Your data stays on your device.

What we don't collect

The extension does not:

• Collect or transmit your browsing history
• Record which flights you search for, which prices you saw, or which sites you visited
• Require a user account, login, or sign-in
• Use tracking pixels, analytics scripts, or third-party advertising
• Set cookies of its own
• Rewrite booking URLs or inject affiliate links
• Earn commission when you book a flight — there are no partnerships in the code

What we store locally

BaggageIQ uses Chrome's storage.sync to save preferences that follow you across devices signed into the same Chrome profile:

• Bag configuration — how many cabin and check-in bags you travel with
• Scoring preference — whether to rank flights by price, time, or a balance
• Per-site enable toggle — which flight sites you've granted permission to
• Wallet (optional) — the list of travel cards you've added for the card benefits feature (card keys only, e.g. amex_delta_platinum_us — no card numbers, no personal data)

It also uses Chrome's storage.local (not synced across devices) for caches:

• The decrypted airline baggage database (the encrypted bundle ships with the extension; decryption keys are fetched from the BaggageIQ data API)
• The decrypted card benefits database (same arrangement)
• Daily FX rates (from open.er-api.com)
• A locally-generated random client ID used only if you opt into anonymous telemetry

Network requests

The extension's background service worker makes a handful of outbound requests against the BaggageIQ data API and one third-party FX endpoint, all carrying no personal data beyond an anonymous install identifier:

• Anonymous token — api.baggageiq.app/v1/anonymous-token, refreshed every 30 days. Carries a random per-install UUID so the rest of the API can rate-limit; never tied to your identity.
• Database unlock — api.baggageiq.app/v1/unlock, fetched once per service-worker wake. Returns AES decryption keys for the airline and card-benefit bundles that ship inside the extension.
• Airline data (lazy) — api.baggageiq.app/v1/airline, called only when the extension encounters an airline whose data isn't in the bundled snapshot.
• Card benefit lookups — api.baggageiq.app/v1/card-benefit, called when matching a wallet card against an airline.
• FX rates — open.er-api.com/v6/latest/USD, fetched once a day.
• Corrections endpoint — api.baggageiq.app/v1/corrections, only when you explicitly submit the "Report wrong fee" form in the tooltip; the payload contains only the airline / route / cabin / fare type / your reported fee / your anonymous client ID.
• Telemetry endpoint — api.baggageiq.app/v1/telemetry, only if you turn the telemetry toggle on; see below.

None of these requests contain your browsing history, your identity, or the flight prices you're looking at.

Anonymous telemetry (opt-in)

There is an optional telemetry switch in the popup's Privacy section. It is off by default. When enabled, once a day the extension sends an aggregated counter to our backend:

• Which site the parser ran on (e.g. skyscanner)
• Whether the parse succeeded and how many flights were found
• How many airlines matched our database vs. were unknown
• Your extension version and browser family
• Your timezone (e.g. Asia/Kolkata) and language tag (e.g. en-IN), read from your browser's locale settings — used only to bucket aggregate analytics by approximate region. We never request or store your IP address.
• An anonymous client ID (a random UUID generated on your device, never linked to you)

What is never sent: the URL of the flight page you were on, the origin or destination you searched, any prices, any timestamps beyond daily bucketing, your IP address, or any identifying info. You can turn it off at any time in the popup and the client ID is cleared if you uninstall the extension.

Host permissions

Flight sites are listed under Chrome's optional_host_permissions, which means the extension does not request access to them at install time. When you toggle a site on in the popup's Enabled sites section, Chrome shows its native permission prompt and you explicitly grant access just to that domain. You can revoke any site permission at any time from the same popup.

Feedback forms

If you voluntarily submit the feedback, bug report, or feature request forms on this website, the information you type (name, email, message) is sent via FormSubmit.co to the developer's email. The forms work without providing a name or email — those fields are optional and only used if you want a reply. Nothing from these forms is linked to your extension usage.

Legal basis for processing (GDPR Art. 6)

Under the EU/UK General Data Protection Regulation, each processing activity needs a legal basis. Ours:

• Running the extension on your device — Article 6(1)(b), performance of a contract with you (you install the extension, we provide the service). No personal data leaves your device here.
• Remote database fetches (airline DB, card benefits DB, FX rates) — Article 6(1)(f), legitimate interest in delivering an accurate service. The requests are anonymous static-file GETs and contain no personal data.
• Opt-in telemetry — Article 6(1)(a), consent. You explicitly turn the toggle on; you can withdraw consent at any time by turning it off.
• Feedback forms — Article 6(1)(a), consent (you voluntarily submit). And 6(1)(f) legitimate interest in improving the product when we read the feedback.
• Corrections submissions (Report wrong fee) — Article 6(1)(a), consent (you explicitly click submit), and 6(1)(f) legitimate interest in maintaining an accurate fee database.

