TatGuard is a Chrome browser extension developed and operated by CosmoLabs Ltd, a company registered in Scotland, United Kingdom.
CosmoLabs Ltd is the data controller for personal data processed in connection with TatGuard. We have not appointed a Data Protection Officer as we are not required to do so under UK GDPR. For all data protection queries, please contact us at [email protected].
This policy is governed by the laws of England and Wales. Where users are located in the European Economic Area (EEA), EU GDPR may also apply in addition to UK GDPR.
TatGuard analyses product listings on e-commerce websites and provides consumers with an AI-powered risk assessment covering counterfeit risk, safety risk, and quality risk. Analysis is performed on our secure remote servers, not locally on your device. When you trigger a scan on a supported product page, TatGuard:
TatGuard only reads content from pages where you have actively triggered a scan. It does not read any other browser tabs, build profiles of your browsing activity, track your activity across websites, or access your passwords, bookmarks, or personal files.
| Data | Purpose | Retention | Shared with |
|---|---|---|---|
| Anonymous device identifier | Manage daily free scan limit | Until extension uninstalled or storage cleared | Our backend (Supabase) |
| Product page data (name, price, seller, reviews) | Generate risk assessment | Deleted immediately after analysis; system logs max 30 days | Anthropic, Serper, Supabase |
| Subscription email address | Subscription management and support | Duration of subscription + 7 years (UK tax obligations) | Stripe, Supabase |
Anonymous device identifier. When you first install TatGuard, a randomly generated anonymous identifier is created and stored locally in your browser. This identifier is not linked to your name, email address, IP address, or any other identifying information. Under UK GDPR, this constitutes pseudonymous personal data and we treat it accordingly.
Product page data. When you trigger an analysis, publicly visible product data from the page you are viewing is transmitted to our backend. Some product review content may incidentally include personal data such as a reviewer's username. Where this occurs, it is processed transiently, is not used for any purpose other than generating your risk assessment, and is not retained after the analysis session ends. We apply data minimisation where feasible.
Subscription data. If you subscribe to TatGuard Premium, your email address is collected for subscription management and transactional communications only. We do not use Premium email addresses for marketing without your explicit consent. Payment card details are processed exclusively by Stripe and are never received or stored by CosmoLabs Ltd.
Under the UK Privacy and Electronic Communications Regulations (PECR), we are required to disclose any data stored on your device. TatGuard stores the following data locally in your browser's extension storage:
This storage is strictly necessary to provide the core functionality of TatGuard that you have requested. No non-essential tracking cookies or similar technologies are used. You can clear this data at any time by uninstalling TatGuard or clearing your browser's extension storage via chrome://extensions.
| Data | Lawful Basis | Justification |
|---|---|---|
| Product page data and reviews | Legitimate interests (Art. 6(1)(f) UK GDPR) | Processing is necessary to deliver the risk assessment you have actively requested. Users trigger scans voluntarily on public product pages. Data is limited to publicly available information, processing is ephemeral with no retention, and no profiling or linking to personal identity occurs. |
| Anonymous device identifier | Legitimate interests (Art. 6(1)(f) UK GDPR) | Necessary to prevent abuse of the free tier and manage daily scan limits fairly. Pseudonymous and stored locally with no link to personal identity. |
| Subscription email | Contract performance (Art. 6(1)(b) UK GDPR) | Necessary to manage your subscription, process payments via Stripe, and provide customer support. |
TatGuard uses automated processing, including AI language models, to generate product risk scores. These scores are informational only and do not produce legal or similarly significant effects on you. No solely automated decisions are made about individuals — only probabilistic assessments about products based on publicly available data. You remain fully in control of your purchasing decisions.
CosmoLabs Ltd remains the data controller. The following third parties act as data processors under Data Processing Agreements and process data only on our instructions:
| Processor | Role | Location | Privacy Policy |
|---|---|---|---|
| Anthropic | AI language model for risk assessment generation | United States | anthropic.com/privacy |
| Serper | Web search for external product signals | United States | serper.dev/privacy |
| Supabase | Backend infrastructure and database hosting | European Union | supabase.com/privacy |
| Stripe | Payment processing for Premium subscriptions | United States / EU | stripe.com/privacy |
Some of our processors, including Anthropic, Serper, and Stripe, are located outside the United Kingdom or European Economic Area, primarily in the United States. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including Standard Contractual Clauses approved for use under UK GDPR and, where applicable, the UK Extension to the EU-US Data Privacy Framework.
Product page data transmitted to these processors is used solely to generate your risk assessment and is subject to the same ephemeral processing standards described in Section 3.
Product page data and review content sent for analysis is deleted immediately after your risk assessment is generated. System logs required for reliability and security are retained for a maximum of 30 days and do not contain full product page content.
Your anonymous device identifier and daily scan count are retained locally in your browser for as long as you use the extension. You can delete this data at any time by uninstalling TatGuard or clearing your browser extension storage.
Subscription email addresses are retained for the duration of your subscription and for 7 years thereafter to comply with UK tax and accounting obligations, unless you request earlier deletion where legally permissible.
To exercise any of these rights, please contact us at hello@cosmolabs.co.uk. We will respond within 30 days.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.
TatGuard complies with the Chrome Web Store User Data Policy:
Limited Use Disclosure. TatGuard's use of information received from Chrome APIs complies with the Chrome Web Store User Data Policy, including the Limited Use requirements. Data obtained through Chrome APIs is used only to provide and improve TatGuard's core functionality (product risk assessment), is not transferred to third parties except as necessary to provide that functionality, is not used for purposes unrelated to TatGuard's core functionality, and is not used to determine creditworthiness or for lending purposes. Data is not sold or used for advertising.
All data transmitted between TatGuard and our backend is encrypted in transit using HTTPS/TLS. Our backend infrastructure is hosted on Supabase, which maintains SOC 2 Type II certification. Access to our systems is restricted to authorised personnel only. In the event of a suspected security incident, we will investigate promptly and notify affected parties as required by law.
TatGuard is intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at hello@cosmolabs.co.uk and we will delete it promptly.
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify Premium users by email and display a notice within the extension where reasonably practicable.
This Privacy Policy is governed by the laws of Scotland and England and Wales. For users in the EEA, EU GDPR may apply in addition to UK GDPR.
To contact us regarding this Privacy Policy or any data protection matter: