Privacy Policy
Last updated: March 5, 2026
ThreatCaddy is a personal open-source project. It is not affiliated with any
employer, organization, or company, past, present, or future.
Data Storage
- By default, all notes, tasks, timelines, and investigation data are stored locally in your browser using IndexedDB. No data leaves your device unless you choose otherwise.
- Extension clips are stored in chrome.storage.local on your device.
- The standalone HTML file and the default web app require no accounts and use no cookies.
Optional Team Server
- You may optionally connect to a self-hosted team server for real-time sync and collaboration. This is entirely opt-in: no data is sent until you configure a server URL and sign in.
- When connected, notes, tasks, timelines, IOCs, and other investigation entities are transmitted to the server you configure. Authentication tokens are stored in your browser.
- The team server is open-source and self-hosted. ThreatCaddy does not operate any hosted server infrastructure and has no access to your data.
API Keys & AI Features
- API keys you configure for AI features (e.g., OpenAI, Anthropic, Google, or other LLM providers) are stored locally in your browser.
- Keys are transmitted only to your chosen provider's API endpoint when you use CaddyAI features. They are never sent anywhere else.
Extension Permissions
- The ThreatCaddy extension requests only the permissions necessary to capture clips and deliver them to your ThreatCaddy instance.
- Optional host permissions are requested only when you configure a custom target URL or enable file:// access.
- The extension does not collect browsing history, form data, or any information beyond what you explicitly clip.
Analytics
- The hosted site at threatcaddy.com uses Cloudflare Web Analytics, which collects anonymous page-view metrics only. It does not use cookies, does not collect personal information, and does not track individual users.
- The standalone HTML file and the extension include no analytics whatsoever.
Third Parties
ThreatCaddy does not share any data with third parties. The only external network requests are:
- CaddyAI requests sent to the LLM provider endpoint you configure (e.g., api.openai.com).
- URL fetch requests you explicitly initiate through CaddyAI tools.
- Sync traffic to a self-hosted team server, if you choose to configure one.
Disclaimer: ThreatCaddy is provided "as is" without warranty of any kind,
express or implied. Users assume all liability for their use of the tool. The author is not
responsible for any data loss, security issues, or other damages arising from use of this software.