Data retention

We keep as little data for as short a time as possible:

• Extension preferences (bag counts, wallet cards, site toggles) — stored in your Chrome profile until you uninstall the extension or clear the data yourself. We have no copy on any server.
• Anonymous telemetry events (if opted in) — aggregated daily; individual event records deleted after 90 days. The aggregate counters (parser success rates per site) are kept indefinitely but contain no personal data.
• Feedback / bug / feature form submissions — kept in the developer's email inbox. You can ask us to delete yours by emailing support@baggageiq.app.
• Corrections submissions — kept in the corrections database indefinitely as part of the fee research pipeline. Your anonymous client ID is the only "identifier"; we have no way to tie it back to you.

Your rights (GDPR Art. 15–22)

If you're in the EU, UK, or another jurisdiction with similar data-protection law, you have these rights over personal data we process about you:

• Right of access — ask us what personal data we hold on you. For nearly all users the answer is "none" — the extension stores everything locally on your device.
• Right to rectification — ask us to correct any inaccurate data.
• Right to erasure ("right to be forgotten") — ask us to delete your data.
• Right to data portability — ask for a copy of your data in a machine-readable format.
• Right to object — object to processing based on legitimate interest. For telemetry, this is a one-click toggle in the popup.
• Right to withdraw consent — turn off the telemetry toggle, or email us to withdraw from any consent-based processing. Withdrawing consent doesn't affect processing that already happened lawfully before withdrawal.
• Right to lodge a complaint — with your national data protection authority. For India, that's the Data Protection Board (Ministry of Electronics & IT). For the EU, it's the DPA in your member state. For the UK, it's the Information Commissioner's Office (ICO).

To exercise any of these rights, email support@baggageiq.app. We aim to respond within 30 days as required by GDPR Art. 12(3).

Data controller

The data controller for BaggageIQ is the project's maintainer, contactable at support@baggageiq.app.

Cookies & website analytics

The BaggageIQ website (baggageiq.app) does not set any cookies of its own, and there is no cookie banner because there is nothing for you to accept. The extension itself also sets no cookies — it uses chrome.storage.sync for preferences, which is internal to your Chrome profile and not a web cookie.

The website uses Cloudflare Web Analytics for aggregate page-view counts, referrers, country, and browser type. It is privacy-first by design: no cookies, no localStorage, no fingerprinting, no cross-site tracking, no advertising IDs, and no per-visitor profiles. Cloudflare does not retain visitor IP addresses; analytics are bucketed and aggregated at the edge. There are no tag managers, advertising pixels, Google Analytics, or third-party trackers on this site. See the Third-party services section below for the link to Cloudflare's privacy policy.

Third-party services

The extension itself uses no third-party SDKs. This landing page uses:

• Fonts — the Space Grotesk, JetBrains Mono, and Inter typefaces are self-hosted on baggageiq.app. No third-party font CDN is contacted, so no external server sees your visit when fonts load.
• FormSubmit.co — processes feedback / bug / feature form submissions only when you voluntarily submit one.
• images.kiwi.com — public airline-logo CDN used by the extension tooltip; each logo request contains the airline IATA code only (e.g. DL.png).
• GitHub Pages — hosts this website (baggageiq.app). GitHub may log IPs when you visit the site; see GitHub's privacy statement.
• Cloudflare — fronts the BaggageIQ data API (api.baggageiq.app) as a thin proxy to our Supabase backend. Cloudflare may log connection metadata (IP, user-agent) for abuse prevention; see Cloudflare's privacy policy.
• Cloudflare Web Analytics — privacy-first, cookieless aggregate analytics for the website (baggageiq.app). Counts page views, referrers, countries, and browsers without setting cookies, fingerprinting, or storing visitor IPs. No data is shared with advertisers; see Cloudflare Web Analytics and Cloudflare's privacy policy.
• Supabase — backend that serves the BaggageIQ data API. Receives only the anonymous install identifier (no name, email, IP-derived location, or browsing data); see Supabase's privacy policy.

Changes to this policy

If we make material changes to this privacy policy, we will update this page and change the date below.

Contact

Questions about this policy? Reach out at support@baggageiq.app or via the feedback form on the home page — no account needed.