Privacy Policy — BannerBye

BannerBye exists to keep cookie banners away from you. It would be a poor product if it tracked you while doing it. So it doesn't. This page explains exactly what the extension does, what it doesn't, and where the data lives.

The short version

No accounts. No sign-up. Nothing to log into.
No analytics. No telemetry. No usage tracking.
No personal data leaves your browser. Ever.
Your settings live on your own device, in your browser's storage.
The extension talks to one URL, only to fetch a public list of cookie-banner button labels. That request contains no identifying information.

What BannerBye does

BannerBye is a browser extension that prevents cookie consent banners from interrupting you. It works in three ways, in this order:

Global Privacy Control (GPC). The extension adds a Sec-GPC: 1 header to outgoing requests, telling websites you do not consent to the sale or sharing of your data. This is a public web standard and is added by your browser, not transmitted to BannerBye.
IAB TCF v2.2 signal. When a site uses the IAB Transparency & Consent Framework, the extension answers consent calls on your behalf with a "reject all" string before the banner can render.
Auto-click fallback. For sites with custom banners, the extension reads the visible button labels in the page and clicks the "reject" or "necessary only" option for you. This happens entirely inside your browser.

What BannerBye stores — and where

The extension stores a small amount of data, all locally, on your own device:

Settings (extension on/off, per-site pause list) — saved in chrome.storage.sync, which means your browser may sync them across your own signed-in devices. BannerBye never sees this sync.
Cached rules (the public list of button labels, see below) — saved in chrome.storage.local on your device only.

That's it. No browsing history, no visited URLs, no clicks, no timestamps, no IDs. None of this data is sent anywhere by the extension.

The one network request

Once a day, the extension fetches a static JSON file from https://bannerbye.com/rules.json. That file contains an updated list of "reject" button labels in different languages, so the extension keeps working when websites change their banners.

The request is a plain GET. It sends no extension ID, no user ID, no settings, no browsing data, no headers we control beyond what your browser adds for any HTTP request. The server logs the request the same way any web server logs any visitor: an IP address and a user agent string, retained briefly by the hosting provider for abuse protection. Those logs are not used by BannerBye for any purpose, are not joined with any other data, and are not shared.

Report broken site (one-tap, opt-in)

The popup has a "Report broken site" button. It is the one situation where data leaves your device, and only when you tap it. Tapping the button opens a small dialog where you can optionally add what's going wrong, then sends the following to https://bannerbye.com/api/report:

The hostname of the current tab (e.g. zalando.nl) — no path, no query string, no URL parameters.
The BannerBye version you're running (e.g. 0.2.0).
Your browser's User-Agent string — the same one every website you visit already receives with every request.
Your IP address — automatically attached by your network connection, as with any HTTP request.
Any additional context you typed into the optional textarea.

Reports land in our private inbox (hello@bannerbye.com) and are stored in our own private database (Upstash Redis) so we can see which sites are reported most often. We use them only to find and fix sites where BannerBye stops working. Stored reports are kept for at most 180 days and then automatically deleted; they are not shared with anyone and not joined with any other data. Each IP can submit up to five reports per hour to prevent abuse.

This is a one-tap user action, not background telemetry. The extension does not contact /api/report in any other circumstance.

What BannerBye does not do

It does not read the content of pages you visit beyond the cookie banner itself.
It does not collect or transmit form data, passwords, or anything you type — outside the optional "Report broken site" textarea, where you choose what to write.
It does not run analytics scripts, A/B tests, or feature flags.
It does not phone home with passive crash reports or performance data.
It does not sell, share, or rent any data, because there is no data to sell, share, or rent.
It does not contain third-party advertising or tracking SDKs.

Why does Safari say BannerBye can read passwords?

When you install BannerBye on Safari (Mac or iOS), Apple shows a permission dialog warning that the extension can read "sensitive information on web pages, including passwords, phone numbers, and credit cards, and your browsing history on the current tab's web page when you use the extension."

This text is identical for every Safari extension that accesses page content. It is not specific to BannerBye, and it tells you what the extension is technically capable of, not what it actually does. Chrome and Firefox show similar warnings for the same reason.

What BannerBye actually does on every page:

Reads the page's DOM (HTML structure) to detect cookie banners.
Sends a "no consent" signal via web standards (GPC, IAB TCF).
Auto-clicks "Reject all" on custom consent UIs.

What BannerBye does not do:

Read passwords, credit cards, or phone numbers.
Read or store your browsing history.
Send anything to our servers, except hostname when you tap "Report broken site" — see the section above.
Track you across sites or build user profiles.
Run analytics, telemetry, or crash reporting.

You don't have to trust this page. The full source code is open and auditable on GitHub: github.com/BannerBye/BannerBye (MIT license). Search the codebase for "password" or "credit-card" yourself — you won't find any reference to reading those.

Permissions explained

Browser extension stores show a list of permissions the extension requests. Here is why each one is needed:

storage — to save your on/off setting and per-site pause list locally.
tabs, activeTab — to know which site you are on so the popup can show the correct status and let you pause it on this site.
declarativeNetRequest — to add the GPC header. This API runs entirely inside your browser; the extension does not see the requests it modifies.
scripting — to inject the cookie-banner handler into the pages you visit.
alarms — to schedule the once-a-day fetch of the public rules file.
<all_urls> host permission — required because cookie banners can appear on any site.

Children

BannerBye does not collect data, so it does not knowingly collect data from children. The extension is suitable for any age permitted to use the underlying browser.

Changes to this policy

If we ever change what the extension does in a way that affects this page, we will update the "Last updated" date above and post a note on the homepage. We will not retroactively start collecting data from existing users.

Contact

Questions, doubts, corrections, or a direct request to delete data we don't have: hello@bannerbye.com.

Legal basis (for the EU readers)

Because BannerBye does not process personal data, GDPR's processing rules do not apply to the extension itself. Your browser's local storage is yours; you can clear it at any time by removing the extension. The hosting provider for bannerbye.com processes server logs as a "legitimate interest" controller for abuse protection, retained briefly and not shared.

We collect nothing. That's the policy.