License Apache-2.0 v0.1.1 Rust

Privacy Policy

Last updated: March 19, 2026

This policy covers Plasmate (the browser engine) and the Plasmate Cookie Export Chrome extension. We take privacy seriously because our software handles authentication credentials.

We collect nothing. We send nothing. Everything stays on your machine.

Plasmate (browser engine)

Plasmate is a local binary that runs entirely on your computer. It does not phone home, check for updates, send telemetry, or transmit any data to Plasmate Labs or any third party.

  • No analytics or tracking of any kind
  • No crash reports sent externally
  • No usage data collected
  • Cookie profiles are stored locally and encrypted with AES-256-GCM
  • The master encryption key never leaves your machine

Plasmate Cookie Export (Chrome extension)

The Chrome extension reads cookies from the active tab and either pushes them to the local Plasmate bridge server or copies them to your clipboard. It communicates exclusively with 127.0.0.1:9271 (your own machine).

  • No external network requests. The extension never contacts any server other than localhost.
  • No data collection. We do not collect, store, or transmit any data about you, your browsing, or your cookies.
  • No analytics. No Google Analytics, no tracking pixels, nothing.
  • No persistent storage. The extension stores nothing in Chrome's storage APIs. Cookies are only held in memory while the popup is open.
  • No remote code. The extension is fully self-contained. No CDN scripts, no remote fetches.

Permissions explained

  • cookies - required to read authentication cookies from sites you want to give your agent access to
  • activeTab - required to detect the current tab's domain so we know which cookies to show
  • host_permissions (<all_urls>) - Chrome Manifest V3 requires this for chrome.cookies.getAll() to access cookies across domains. Without it, the extension can only see cookies for its own origin.

Bridge server

The plasmate auth serve bridge listens on 127.0.0.1:9271 only. It is not accessible from the network, other machines, or the internet. It accepts cookie data from the Chrome extension and writes it to encrypted local storage.

Data storage

Cookie profiles are stored at ~/.plasmate/profiles/, encrypted with AES-256-GCM. The encryption key is at ~/.plasmate/master.key with file permissions restricted to the owner (chmod 0600). You can delete any profile at any time with plasmate auth revoke <domain>.

Third-party services

Plasmate and the extension use zero third-party services. No cloud, no SaaS, no APIs. Everything runs locally.

Open source

Both Plasmate and the extension are open source. You can verify every claim in this policy by reading the code:

Changes

If we ever change this policy, we will update this page and the "last updated" date. Given that our software collects nothing, changes are unlikely.

Contact

Questions about this policy? Open an issue on GitHub.