Privacy Policy

Last updated: 14 April 2026

CleanWatch is built on a simple principle: your data belongs to you. This policy explains exactly what is stored, where, and why.

1. Local-first by default

All settings, watch-time stats, keyword blocklists, and dashboard data are stored in your browser's local storage (chrome.storage.local). This data never leaves your device unless you explicitly enable server sync.

The extension makes no external network requests during normal browsing.

2. No tracking or analytics

CleanWatch does not include any analytics, crash reporting, telemetry, or usage tracking of any kind. There are no third-party scripts, no pixels, no fingerprinting.

3. No accounts

CleanWatch does not require or support user accounts. There is no email, no username, no password. If you enable sync, a random pairing code is used instead.

4. Optional server sync

Server sync is disabled by default. When you enable it, CleanWatch encrypts your settings and per-device stats on your device using AES-256-GCM before sending anything to the server. The encryption key is derived from your sync code using HKDF and never leaves your device.

What the server stores

  • Encrypted settings blob (ciphertext + IV) — the server cannot decrypt this
  • Encrypted per-device stat snapshots (ciphertext + IV) — the server cannot decrypt these
  • A cryptographic group ID derived from your sync code (not reversible)
  • A hashed authentication token (SHA-256, not reversible)
  • A randomly generated device ID (not tied to your hardware or identity)
  • Timestamps indicating when data was created or last accessed

What the server does NOT store

  • Your IP address — a salted SHA-256 hash is stored for abuse prevention, but the original IP cannot be recovered
  • Any decrypted settings, watch history, blocked channels, keyword lists, or stats
  • Any account information, email, username, or password

What the server can observe during requests

  • Your IP address (visible to any web server during a request, but not stored — only a salted hash is saved)
  • Request timing and frequency
  • Approximate device count per sync group
  • Payload size of encrypted data

5. Limits and data retention

To protect against abuse and keep the service lean, the sync server enforces the following limits:

  • Maximum 10 devices per sync group
  • Maximum 50 sync groups per IP address
  • Rate limiting: 120 requests per minute per IP, 180 requests per minute per group
  • Request body size limited to 128 KB

Sync groups that have not been accessed for 365 days are automatically deleted, along with all associated device snapshots and encrypted settings. Any sync request resets the inactivity timer. The extension will warn you if your group is approaching this threshold.

6. Self-hosting

The sync server is open source and self-hostable using the included Docker image. If you run your own instance, your data stays entirely on your own infrastructure. This privacy policy covers only the default server at cleanwatch.365devnet.eu.

7. Your data, your control

You can export, import, or reset all your data at any time from the CleanWatch dashboard. Settings transfer uses local JSON files or private settings codes — these are generated on your device and are not uploaded to any external service by the extension.

8. This website

The CleanWatch website (cleanwatch.365devnet.eu) does not use cookies, analytics, or any third-party services. Your language and theme preferences are stored in your browser's local storage and are never transmitted.

9. Changes to this policy

If this policy changes, the update will be reflected on this page with a new "last updated" date. Significant changes will also be noted in the extension's changelog.

10. Contact

CleanWatch is built by 365DevNet. If you have questions about this privacy policy, reach out via the contact information on 365devnet.eu.