Effective date: 14 June 2026. Last updated: 14 June 2026.
This Privacy Policy describes how the AMASAMYA Accessibility Audit Tool ("the Extension", "AMASAMYA", "we") handles user data. AMASAMYA is a Chrome browser extension that audits web pages for compliance with the Web Content Accessibility Guidelines (WCAG) 2.2. The Extension is developed and maintained by Akhilesh Malani as an independent accessibility consultant.
AMASAMYA is designed to be a privacy-respecting tool. The developer operates no backend server that receives user data. All Extension processing takes place inside your browser. The only external network requests AMASAMYA initiates are optional and go directly from your browser to a Vision AI provider that you choose and configure with your own API key.
1. Scope
This policy covers the AMASAMYA Chrome extension distributed through
the Chrome Web Store under item ID
blnfmiipkccpggpinjofhhglfcgglbif. It does not cover the
separate AMASAMYA Platform website hosted at amasamya.akhileshmalani.com,
which has its own privacy disclosures. It does not cover third-party
services you may choose to integrate with the Extension; those
services are governed by their own privacy policies, linked in
Section 7 below.
2. Categories of User Data and How Each Is Handled
Chrome Web Store policy requires explicit disclosure for each category of user data. The table below states, for every category Google defines, whether AMASAMYA collects it, what we do with it, where it is stored, and whom it is shared with.
| Data category | Collected? | Purpose | Storage | Sharing |
|---|---|---|---|---|
| Personally identifiable information (name, address, email, age, ID number, phone) | No | Not applicable | Not applicable | Not shared |
| Health information | No | Not applicable | Not applicable | Not shared |
| Financial and payment information | No | Not applicable | Not applicable | Not shared |
| Authentication information (passwords, credentials, security questions) | Yes, only when the user voluntarily enters a Vision AI API key in Settings. | The API key is used to authenticate the user's own requests to the Vision AI provider they selected (Anthropic, OpenAI, or Google Gemini). | Encrypted at rest in the user's browser using a non-extractable AES-GCM 256-bit master key generated by the WebCrypto API and held in IndexedDB. Never leaves the user's device in plaintext. Never transmitted to the developer. | Not shared with the developer. Transmitted only to the Vision AI provider whose key it is, when the user actively runs the Focus Indicator Narrator or Visual Layout Auditor module. |
| Personal communications (email, SMS, chat messages) | No | Not applicable | Not applicable | Not shared |
| Location (GPS, IP-based, region) | No | Not applicable | Not applicable | Not shared |
| Web history (URLs visited, browsing history) | No persistent storage. The URL and title of the currently active tab are read at audit time only to populate the audit report header. | Inclusion in the on-device audit report so the user can identify which page the findings refer to. | Held only in chrome.storage.session for the duration of the current browser session and discarded when the session ends. |
Not shared with the developer. Not transmitted to any third party. |
| User activity (clicks, mouse position, scroll, keystrokes) | No | Not applicable | Not applicable | Not shared |
| Website content (text, images, sounds, videos, hyperlinks) | Limited. When the user runs the Focus Indicator Narrator or Visual Layout Auditor, AMASAMYA captures screenshots of the active tab. The WCAG Audit Engine and State Change Watchdog read DOM nodes locally but do not export them. | Screenshots are sent to the Vision AI provider the user has configured, so the provider can analyse focus indicators and visual layout. DOM reads are used only for in-browser audit logic. | Screenshots are not stored. They are sent to the chosen Vision AI provider as part of a single request and discarded from Extension memory once the response returns. DOM data is not persisted. | Screenshots: shared only with the Vision AI provider the user has selected (Anthropic, OpenAI, or Google Gemini), using the user's own API key. Never shared with the developer. |
3. Data the Developer Never Receives
The developer of AMASAMYA operates no backend server for the Extension. The following are never transmitted to, collected by, stored by, or accessible to the developer under any circumstances:
- Your name, email address, or any other personally identifiable information.
- Your browsing history or the URLs of pages you visit.
- Your financial, health, or authentication information.
- Content from the pages you audit, including DOM contents, screenshots, and form values.
- Vision AI API keys you have entered into Settings.
- Audit results, findings, or exported reports.
- Any usage analytics, telemetry, or crash reports.
4. Local Storage on Your Device
AMASAMYA uses Chrome's extension storage APIs entirely on your device. The two storage areas the Extension uses are:
- chrome.storage.local - persists across sessions. Holds your selected Vision AI provider (Anthropic, OpenAI, or Google Gemini) and any API keys you have entered, encrypted at rest using a non-extractable AES-GCM 256-bit master key generated by the WebCrypto API and held in your browser's IndexedDB.
- chrome.storage.session - cleared when the browser session ends. Holds the most recent audit result so the side panel can display it after a navigation or a panel reopen.
No data from these storage areas is transmitted off your device by the Extension.
4.1 Threat model for at-rest encryption
The non-extractable master key blocks passive exfiltration: a malicious browser extension that reads localStorage, a stolen disk image, or a backup that captures profile data sees only opaque ciphertext rather than usable keys. It does not protect against an active attacker who can run JavaScript inside the AMASAMYA origin, because such an attacker can ask the WebCrypto sandbox to decrypt on their behalf. Treat the encryption as defence-in-depth, not as a substitute for revoking and rotating any API key you suspect has been exposed.
5. How Data Is Used
AMASAMYA uses the limited data it handles for exactly three purposes:
- Running accessibility audits. The Extension reads the current page's DOM, computed styles, and visible content to evaluate WCAG 2.2 conformance. This processing happens entirely inside your browser.
