Privacy Policy

Last updated: 18 March 2026

ShowMeYourPassy is built on a simple principle: your passwords never leave your browser. We collect nothing, store nothing, and track nothing.

What data we collect

None. ShowMeYourPassy does not collect, transmit, or store any personal data, browsing data, or password data. The extension runs entirely within your browser using local JavaScript.

How the extension works

ShowMeYourPassy operates by modifying the visual display of password input fields on web pages you visit. Specifically, it changes the input type attribute from "password" to "text" so you can see what you are typing. This happens locally in your browser and no data is sent anywhere.

Password strength scoring (Pro)

The real-time strength meter analyses your password entirely within your browser using local algorithms. No passwords or password data are transmitted to any server.

Breach detection (Pro)

The breach check feature uses the Have I Been Pwned (HIBP) k-anonymity API. This means:

Your password is hashed locally using SHA-1
Only the first 5 characters of the hash are sent to the HIBP API
Your full password, or even the full hash, is never transmitted
The check is performed over HTTPS

This is the same privacy-preserving approach used by password managers like 1Password. You can read more about how k-anonymity works at HIBP.

Licence key validation (Pro)

When you enter a Pro licence key, the extension sends only the licence key string to our validation endpoint to verify it is valid. No other data is sent. The validation response (valid/invalid) is stored locally in your browser's extension storage.

Permissions

ShowMeYourPassy requests the following Chrome permissions:

activeTab — to access the current page and modify password field display
storage — to save your preferences (toggle state, per-site rules, licence key) locally in Chrome

We do not request access to browsing history, bookmarks, downloads, or any other browser data.

Third-party services

The only external service the extension communicates with is:

Have I Been Pwned API (Pro feature, optional) — for breach detection using k-anonymity as described above
Licence validation endpoint (Pro feature, one-time) — to verify your licence key

We do not use analytics, tracking pixels, advertising networks, or any other third-party services.

Data storage

All user preferences (toggle state, per-site rules, licence key) are stored locally using Chrome's built-in chrome.storage.local API. This data stays on your device and is not synced or transmitted.

Cookies

ShowMeYourPassy does not use cookies of any kind.

Children's privacy

ShowMeYourPassy does not knowingly collect any information from children under the age of 13. The extension does not collect information from anyone.

Changes to this policy

If we update this privacy policy, we will revise the "Last updated" date at the top of this page. Material changes will be noted in the extension's changelog.

Contact

If you have questions about this privacy policy, contact us at support@stackeddigital.com.

ShowMeYourPassy is built by Stacked Digital, based in Australia.