pages you visit
• license server access — validate Pro license keys only

Data deletion

You can remove individual accounts from the Extension popup at any time. You can remove your Pro license from the Pro tab. Uninstalling the Extension removes all locally stored data from Chrome.

Children

The Extension is not directed at children under 13 and does not knowingly collect information from anyone.

Changes

We may update this policy occasionally. Changes will be posted on this page with an updated date.

Contact

Questions about this policy? Contact: support@securetotp.app