- Optional Vision AI analysis. When you explicitly run the Focus Indicator Narrator or Visual Layout Auditor modules, screenshots of the active tab are sent to the Vision AI provider you have configured (Anthropic, OpenAI, or Google Gemini) using your own API key.
- Displaying and exporting results. Audit findings are rendered in the Chrome side panel and can be exported by you, locally, in JSON, HTML, CSV, plain text, SARIF, or annotated PNG formats. Export is a manual user action; nothing is exported automatically.
6. Data Sharing
AMASAMYA does not sell, rent, trade, or share user data with third parties for advertising, profiling, or any other commercial purpose. The Extension never transmits user data to the developer's servers because the developer operates no such servers.
The only external data transfer that AMASAMYA initiates is the optional transmission of page screenshots to the Vision AI provider you have configured, using your own API credentials. This transfer happens only when you actively run the Focus Indicator Narrator or Visual Layout Auditor modules and only with the provider you have selected.
7. Third-Party Services
If you configure a Vision AI provider, screenshots you choose to send are processed under that provider's own privacy policy and terms of service. AMASAMYA has no affiliation with these providers beyond offering an optional integration. Review their policies before enabling the optional modules:
8. Permissions Used and Why
AMASAMYA requests the minimum set of Chrome permissions needed to function. Each permission is justified below.
- activeTab - to run audits on the page you are currently viewing, on demand.
- scripting - to inject locally bundled audit scripts into the active tab.
- sidePanel - to display audit results in the Chrome side panel.
- tabs - to read the current tab's URL and title for inclusion in audit reports.
- storage - to persist your Vision AI provider preference and encrypted API key locally on your device.
- debugger - to emulate viewport sizes for the Visual Layout Auditor using the Chrome DevTools Protocol. AMASAMYA never collects DevTools console output, network traffic, or page state through this permission.
- host_permissions (<all_urls>) - to allow auditing of any website the user chooses to test. AMASAMYA only acts on a tab when the user explicitly invokes an audit.
9. Data Retention
- Vision AI API keys: retained in encrypted form in
chrome.storage.localuntil you remove them through the Clear Keys button in Settings, uninstall the Extension, or clear the Extension's data fromchrome://extensions. - Audit results: retained in
chrome.storage.sessiononly for the duration of the current browser session. Closing the browser discards them. - Provider preference: retained in
chrome.storage.localuntil you change it or uninstall the Extension. - Screenshots sent to Vision AI providers: retention is governed by the provider you selected. AMASAMYA itself does not retain a copy.
10. Security
AMASAMYA applies the following security measures to the data it handles:
- API keys are encrypted at rest using AES-GCM 256-bit with a non-extractable WebCrypto master key.
- All network requests to Vision AI providers use HTTPS (TLS 1.2 or higher) as enforced by the provider endpoints.
- The Extension is distributed as a Manifest V3 package. It contains no remote code, no eval, no dynamically loaded scripts, and no inline scripts in HTML.
- The codebase of the Extension is available for inspection at github.com/accessitestai/AMASAMYA.
11. Your Rights and Choices
Because AMASAMYA does not collect personally identifiable information and stores all user-controlled data on your own device, you exercise the equivalents of access, correction, deletion, and portability rights directly:
- Access: open the Extension's side panel and Settings to view your stored preferences and API keys.
- Correction: edit your settings or API keys at any time through the Settings panel.
- Deletion: use the Clear Keys button in Settings to remove stored API keys, or uninstall the Extension to delete all stored data. Removing the Extension from Chrome clears all
chrome.storagedata associated with it. - Opt-out of Vision AI: do not configure a provider. The WCAG Audit Engine and State Change Watchdog will continue to work without any external network calls.
- Data portability: export audit findings using the Export buttons in the side panel; supported formats include JSON, HTML, CSV, plain text, SARIF, and annotated PNG.
12. Children's Privacy
AMASAMYA is intended for professional accessibility testers and developers. It is not directed at children under 13, and the developer does not knowingly collect data from children. If you believe a child has used the Extension and provided data, contact the address in Section 16.
13. International Users
Because AMASAMYA does not transmit user data to a developer-operated backend, there is no cross-border transfer initiated by the Extension itself. Optional Vision AI requests you initiate may be processed in the region operated by the provider you selected; consult their privacy policy (linked in Section 7) for details.
14. Compliance
AMASAMYA is designed to be compatible with the data-handling obligations of GDPR (EU), CCPA and CPRA (California), and the Chrome Web Store Developer Program Policies. The developer is the data controller for the limited categories described in Section 2. Because no personal data is collected or processed by the developer, most rights-request procedures under GDPR and CCPA are not applicable; you exercise the practical equivalents on-device as described in Section 11.
15. Changes to This Policy
We may update this policy from time to time. Material changes will be reflected in the "Effective date" line at the top of the policy. Continued use of the Extension after changes constitutes acceptance of the revised policy. Significant changes will also be noted in the Extension's Chrome Web Store listing.
16. Contact
For privacy questions, data-rights requests, or to report a suspected privacy issue, contact the developer directly:
- Email: akhilesh.malani@gmail.com
- Website: amasamya.akhileshmalani.com
- Source code: github.com/accessitestai/AMASAMYA
The developer is Akhilesh Malani, an independent accessibility architect and digital inclusion strategist. AMASAMYA is fully self-funded with no investor or third-party influence on this privacy policy or the feature roadmap.