Privacy Policy

Okto Authenticator Chrome Extension — Last updated: May 18, 2026

1. Overview

Okto Authenticator ("Okto", "the extension") is a Chrome browser extension that provides two-factor authentication (TOTP) code generation and phishing site protection. This Privacy Policy explains what data is collected, how it is used, and your rights regarding that data.

2. Data collected automatically

When you install or use Okto, the following data is sent to our server:

• Anonymous installation ID — a randomly generated UUID created locally on your device at install time. It is not linked to your Google account, browser profile, or any personally identifiable information. It is used solely to count unique installs and deliver the phishing blocklist.
• Extension version — the version string of the extension (e.g. "1.0.0"), sent with the installation ping.
• Country (approximate) — derived from your IP address by the server at registration time using a local geolocation database. Your IP address itself is not stored.
• Phishing warning events — if a phishing site is detected and a warning is shown, the anonymous installation ID and the blocked domain are sent to the server for statistical purposes only.

No other data is collected automatically.

3. Data you provide

• TOTP secrets and account labels — stored locally on your device using the Chrome storage API. They are never transmitted to any server.
• QR code images — when you use the QR scan feature to add an account, the image may be sent to our server for decoding. The image is processed immediately and not stored after decoding.

4. How data is used

• To count anonymous installs and track which extension version is in use.
• To deliver the phishing domain blocklist to the extension every hour.
• To decode QR code images when explicitly requested by the user.
• To record phishing warning events for improving blocklist accuracy.

Data is never used for advertising, profiling, or sold to third parties.

5. Data sharing

Okto does not sell, trade, or share user data with advertisers, data brokers, or any third party for commercial purposes. Data may be processed by infrastructure providers (hosting) solely as necessary to operate the service. No personal data is involved in this processing.

6. Browsing activity

Okto checks every URL you visit against the locally cached phishing blocklist. This check happens entirely within your browser — visited URLs are never sent to our server. Only the blocked domain name is reported if a warning is actually triggered.

7. Permissions used

• storage — stores TOTP accounts, blocklist cache, and settings locally on your device.
• alarms — schedules a background task to refresh the phishing blocklist every 60 minutes.
• host permissions (<all_urls>) — required to check every visited page against the phishing blocklist and display a warning overlay before the page loads.

8. Data retention

The anonymous installation ID and associated country/version data are retained on our server for statistical analysis. Phishing warning events are retained for blocklist improvement purposes. QR code images are deleted immediately after decoding. No retention period exceeds 24 months.

9. Your rights

Because Okto does not collect personally identifiable information, most data protection rights (access, deletion, portability) are satisfied by default — we cannot identify you from the data we hold. If you wish to have your anonymous installation record deleted, contact us with your anonymous ID (visible in the extension's storage under the key installId) and we will remove it.

10. Children's privacy

Okto is not directed at children under 13. We do not knowingly collect data from children.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the extension after changes constitutes acceptance of the updated policy.

12. Contact

If you have any questions about this Privacy Policy, contact the developer at:
hujilurline@gmail.com